SAP applications expose a broad and often underestimated attack surface. Fiori launchpads and apps serve as the primary user interface for S/4HANA, and every Fiori endpoint, OData service, and ICF handler is a potential entry point for injection, session hijacking, or privilege escalation. Behind the UI, custom ABAP code, RFC-enabled function modules, BAPI interfaces, and role-based authorization models introduce risk that standard web application scanners are not designed to detect.
Most enterprise security programs treat SAP as a black box. Vulnerability scans run against perimeter infrastructure but skip the application layer entirely, or rely on generic DAST tools that cannot authenticate through SAP login flows, navigate Fiori tile structures, or exercise OData entity sets. The scan completes and the report looks clean, but the actual SAP attack surface was never tested.
Merito integrates static and dynamic application security testing directly into the SAP testing operating model. SAST tooling analyzes custom ABAP code and Fiori front-end sources for injection vulnerabilities, hardcoded credentials, missing authorization checks, and insecure data handling patterns. DAST tooling is configured to authenticate against SAP systems, crawl Fiori apps and OData endpoints, and test for cross-site scripting, CSRF, broken access control, and server-side request forgery in the context of real SAP user roles and transactions. Security findings are linked into Cloud ALM release governance and remediation is tracked through the same transport and release cycle that governs functional changes, giving security teams and release managers a unified view of what is ready and what is not.
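As an added illustration of the kind of ABAP SAST checks described above (this is example code, not Merito's tooling or the page's own), the scanner below flags three of the named defect classes in a constructed ABAP sample: an RFC-enabled function module with no AUTHORITY-CHECK, a dynamic WHERE clause built from caller input, and a hardcoded credential literal. Function names, the sample source, and the assumption that the remote-enabled attribute is supplied from repository metadata (it is a function-module property, not source text) are all constructed for the example.

```python
import re

# Constructed ABAP sample (not from the page or from Merito). The remote-enabled
# attribute is not visible in ABAP source, so it is modelled as metadata here.
RFC_ENABLED = {"Z_VENDOR_READ", "Z_VENDOR_READ_SAFE"}

ABAP_SOURCE = """\
FUNCTION z_vendor_read.
  DATA lv_where TYPE string.
  DATA lv_pwd TYPE string VALUE 'Summer2024!'.
  CONCATENATE 'LIFNR = ''' iv_lifnr '''' INTO lv_where.
  SELECT * FROM lfa1 INTO TABLE et_vendors WHERE (lv_where).
ENDFUNCTION.

FUNCTION z_vendor_read_safe.
  AUTHORITY-CHECK OBJECT 'F_LFA1_APP' ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.
  SELECT * FROM lfa1 INTO TABLE et_vendors WHERE lifnr = iv_lifnr.
ENDFUNCTION.
"""

FUNC_RE = re.compile(r"^\s*FUNCTION\s+(\w+)\s*\.(.*?)^\s*ENDFUNCTION\s*\.", re.I | re.M | re.S)
DYN_WHERE_RE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)
HARDCODED_RE = re.compile(r"\b\w*(PASSWORD|PWD|PASSWD)\w*\b[^'\n]*'([^']+)'", re.I)

def scan_abap(source: str, rfc_enabled: set) -> list:
    """Return (function_name, finding) pairs for three SAST-style checks."""
    findings = []
    for m in FUNC_RE.finditer(source):
        name, body = m.group(1).upper(), m.group(2)
        # 1. RFC-enabled module that never performs AUTHORITY-CHECK: any user
        #    with RFC access can call it regardless of business authorizations.
        if name in rfc_enabled and not re.search(r"\bAUTHORITY-CHECK\b", body, re.I):
            findings.append((name, "missing AUTHORITY-CHECK in RFC-enabled module"))
        # 2. Dynamic WHERE clause: caller-controlled text reaches Open SQL unless
        #    it is validated first (e.g. with CL_ABAP_DYN_PRG).
        for w in DYN_WHERE_RE.finditer(body):
            if not re.search(r"CL_ABAP_DYN_PRG", body, re.I):
                findings.append((name, f"dynamic WHERE clause built from {w.group(1)}"))
        # 3. Credential-looking variable initialised from a string literal.
        if HARDCODED_RE.search(body):
            findings.append((name, "hardcoded credential literal"))
    return findings

if __name__ == "__main__":
    for fn, msg in scan_abap(ABAP_SOURCE, RFC_ENABLED):
        print(f"{fn}: {msg}")
```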