SAP Penetration Tester
LOCATION
Hybrid – Spring, TX 77373
DESCRIPTION
We are seeking an experienced SAP Penetration Tester to support enterprise security assessments across complex SAP environments, including S/4HANA, NetWeaver, and Fiori. The ideal candidate will be skilled in evaluating vulnerabilities across application, transport, and OS/DB layers and recommending actionable remediation strategies aligned with compliance requirements and business risk.
Primary skill set (mandatory technical skill sets):
- SAP security testing across HANA, NetWeaver, Fiori, and ABAP code
- Hands-on experience with SAP penetration testing tools such as Onapsis and ERPScan
- Strong knowledge of RFC gateway, ICM/Web Dispatcher, SM59 misuse, SAPRouter vulnerabilities
- Identification of SoD conflicts, insecure TCODEs, and authorization flaws
- ABAP code review experience for injection flaws, logic bugs, hardcoded credentials
- OS/DB-level penetration testing (e.g., default SAP/Oracle credentials, RFC/transport vulnerabilities)
- Ability to collaborate closely with InfoSec, BASIS, and Audit teams
Must Have skill sets:
- 5+ years in SAP security or penetration testing
- Proficiency in Python and scripting custom automation for SAP assessments
- Familiarity with STRIDE and MITRE ATT&CK frameworks for ERP threat modeling
- Ability to produce both technical and executive-level risk reports
- Fluent written and spoken English
Nice to Have skill sets:
- Experience with SAP GRC, ST03N analysis, and integrating SAP logs with SIEM (e.g., Splunk)
- Familiarity with Fiori Launchpad security, SOAP injection, and IDOR in UI5 apps
- Experience training SAP developers on secure ABAP coding practices
- Certifications: OSCP, CEH, SAP Security Certification
Contact: jorge.flores@pantheon-inc.com