SAP Custom Code Security Reviewer
A major entertainment company has built a large custom SAP application on BTP that handles financial transactions and personally identifiable information. The client already knows vulnerabilities exist, but they need an expert who can find what's been missed and definitively validate whether their vendor's claims about what's "impossible" to fix are actually true. This isn't about checking compliance boxes, it's about security-focused code review with clear business impact assessment.
Key Responsibilities
- Conduct security-focused review of custom ABAP, UI5, and JavaScript code in a procure-to-pay system
- Find injection vulnerabilities, authentication bypasses, data exposure risks, and hard-coded credentials that automated scanners miss
- Assess whether the code is ready for HANA migration
- Evaluate secure development practices across the custom codebase
- Deliver a prioritized assessment with clear remediation guidance
- Translate technical risk into business impact for stakeholders
- Push back with evidence when vendor claims about "impossible" fixes need validation
- Navigate political complexity across multiple implementation partners
Qualifications and Skills
- At least 5 years of hands-on experience specifically reviewing ABAP code for security issues
- Deep knowledge of SAP BTP security architecture
- Proficiency with SAP SAST tools (Code Vulnerability Analyzer, ABAP Test Cockpit, or commercial alternatives)
- Track record of finding real vulnerabilities in enterprise SAP environments
- Ability to explain technical risks to both technical and business stakeholders in clear terms
- NOT suitable if you only do platform configuration assessments
- NOT suitable if you rely solely on automated scanners without manual code review
- NOT suitable if you don't have specific SAP code security experience
- NOT suitable if you're looking to learn SAP security on the job
