Refer to this page for information about version-specific improvements to SD Elements and associated content.

SD Elements Release Notes

2026.4.1 | April 11, 2026

SDE v2026.4.1

New features and enhancements 2026.4.1

  • Project Survey Reporting
    • Added a new project survey reporting context, enabling users to build advanced reports based on the current state of their project surveys.

2026.3.2 | March 28, 2026

SDE v2026.3.2

New features and enhancements 2026.3.2

No updates.

Content updates 2026.3.2

Summary

  • Added content for SAP Security Baseline Template and coverage for the following SAP services:

    • Host Operating System for SAP Servers
    • SAP ABAP Application Server
    • SAP Java Application Server
    • SAP HANA
    • SAP Graphical User Interface (GUI)
    • SAP Business Technology Platform (BTP)
    • SAP Web Dispatcher
  • Minor improvements to the applicability criteria of some hardware content. Merged the answer "A1301: Firmware and software development for hardware is in scope" with "A2322: Firmware". More changes to come in the next release.

  • Improved Tooltips (Description of Project Survey Answers)

  • New Just-in-Time Training

    • OWASP Top 10 2025 (44)

Content additions and updates (as of February 10, 2026):

  • Compliance Regulations and Mappings
    • Added SAP Security Baseline Template 2.6
  • Content Packs
    • Added SAP Security Baseline Template
  • T2174: Avoid unintended proxy or intermediary (Confused Deputy) (Hardware/Firmware)
    • P1572: Unintended proxy or intermediary (Confused Deputy) (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2175: Provide documentation for design (Hardware/Firmware) [Updated]
    • INFO: Updated the match conditions.
  • T2176: Avoid mixing agents of varying trust levels (Hardware/Firmware)
    • P1574: Improper isolation of shared resources on SoC (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2178: Ensure fabric access controls enablement before 3rd party hardware IPs (Hardware/Firmware)
    • P1576: Power-on of untrusted execution core before enabling fabric access control (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2185: Prevent unauthorized access to sensitive data through debug or test interfaces (Hardware/Firmware)
    • P1583: Improper access to sensitive information using debug and test interfaces (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2192: Prevent incorrect selection of fuse values (Hardware/Firmware)
    • P1590: Incorrect selection of fuse values (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2193: Prevent incorrect comparison logic granularity (Hardware/Firmware)
    • P1591: Incorrect comparison logic granularity (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2194: Protect software-controllable physical operation features (Hardware/Firmware)
    • P1592: Hardware features enable physical attacks from software (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2197: Prevent Improper Restriction of Security Token Assignment (Hardware/Firmware)
    • P1595: Improper restriction of security token assignment (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2199: Prevent improper handling of single-event upsets (Hardware/Firmware)
    • P1597: Improper handling of single event upsets (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2203: Ensure a policy that prevents the use of obsolete encoding (Hardware/Firmware)
    • P1601: Policy uses obsolete encoding (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2204: Enforce policy privilege assignments consistently between control and data agents (Hardware/Firmware)
    • P1602: Policy privileges are not assigned consistently between control and data agents (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2205: Prevent a product being released in non-release configuration (Hardware/Firmware)
    • P1603: Product released in non-release configuration (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2208: Restrict sharing device unlocking credentials across multiple parties (Hardware/Firmware)
    • P1606: Device unlock credential sharing (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2210: Prevent signals conflict between a hardware IP and the parent system (Hardware/Firmware)
    • P1608: Hardware child block incorrectly connected to parent system (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2212: Use Integrated Circuit (IC) Imaging Techniques to protect against hardware reverse engineering (Hardware/Firmware)
    • P1610: Missing protection against reverse engineering using IC imaging techniques (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2214: Protect unexpected behavior of system due to sequence of processor instructions (Halt and Catch Fire) (Hardware/Firmware)
    • P1612: Sequence of processor instructions leads to unexpected behavior (halt and catch fire) (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2215: Prevent modification of immutable data (Hardware/Firmware)
    • P1613: Assumed-immutable data is stored in writable memory (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2217: Prevent security identifiers from unauthorized access while decoding (Hardware/Firmware)
    • P1615: Incorrect decoding of security identifiers (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2219: Implement secure conversion of Security Identifiers (Hardware/Firmware)
    • P1617: Incorrect conversion of security identifiers (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2220: Implement secure mechanism to generate Security Identifiers (Hardware/Firmware)
    • P1618: Insecure security identifier mechanism (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2226: Transaction without a security identifier (Hardware/Firmware)
    • P1624: Missing security identifier (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2233: Set proper setting of Bus Controlling Capability in Fabric end-point (Hardware/Firmware)
    • P1631: Improper setting of bus controlling capability in fabric end-point (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2234: Restrict mapping of unwarranted programming overlaps of protected and unprotected ranges by Fabric-Address (Hardware/Firmware)
    • P1632: Fabric-address map allows programming of unwarranted overlaps of protected and unprotected ranges (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2235: Put security checks in Fabric Bridge (Hardware/Firmware)
    • P1633: Missing security checks in fabric bridge (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2236: Put security controls in On-chip Fabrics or Buses (Hardware/Firmware)
    • P1634: Missing support for security features in on-chip fabrics or buses (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2237: Protect against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware)
    • P1635: Improper protection against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T2238: Protect alert signals against untrusted agents (Hardware/Firmware)
    • P1636: Improper protection for out of bounds signal level alerts (Hardware/Firmware) [Updated]
      • INFO: Updated the match conditions.
  • T6434: Best practices for SAP system user management on Windows (SAP OS) [Added]
    • P3941: Improper User Privilege Management in SAP Systems on Windows (SAP OS) [Added]
  • T6435: Restrict root permissions for SAP accounts (SAP OS) [Added]
    • P3942: Unrestricted Root Permissions for SAP System Accounts (SAP OS) [Added]
  • T6436: Restrict access to shares and NFS exports (SAP OS) [Added]
    • P3943: Unrestricted Access to Shares and NFS Exports (SAP OS) [Added]
  • T6437: Set system change option to "not modifiable" for SAP ABAP application server (SAP ABAP) [Added]
    • P3944: Unrestricted System Configuration Modifications (SAP ABAP) [Added]
  • T6438: Define security settings in SAP ABAP application server using SCC4 (SAP ABAP) [Added]
    • P3945: Unauthorized System Modifications in SAP ABAP Application Server (SAP ABAP) [Added]
  • T6439: Activate profile parameter to create customizing table logs (SAP ABAP) [Added]
    • P3946: Lack of Audit Trail for Changes in Customizing Tables (SAP ABAP) [Added]
  • T6440: Activate transport parameter to create customizing table logs (SAP ABAP) [Added]
    • P3947: Lack of Transport Parameter Activation for Customizing Table Logs (SAP ABAP) [Added]
  • T6441: Activate transport parameters for SAP ABAP application server (SAP ABAP) [Added]
    • P3948: Lack of Version Control for Repository Objects (SAP ABAP) [Added]
  • T6442: Activate transport parameter to validate content of transport files (SAP ABAP) [Added]
    • P3949: Unchecked Transport File Content Integrity (SAP ABAP) [Added]
  • T6443: Validate kernel release and transport parameters for SAP ABAP application server (SAP ABAP) [Added]
    • P3950: Version and Parameter Validation Weakness (SAP ABAP) [Added]
  • T6444: Set profile parameter abap/ext_debugging_possible = 2 (SAP ABAP) [Added]
    • P3951: Unauthorized Debugging in Production Systems (SAP ABAP) [Added]
  • T6445: Set profile parameter dbs/dba/ccms_maintenance = 1 (SAP ABAP) [Added]
    • P3952: Unauthorized Access and Maintenance Actions in DBA Cockpit (SAP ABAP) [Added]
  • T6446: Set profile parameter dbs/dba/ccms_security_level = 1 (SAP ABAP) [Added]
    • P3953: Lack of Access Controls on Database Administration Functions (SAP ABAP) [Added]
  • T6447: Set profile parameter login/show_detailed_errors to 0 (SAP ABAP) [Added]
    • P3954: Information Disclosure Due to Detailed Error Messages (SAP ABAP) [Added]
  • T6448: Apply information disclosure rules for SAP ABAP application server (SAP ABAP) [Added]
    • P3955: Information Disclosure Vulnerability (SAP ABAP) [Added]
  • T6449: Protect web methods of sapstartsrv (SAP ABAP) [Added]
    • P3956: Unauthenticated Access to Web Methods (SAP ABAP) [Added]
  • T6450: Enable HANA data-at-rest encryption (SAP HANA) [Added]
    • P3957: Lack of Data at Rest Encryption (SAP HANA) [Added]
  • T6451: Protect the keys for HANA data-at-rest encryption (SAP HANA) [Added]
    • P3958: Insecure Key Management for HANA Data-at-Rest Encryption (SAP HANA) [Added]
  • T6452: Disable server header in SAP Java application server (SAP JAVA) [Added]
    • P3959: Information Disclosure via Server Headers (SAP JAVA) [Added]
  • T6453: Protect web methods by setting profile parameter (SAP JAVA) [Added]
    • P3960: Unprotected Web Methods (SAP JAVA) [Added]
  • T6454: Prohibit information disclosure in SAP WDISP (SAP WDISP) [Added]
    • P3961: Information Disclosure Vulnerabilities (SAP WDISP) [Added]
  • T6455: Configure URL filtering with SAP Web Dispatcher (SAP WDISP) [Added]
    • P3962: URL Filtering Configuration Weakness in SAP Web Dispatcher (SAP WDISP) [Added]
  • T6456: Restrict administrative access to specific clients (SAP WDISP) [Added]
    • P3963: Unrestricted Administrative Access (SAP WDISP) [Added]
  • T6457: Configure icm/HTTP/error_templ_path profile parameter (SAP WDISP) [Added]
    • P3964: Improper Management of Error Templates (SAP WDISP) [Added]
  • T6458: Activate rdisp/TRACE_HIDE_SEC_DATA profile parameter (SAP WDISP) [Added]
    • P3965: Information Disclosure via Trace Files (SAP WDISP) [Added]
  • T6459: Deactivate icm/trace_secured_data in SAP service WDISP (SAP WDISP) [Added]
    • P3966: Information Disclosure Through Insecure Log Configuration (SAP WDISP) [Added]
  • T6460: Deactivate forwarded certificates via HTTP for SAP service WDISP (SAP WDISP) [Added]
    • P3967: Forwarded Certificates Acceptance via HTTP (SAP WDISP) [Added]
  • T6461: Disable or properly configure icm/trustedreverse_proxy (SAP WDISP) [Added]
    • P3968: Improperly Configured Trusted Reverse Proxies (SAP WDISP) [Added]
  • T6462: Maintain directory traversal protection for SAP ABAP application server (SAP ABAP) [Added]
    • P3969: Directory Traversal Vulnerability (SAP ABAP) [Added]
  • T6463: Control critical authorization for authorization object S_PATH (SAP ABAP) [Added]
    • P3970: Directory Traversal Weakness due to Inadequate Authorization Control (SAP ABAP) [Added]
  • T6464: Control critical authorization for authorization object S_DATASET (SAP ABAP) [Added]
    • P3971: Directory Traversal Risk Due to Uncontrolled File System Access (SAP ABAP) [Added]
  • T6465: Set REJECT_EMPTY_PATH parameter in SAP ABAP application server (SAP ABAP) [Added]
    • P3972: Improper Handling of Empty Path Segments (SAP ABAP) [Added]
  • T6466: Ensure UNCONF_PATH_AS_EMPTY is set to ON (SAP ABAP) [Added]
    • P3973: Directory Traversal Vulnerability Risk (SAP ABAP) [Added]
  • T6467: Split message server ports for SAP ABAP application server (SAP ABAP) [Added]
    • P3974: Unsegregated Message Server Ports (SAP ABAP) [Added]
  • T6468: Prohibit external monitoring of the message server (SAP ABAP) [Added]
    • P3975: Inadequate Protection Against External Monitoring (SAP ABAP) [Added]
  • T6469: Deactivate external administration of the message server (SAP ABAP) [Added]
    • P3976: Improper Access Control on Message Server (SAP ABAP) [Added]
  • T6470: Maintain access control list of the message server (SAP ABAP) [Added]
    • P3977: Improper Access Control (SAP ABAP) [Added]
  • T6471: Restrict access control list in message server (SAP ABAP) [Added]
    • P3978: Excessively Permissive Access Control Lists (SAP ABAP) [Added]
  • T6472: Restrict unauthenticated monitoring of SAP message server (SAP ABAP) [Added]
    • P3979: Unauthenticated Monitoring Weakness in SAP Message Server (SAP ABAP) [Added]
  • T6473: Apply MSGSRV-A rules for Java systems (SAP JAVA) [Added]
    • P3980: Improper Configuration on Message Servers (SAP JAVA) [Added]
  • T6474: Secure network configuration for SAP ABAP application server (SAP ABAP) [Added]
    • P3981: Inadequate Network Authorization Checks (SAP ABAP) [Added]
  • T6475: Configure secure network settings for SAP ABAP application server (SAP ABAP) [Added]
    • P3982: Improperly Configured Network Settings (SAP ABAP) [Added]
  • T6476: Configure RFC self-trust profile parameter (SAP ABAP) [Added]
    • P3983: Insecure Trust Relationships (SAP ABAP) [Added]
  • T6477: Disable unused ICF services for SAP ABAP application server (SAP ABAP) [Added]
    • P3984: Exposure of Unnecessary ICF Services (SAP ABAP) [Added]
  • T6478: Configure SAP ABAP application server for secure network (SAP ABAP) [Added]
    • P3985: Missing XML DTD Restriction (SAP ABAP) [Added]
  • T6479: Disable CPIC in SAP ABAP application server (SAP ABAP) [Added]
    • P3986: Exposure through CPIC Interface (SAP ABAP) [Added]
  • T6480: Enable X-Forwarded-For header for SAP ABAP application server (SAP ABAP) [Added]
    • P3987: Improper Handling of Forwarded Client IP Headers (SAP ABAP) [Added]
  • T6481: Protect application server through secure network configuration (SAP ABAP) [Added]
    • P3988: Unrestricted Network Exposure (SAP ABAP) [Added]
  • T6482: Secure network configuration for SAP HANA (SAP HANA) [Added]
    • P3989: Insecure Network Configuration (SAP HANA) [Added]
  • T6483: Operate cloud connector in high availability mode for SAP BTP (SAP BTP) [Added]
    • P3990: Inadequate Redundancy in Cloud Connector Configuration (SAP BTP) [Added]
  • T6484: Disable invoker servlet in SAP Java application server (SAP JAVA) [Added]
    • P3991: Invoker Servlet Default Configuration Weakness (SAP JAVA) [Added]
  • T6485: Delete obsolete clients in SAP ABAP (SAP ABAP) [Added]
    • P3992: Presence of Obsolete Clients in SAP ABAP Application Server (SAP ABAP) [Added]
  • T6486: Delete obsolete tenants in HANA (SAP HANA) [Added]
    • P3993: Retained Obsolete Tenants (SAP HANA) [Added]
  • T6487: Disable scripting completely in SAP ABAP application server (SAP ABAP) [Added]
    • P3994: Unauthorized Script Execution Vulnerability (SAP ABAP) [Added]
  • T6488: Restrict scripting to authorized users only in SAP ABAP application server (SAP ABAP) [Added]
    • P3995: Excessive Privilege Management in Script Execution (SAP ABAP) [Added]
  • T6489: Set scripting parameters for security in SAP ABAP application server (SAP ABAP) [Added]
    • P3996: Improper Restriction of Script-Based Operations (SAP ABAP) [Added]
  • T6490: Enable HttpOnly attribute for system cookies (SAP JAVA) [Added]
    • P3997: Unprotected System Cookies (SAP JAVA) [Added]
  • T6491: Restrict session tracking cookies to HTTPS (SAP JAVA) [Added]
    • P3998: Insecure Transmission of Session Tracking Cookies (SAP JAVA) [Added]
  • T6492: Ensure SQL trace level is not set to ALL_WITH_RESULTS (SAP HANA) [Added]
    • P3999: Insecure SQL Trace Level Configuration (SAP HANA) [Added]
  • T6493: Enable user control for SAP ABAP actions (SAP ABAP) [Added]
    • P4000: Lack of User Control for SAP ABAP Actions (SAP ABAP) [Added]
  • T6494: Set profile parameter auth/check/calltransaction to 2 or 3 (SAP ABAP) [Added]
    • P4001: Insufficient Authorization Checks for Transaction Calls (SAP ABAP) [Added]
  • T6495: Profile parameter auth/no_check_in_some_cases = Y (SAP ABAP) [Added]
    • P4002: Improper Security Authorization Checks (SAP ABAP) [Added]
  • T6496: Set profile parameter auth/object_disabling_active to N in SAP ABAP application server (SAP ABAP) [Added]
    • P4003: Improper Authorization Configuration (SAP ABAP) [Added]
  • T6497: Configure auto-logout for SAP ABAP application server (SAP ABAP) [Added]
    • P4004: Lack of Auto-Logout Mechanism (SAP ABAP) [Added]
  • T6498: Set the parameter rdisp/vbdelete to a value greater than or equal to 400 (SAP ABAP) [Added]
    • P4005: Improper Handling of User Session Expiration (SAP ABAP) [Added]
  • T6499: Activate switchable authorization check framework scenarios (SAP ABAP) [Added]
    • P4006: Lack of Activated SACF Scenarios (SAP ABAP) [Added]
  • T6500: Activate SLDW scenarios in transaction SLDW_COMPARE (SAP ABAP) [Added]
    • P4007: Inactive SLDW Scenarios in SAP ABAP Application Server (SAP ABAP) [Added]
  • T6501: Activate authorization object S_START for Web Dynpro ABAP (SAP ABAP) [Added]
    • P4008: Lack of Authorization Control (SAP ABAP) [Added]
  • T6502: Set profile parameter rfc/authCheckInPlayback to 1 for SAP ABAP application server (SAP ABAP) [Added]
    • P4009: Lack of Playback Authentication Control (SAP ABAP) [Added]
  • T6503: Perform regular security updates for SAP ABAP application server (SAP ABAP) [Added]
    • P4010: Lack of Regular Security Updates (SAP ABAP) [Added]
  • T6504: Review and implement SAP security notes timely (SAP ABAP) [Added]
    • P4011: Lack of Timely Implementation of SAP Security Notes (SAP ABAP) [Added]
  • T6505: Regular security updates for SAP Java application server (SAP JAVA) [Added]
    • P4012: Lack of Regular Security Updates (SAP JAVA) [Added]
  • T6506: Review and implement SAP security notes timely (SAP JAVA) [Added]
    • P4013: Delayed Application of Security Patches (SAP JAVA) [Added]
  • T6507: Regular security updates for SAP HANA (SAP HANA) [Added]
    • P4014: Vulnerabilities in Outdated SAP HANA Deployments (SAP HANA) [Added]
  • T6508: Implement regular security updates for SAP HANA (SAP HANA) [Added]
    • P4015: Lack of Regular Security Updates (SAP HANA) [Added]
  • T6509: Regular security updates for SAP GUI (SAP SAPGUI) [Added]
    • P4016: Outdated Software (SAP SAPGUI) [Added]
  • T6510: Implement regular security updates for SAP GUI (SAP SAPGUI) [Added]
    • P4017: Lack of Regular Security Updates (SAP SAPGUI) [Added]
  • T6511: Regular security updates for cloud connectors on SAP BTP (SAP BTP) [Added]
    • P4018: Outdated Cloud Connectors in SAP BTP (SAP BTP) [Added]
  • T6512: Disable beta features for productive subaccounts (SAP BTP) [Added]
    • P4019: Activation of Beta Features in Productive Subaccounts (SAP BTP) [Added]
  • T6513: Deactivate self-registration of users in the UME (SAP JAVA) [Added]
    • P4020: Permissive User Self-Registration (SAP JAVA) [Added]
  • T6514: Secure default SAP* user configuration (SAP ABAP) [Added]
    • P4021: Insecure Default SAP* User Configuration (SAP ABAP) [Added]
  • T6515: Change default password for user DDIC (SAP ABAP) [Added]
    • P4022: Use of Default Credentials (SAP ABAP) [Added]
  • T6516: Manage standard users in SAP ABAP application server (SAP ABAP) [Added]
    • P4023: Mismanagement of Standard Users in SAP ABAP Application Server (SAP ABAP) [Added]
  • T6517: Change default values and restrict user access (SAP ABAP) [Added]
    • P4024: Improper Default Configuration (SAP ABAP) [Added]
  • T6518: Remove the EARLYWATCH user from all clients (SAP ABAP) [Added]
    • P4025: Existence of Unauthorized Users (SAP ABAP) [Added]
  • T6519: Change default passwords for standard users in SAP ABAP application server (SAP ABAP) [Added]
    • P4026: Default Password Vulnerability (SAP ABAP) [Added]
  • T6520: Deactivate the user SYSTEM (SAP HANA) [Added]
    • P4027: Reliance on Default SYSTEM User (SAP HANA) [Added]
  • T6521: Restrict reference user assignments in SAP ABAP application server (SAP ABAP) [Added]
    • P4028: Improper User Assignment in Identity Management (SAP ABAP) [Added]
  • T6522: Distinguish between platform and business users in SAP BTP (SAP BTP) [Added]
    • P4029: Undifferentiated User Access Management (SAP BTP) [Added]
  • T6523: Use custom identity provider for platform users in SAP BTP (SAP BTP) [Added]
    • P4030: Lack of Custom Identity Provider Implementation (SAP BTP) [Added]
  • T6524: Restrict viewer privileges from external email domains (SAP BTP) [Added]
    • P4031: Inadequate Restriction of Viewer Privileges for External Email Domains (SAP BTP) [Added]
  • T6525: Restrict administrative privileges for platform users (SAP BTP) [Added]
    • P4032: Excessive Privilege Assignment (SAP BTP) [Added]
  • T6526: Provide user base for Cloud Foundry members with a custom identity provider (SAP BTP) [Added]
    • P4033: Reliance on Default Identity Providers (SAP BTP) [Added]
  • T6527: Restrict viewer privileges for Cloud Foundry members with external email domains (SAP BTP) [Added]
    • P4034: Excessive Privileges for External Members (SAP BTP) [Added]
  • T6528: Restrict Cloud Foundry administrative privileges (SAP BTP) [Added]
    • P4035: Excessive Administrative Privileges (SAP BTP) [Added]
  • T6529: Use a custom identity provider for platform users of Neo environment subaccounts (SAP BTP) [Added]
    • P4036: Lack of Customized Identity Management (SAP BTP) [Added]
  • T6530: Avoid default identity provider user classes (SAP BTP) [Added]
    • P4037: Unauthorized Identity Provider User Classes Assignment (SAP BTP) [Added]
  • T6531: Restrict default identity provider usage (SAP BTP) [Added]
    • P4038: Weak Identity Management Practices (SAP BTP) [Added]
  • T6532: Utilize custom identity provider for business users (SAP BTP) [Added]
    • P4039: Decentralized Identity Management Weakness (SAP BTP) [Added]
  • T6533: Restrict user classes for SAP BTP business users (SAP BTP) [Added]
    • P4040: Improper User Classification in SAP BTP Service (SAP BTP) [Added]
  • T6534: Restrict user name characters in SAP ABAP (SAP ABAP) [Added]
    • P4041: Improper Control of User Names (SAP ABAP) [Added]
  • T6535: Enable SNC module for secure network communications (SAP ABAP) [Added]
    • P4042: Insecure Network Communications (SAP ABAP) [Added]
  • T6536: Enforce encryption for SNC setting profile parameters (SAP ABAP) [Added]
    • P4043: Lack of Enforced Encryption for SNC Setting Profile Parameters (SAP ABAP) [Added]
  • T6537: Encrypt inbound RFC or GUI connections (SAP ABAP) [Added]
    • P4044: Unencrypted Inbound Connections (SAP ABAP) [Added]
  • T6538: Encrypt network connections for SAP ABAP application server (SAP ABAP) [Added]
    • P4045: Unencrypted Network Connections (SAP ABAP) [Added]
  • T6539: Enable secure communication for SAP ABAP application server (SAP ABAP) [Added]
    • P4046: Lack of Encryption in Network Communications (SAP ABAP) [Added]
  • T6540: Encrypt network connections to protect SAP ABAP data in transit (SAP ABAP) [Added]
    • P4047: Lack of Network Encryption (SAP ABAP) [Added]
  • T6541: Configure strong encryption for SAP ABAP network connections (SAP ABAP) [Added]
    • P4048: Lack of Encrypted Network Connections (SAP ABAP) [Added]
  • T6542: Set profile parameter snc/permit_insecure_start = 0 (SAP ABAP) [Added]
    • P4049: Insecure Network Connections (SAP ABAP) [Added]
  • T6543: Use HTTPS for network connections (SAP WDISP) [Added]
    • P4050: Lack of HTTPS Implementation in Network Connections (SAP WDISP) [Added]
  • T6544: Use HTTPS port for Web Dispatcher administration (SAP WDISP) [Added]
    • P4051: Unencrypted Network Communication (SAP WDISP) [Added]
  • T6545: Set minimum password length (SAP ABAP) [Added]
    • P4052: Inadequate Password Length Enforcement (SAP ABAP) [Added]
  • T6546: Set maximum idle time for initial password in SAP (SAP ABAP) [Added]
    • P4053: Lack of Maximum Idle Time for Initial Password (SAP ABAP) [Added]
  • T6547: Set password expiration time for SAP ABAP application server (SAP ABAP) [Added]
    • P4054: Reliance on Outdated or Compromised Credentials (SAP ABAP) [Added]
  • T6548: Set login/password_downwards_compatibility to 0 (SAP ABAP) [Added]
    • P4055: Outdated Password Standards Support (SAP ABAP) [Added]
  • T6549: Enforce password compliance to current policy in SAP ABAP application server (SAP ABAP) [Added]
    • P4056: Lack of Password Policy Enforcement (SAP ABAP) [Added]
  • T6550: Remove redundant old downward-compatible password hashes from SAP ABAP application server (SAP ABAP) [Added]
    • P4057: Weak Password Hash Storage (SAP ABAP) [Added]
  • T6551: Set profile parameter icf/reject_expired_passwd to 1 (SAP ABAP) [Added]
    • P4058: Use of Expired Passwords (SAP ABAP) [Added]
  • T6552: Set profile parameter to reject expired passwords (SAP ABAP) [Added]
    • P4059: Use of Expired Passwords in Authentication (SAP ABAP) [Added]
  • T6553: Enhance password policy on SAP ABAP application server (SAP ABAP) [Added]
    • P4060: Weak Password Policy (SAP ABAP) [Added]
  • T6554: Implement password policy on SAP ABAP application server (SAP ABAP) [Added]
    • P4061: Password Management Weakness (SAP ABAP) [Added]
  • T6555: Adjust the rule about the profile parameter describing the password hash algorithm (SAP ABAP) [Added]
    • P4062: Weak Password Hash Algorithm (SAP ABAP) [Added]
  • T6556: Define a rule about profile parameter login/password_logon_usergroup (SAP ABAP) [Added]
    • P4063: Improper Configuration of Authentication Parameters (SAP ABAP) [Added]
  • T6557: Define a rule for additional security policy attributes about ticket logon (SAP ABAP) [Added]
    • P4064: Ticket Logon Policy Configuration Weakness (SAP ABAP) [Added]
  • T6558: Implement password expiration policy for SAP ABAP (SAP ABAP) [Added]
    • P4065: Implementation of Password Expiration Policy (SAP ABAP) [Added]
  • T6559: Implement minimum password length for SAP Java application server (SAP JAVA) [Added]
    • P4066: Insufficient Password Length Enforcement (SAP JAVA) [Added]
  • T6560: Set password expiration policy for SAP Java application server (SAP JAVA) [Added]
    • P4067: Inadequate Password Expiration Policy (SAP JAVA) [Added]
  • T6561: Disable user ID in password for Java application server (SAP JAVA) [Added]
    • P4068: Inclusion of User ID in Passwords Weakness (SAP JAVA) [Added]
  • T6562: Set UME property ume.logon.security_policy.oldpass_in_newpass_allowed to FALSE (SAP JAVA) [Added]
    • P4069: Weak Password Policy Allowing Substring Reuse in New Passwords (SAP JAVA) [Added]
  • T6563: Define password policy rules for SAP Java application server (SAP JAVA) [Added]
    • P4070: Weak Password Policy Configuration (SAP JAVA) [Added]
  • T6564: Implement password history policy (SAP JAVA) [Added]
    • P4071: Password Reuse Weakness (SAP JAVA) [Added]
  • T6565: Set password max idle time for SAP Java application server (SAP JAVA) [Added]
    • P4072: Stale Password Exploitation Risk (SAP JAVA) [Added]
  • T6566: Set password policy parameters for SAP HANA (SAP HANA) [Added]
    • P4073: Weak Password Policy in Authentication Mechanism (SAP HANA) [Added]
  • T6567: Enforce password change at first logon (SAP HANA) [Added]
    • P4074: Use of Default or Compromised Credentials at Initial Login (SAP HANA) [Added]
  • T6568: Limit password lifetime for users in SAP HANA (SAP HANA) [Added]
    • P4075: Infrequent Password Changes (SAP HANA) [Added]
  • T6569: Implement password policy in SAP HANA (SAP HANA) [Added]
    • P4076: Lack of Robust Password Policy Management (SAP HANA) [Added]
  • T6570: Implement password reuse policy in SAP HANA (SAP HANA) [Added]
    • P4077: Password Reuse Risk (SAP HANA) [Added]
  • T6571: Define a password complexity rule for SAP HANA (SAP HANA) [Added]
    • P4078: Weak Password Handling (SAP HANA) [Added]
  • T6572: Enforce a maximum number of failed logon attempts (SAP HANA) [Added]
    • P4079: Lack of Account Lockout Mechanism (SAP HANA) [Added]
  • T6573: Lock user SYSTEM after failed logon attempts (SAP HANA) [Added]
    • P4080: Risk of Unrestricted Login Attempts (SAP HANA) [Added]
  • T6574: Implement password lockout policy on SAP HANA (SAP HANA) [Added]
    • P4081: Lack of Password Lockout Policy (SAP HANA) [Added]
  • T6575: Enforce minimum password lifetime policy (SAP HANA) [Added]
    • P4082: Frequent Password Changes Allow Immediate Reuse (SAP HANA) [Added]
  • T6576: Set password_expire_warning_time to at least 7 days (SAP HANA) [Added]
    • P4083: Inadequate Password Expiration Warning Notification (SAP HANA) [Added]
  • T6577: Maintain RFC gateway access control lists (SAP ABAP) [Added]
    • P4084: Lack of RFC Gateway Access Control (SAP ABAP) [Added]
  • T6578: Set SAP application server profile parameters (SAP ABAP) [Added]
    • P4085: Improper Access Control via Misconfigured SAP ABAP Gateway Parameters (SAP ABAP) [Added]
  • T6579: Configure SAP gateway security profile parameter (SAP ABAP) [Added]
    • P4086: Lack of Secure Configuration in SAP Gateway (SAP ABAP) [Added]
  • T6580: Enable RFC gateway default "initial security environment" (SAP ABAP) [Added]
    • P4087: Lack of Access Control Lists in RFC Gateway (SAP ABAP) [Added]
  • T6581: Set RFC gateway monitoring to local only (SAP ABAP) [Added]
    • P4088: Unauthorized Remote Monitoring of RFC Gateway (SAP ABAP) [Added]
  • T6582: Disable simulation mode in SAP gateway (SAP ABAP) [Added]
    • P4089: Simulation Mode Enabled (SAP ABAP) [Added]
  • T6583: Start programs via acceptable methods in SAP RFC gateway (SAP ABAP) [Added]
    • P4090: Unauthorized Program Start via RFC Gateway (SAP ABAP) [Added]
  • T6584: Set profile parameter gw/acl_mode_proxy to 1 (SAP ABAP) [Added]
    • P4091: Lack of Access Control on RFC Gateway (SAP ABAP) [Added]
  • T6585: Implement RFC gateway security for SAP services (SAP JAVA) [Added]
    • P4092: Unauthorized Remote Function Call Execution (SAP JAVA) [Added]
  • T6586: Define trusting relations between ABAP-based systems (SAP ABAP) [Added]
    • P4093: Improper Trust Management (SAP ABAP) [Added]
  • T6587: Define only required trusting relationships in called systems (SAP ABAP) [Added]
    • P4094: Excessive Trusting Relationships (SAP ABAP) [Added]
  • T6588: Define only required trusted destinations (SAP ABAP) [Added]
    • P4095: Overextended Trust Relationships (SAP ABAP) [Added]
  • T6589: Migrate trusting relationships to latest security method (SAP ABAP) [Added]
    • P4096: Legacy Security Protocols in Trusting Relationships (SAP ABAP) [Added]
  • T6590: Use SNC or TLS on top of trusted connections (SAP ABAP) [Added]
    • P4097: Insecure Communication Risks (SAP ABAP) [Added]
  • T6591: Configure trusting relationships in SAP ABAP application server (SAP ABAP) [Added]
    • P4098: Improper Trusting Relationship Configuration (SAP ABAP) [Added]
  • T6592: Set profile parameter rfc/selftrust = 0 (SAP ABAP) [Added]
    • P4099: Implicit Self-Trust in RFC Communication (SAP ABAP) [Added]
  • T6593: Assign authorizations to manage trusting relations (SAP ABAP) [Added]
    • P4100: Inadequate Management of Trusting Relations (SAP ABAP) [Added]
  • T6594: Control authorizations in called systems for SAP ABAP application server (SAP ABAP) [Added]
    • P4101: Improper Authorization Management in Trusting Relationships (SAP ABAP) [Added]
  • T6595: Use authorization object S_ICF in calling systems for SAP ABAP application server (SAP ABAP) [Added]
    • P4102: Missing or Improper Use of Authorization Object S_ICF for Communication Security (SAP ABAP) [Added]
  • T6596: Set profile parameter rfc/allowoldticket4tt to no (SAP ABAP) [Added]
    • P4103: Acceptance of Old Trusted Tickets (SAP ABAP) [Added]
  • T6597: Enforce HTTPS for SSO tickets (SAP ABAP) [Added]
    • P4104: Insecure Transmission of SSO Tickets (SAP ABAP) [Added]
  • T6598: Set SAP profile parameter for ticket host restriction (SAP ABAP) [Added]
    • P4105: Unrestricted SSO Ticket Utilization (SAP ABAP) [Added]
  • T6599: Set HttpOnly attribute for ICF logon cookie in SAP ABAP application server (SAP ABAP) [Added]
    • P4106: Absence of HTTPonly Attribute on ICF Logon Cookies (SAP ABAP) [Added]
  • T6600: Configure profile parameter for SAP SSO (SAP ABAP) [Added]
    • P4107: Improper Authentication of SAP Tickets (SAP ABAP) [Added]
  • T6601: Enforce secure cookie transmission (SAP JAVA) [Added]
    • P4108: Insecure Cookie Transmission (SAP JAVA) [Added]
  • T6602: Set ume.logon.httponlycookie to true (SAP JAVA) [Added]
    • P4109: Unprotected Logon Cookies from JavaScript Access (SAP JAVA) [Added]
  • T6603: Configure SAP logon ticket lifetime (SAP JAVA) [Added]
    • P4110: Improper Management of Authentication Tokens (SAP JAVA) [Added]
  • T6604: Set the portal.alias.security.enforce_secure_cookie property value to true (SAP JAVA) [Added]
    • P4111: Insecure Cookie Transmission Risk (SAP JAVA) [Added]
  • T6605: Avoid using ABAP authorization profile SAP_ALL (SAP ABAP) [Added]
    • P4112: Excessive Privilege Assignment through ABAP Authorization Profile SAP_ALL (SAP ABAP) [Added]
  • T6606: Avoid using SAP_NEW authorization profile and role in SAP ABAP application server (SAP ABAP) [Added]
    • P4113: Excessive Authorization Profile Usage in SAP ABAP Application Server (SAP ABAP) [Added]
  • T6607: Control assignment of critical Basis authorizations (SAP ABAP) [Added]
    • P4114: Excessive Assignment of Critical Authorizations (SAP ABAP) [Added]
  • T6608: Manage authorizations for SAP ABAP application server (SAP ABAP) [Added]
    • P4115: Improper Authorization Management (SAP ABAP) [Added]
  • T6609: Avoid granting broad authorizations in SAP systems (SAP ABAP) [Added]
    • P4116: Broad Authorization Weakness in SAP Systems (SAP ABAP) [Added]
  • T6610: Manage authorization to start reports in SAP ABAP application server (SAP ABAP) [Added]
    • P4117: Inadequate Authorization Controls (SAP ABAP) [Added]
  • T6611: Restrict critical authorization for debug and replace on SAP ABAP application server (SAP ABAP) [Added]
    • P4118: Inadequate Control over Debug and Replace Authorizations (SAP ABAP) [Added]
  • T6612: Manage critical authorizations in SAP ABAP application server (SAP ABAP) [Added]
    • P4119: Inadequate Management of Critical Authorizations (SAP ABAP) [Added]
  • T6613: Administer RFC connections (SAP ABAP) [Added]
    • P4120: Improper Authorization Management for RFC Connections (SAP ABAP) [Added]
  • T6614: Restrict function module execution authorizations in SAP (SAP ABAP) [Added]
    • P4121: Unrestricted Execution of Function Modules (SAP ABAP) [Added]
  • T6615: Authorization to execute all class methods (SAP ABAP) [Added]
    • P4122: Unrestricted Execution of Class Methods (SAP ABAP) [Added]
  • T6616: Manage user authorizations in SAP ABAP application server (SAP ABAP) [Added]
    • P4123: Improper user authorizations in SAP ABAP application server (SAP ABAP) [Added]
  • T6617: Manage SAP ABAP application server user authorizations (SAP ABAP) [Added]
    • P4124: Improper SAP ABAP application server user authorizations (SAP ABAP) [Added]
  • T6618: Restrict authorization group changes for SAP tables (SAP ABAP) [Added]
    • P4125: Improper authorization group changes for SAP tables (SAP ABAP) [Added]
  • T6619: Administer SAP queries (SAP ABAP) [Added]
    • P4126: Inadequate Control over Query Administration Permissions (SAP ABAP) [Added]
  • T6620: Manage SAP ABAP application server RFC authorizations (SAP ABAP) [Added]
    • P4127: Unrestricted RFC Authorization (SAP ABAP) [Added]
  • T6621: Restrict authorization to execute update commands in DBA Cockpit SQL editor (SAP ABAP) [Added]
    • P4128: Improper Authorization Assignment for Update Commands (SAP ABAP) [Added]
  • T6622: Authorization to read all database tables (SAP ABAP) [Added]
    • P4129: Improper Access Control for Database Tables (SAP ABAP) [Added]
  • T6623: Protection of password hashes in ABAP systems (SAP ABAP) [Added]
    • P4130: Insufficient Protection of Password Hashes (SAP ABAP) [Added]
  • T6624: Ensure tables USR02, USH02, and USRPWDHISTORY are assigned to table authorization group SPWD (SAP ABAP) [Added]
    • P4131: Inadequate Access Controls for Critical SAP Tables (SAP ABAP) [Added]
  • T6625: Protect access to sensitive SAP tables (SAP ABAP) [Added]
    • P4132: Unauthorized Access to Critical Tables in SAP ABAP Application Server (SAP ABAP) [Added]
  • T6626: Restrict administrator group membership (SAP JAVA) [Added]
    • P4133: Excessive Privilege Allocation (SAP JAVA) [Added]
  • T6627: Avoid granting DATA ADMIN system privilege (SAP HANA) [Added]
    • P4134: Excessive Privilege Assignment (SAP HANA) [Added]
  • T6628: Restrict role collection assignment in SAP BTP (SAP BTP) [Added]
    • P4135: Excessive Privileges and Role Assignment (SAP BTP) [Added]
  • T6629: Limit assignment of critical subaccount roles (SAP BTP) [Added]
    • P4136: Unrestricted Assignment of Critical Roles (SAP BTP) [Added]
  • T6630: Minimize assignment of Cloud Foundry roles (SAP BTP) [Added]
    • P4137: Improper assignment of Cloud Foundry roles (SAP BTP) [Added]
  • T6631: Restrict assignment of critical platform roles (SAP BTP) [Added]
    • P4138: Excessive Role Assignment (SAP BTP) [Added]
  • T6632: Assign custom platform roles sparingly in SAP BTP (SAP BTP) [Added]
    • P4139: Inadequate Role Assignment and Access Control in SAP BTP (SAP BTP) [Added]
  • T6633: Restrict HTML5 application permission in Neo environment (SAP BTP) [Added]
    • P4140: Improper Permission Assignment in HTML5 Applications (SAP BTP) [Added]
  • T6634: Implement dedicated HTML5 application permission in Neo environment (SAP BTP) [Added]
    • P4141: Improper Role-Based Access Control in Application Descriptor (SAP BTP) [Added]
  • T6635: Limit OAuth clients to necessary scopes in SAP BTP Neo environment (SAP BTP) [Added]
    • P4142: Excessive OAuth Scope Authorization (SAP BTP) [Added]
  • T6636: Prohibit direct user assignments while exporting transports (SAP ABAP) [Added]
    • P4143: Unauthorized Role Assignments During Transport (SAP ABAP) [Added]
  • T6637: Prohibit direct user assignments while importing transports (SAP ABAP) [Added]
    • P4144: Improper Authorization Management in Transport Processes (SAP ABAP) [Added]
  • T6638: Avoid individual user-to-role assignments in Java applications (SAP BTP) [Added]
    • P4145: Improper Management of User-to-Role Assignments (SAP BTP) [Added]
  • T6639: Avoid individual user-to-role assignments in Neo environment subaccounts (SAP BTP) [Added]
    • P4146: Risk of Unauthorized Access Due to Individual User-to-Role Assignments (SAP BTP) [Added]
  • T6640: Manage roles centrally for SAP BTP Neo Java and HTML5 applications (SAP BTP) [Added]
    • P4147: Inappropriate Individual User-to-Role Assignments (SAP BTP) [Added]
  • T6641: Set an individual main key for SAP ABAP application server (SAP ABAP) [Added]
    • P4148: Lack of Unique Encryption Key Configuration (SAP ABAP) [Added]
  • T6642: Activate encryption for secure store (SAP JAVA) [Added]
    • P4149: Sensitive Data Storage without Encryption (SAP JAVA) [Added]
  • T6643: Activate SAP security audit log (SAP ABAP) [Added]
    • P4150: Insufficient Logging for Security Events (SAP ABAP) [Added]
  • T6644: Define and activate security audit log slots in SAP ABAP application server (SAP ABAP) [Added]
    • P4151: Insufficient Auditing of Critical Users and Events (SAP ABAP) [Added]
  • T6645: Activate monitoring of the Internet Communication Manager for SAP ABAP application server (SAP ABAP) [Added]
    • P4152: Lack of Monitoring in Internet Communication Manager (SAP ABAP) [Added]
  • T6646: Activate monitoring of the message server (SAP ABAP) [Added]
    • P4153: Lack of Message Server Logging (SAP ABAP) [Added]
  • T6647: Validate XML documents from untrusted sources in SAP NetWeaver Administrator (SAP JAVA) [Added]
    • P4154: Inadequate XML Document Validation (SAP JAVA) [Added]
  • T6648: Enable HANA auditing status (SAP HANA) [Added]
    • P4155: Lack of Auditing Capabilities (SAP HANA) [Added]
  • T6649: Set audit trail targets in SAP HANA (SAP HANA) [Added]
    • P4156: Improper Audit Trail Configuration in SAP HANA (SAP HANA) [Added]
  • T6650: Define audit policies according to best practices (SAP HANA) [Added]
    • P4157: Lack of Comprehensive Audit Policies (SAP HANA) [Added]
  • T6651: Implement regular audit log fetching and storage (SAP BTP) [Added]
    • P4158: Insufficient Audit Log Management (SAP BTP) [Added]
  • T6652: Set audit log level of cloud connector(s) to security (SAP BTP) [Added]
    • P4159: Insufficient Logging and Monitoring (SAP BTP) [Added]
  • Changes to Project Properties and Profiles

    • Q193: Components
      • Q101: Components In Development
        • A1077: Hardware [Updated]
          • INFO: Updated the text and children.
    • Q237: Compliance Scope: Other
      • Q519: SAP Security Baseline Template [Added]
        • A2360: SAP ABAP Application Server [Added]
        • A2361: SAP Java Application Server [Added]
        • A2362: SAP High-performance ANalytic Application (HANA) [Added]
        • A2363: SAP Graphical User Interface (GUI) [Added]
        • A2364: SAP Business Technology Platform (BTP) [Added]
        • A2365: Host Operating System for SAP Servers [Added]
        • A2366: SAP Web Dispatcher [Added]
    • Q307: Containerization
      • Q308: Containerization Technologies
        • A1926: Singularity (Apptainer) [Updated]
          • INFO: Updated the text.
    • Q362: Microsoft Azure
      • Q306: Azure Services
        • A1197: Azure Active Directory (Entra ID) [Updated]
          • INFO: Updated the text.
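
Several of the SAP ABAP tasks above come down to profile parameters with one acceptable value (gw/acl_mode_proxy = 1, rfc/selftrust = 0, rfc/allowoldticket4tt = no, gateway monitoring local only, simulation mode off, HTTPS-only SSO tickets, security audit log active). The script below is an added illustration of how a practitioner would check a downloaded profile against those values; it is not part of SD Elements or the SAP Security Baseline Template. It assumes the SAP profile format (plain "name = value" lines, '#' comments, last occurrence wins, instance profile overriding the default profile), and the expected values for parameters whose value the release notes do not spell out (gw/acl_mode = 1, gw/sim_mode = 0, gw/monitor = 1, login/ticket_only_by_https = 1, login/ticket_only_to_host = 1, rsau/enable = 1) are taken from common baseline practice and should be confirmed against the baseline revision being assessed. The sample profiles are constructed, not from any real system.

```python
"""Audit SAP ABAP profile parameters against the gateway, trust, SSO and
audit-log settings named in the SAP Security Baseline content above.

Added illustration, not SD Elements or SAP content. Assumptions: profiles are
plain "name = value" lines with '#' comments, the last occurrence of a name
wins, the instance profile overrides the default profile, and the EXPECTED
values for parameters the release notes do not spell out follow common
baseline practice (verify against the baseline revision you are assessing).
"""
from __future__ import annotations

from dataclasses import dataclass

EXPECTED: dict[str, str] = {
    "gw/acl_mode": "1",                 # "initial security environment" for secinfo/reginfo
    "gw/sim_mode": "0",                 # simulation mode off: ACL denials are enforced
    "gw/monitor": "1",                  # gateway monitoring from the local host only
    "gw/acl_mode_proxy": "1",           # value named in T6584
    "rfc/selftrust": "0",               # value named in T6592
    "rfc/allowoldticket4tt": "no",      # value named in T6596
    "login/ticket_only_by_https": "1",  # SSO ticket cookie only over HTTPS
    "login/ticket_only_to_host": "1",   # ticket bound to the issuing host
    "rsau/enable": "1",                 # security audit log active
}


@dataclass(frozen=True)
class Finding:
    param: str
    status: str  # "WEAK": set to a non-baseline value; "UNSET": kernel default applies
    actual: str | None
    expected: str


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines; comments and blanks are skipped, last value wins."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not an assignment line; ignore it
        params[name.strip()] = value.strip()
    return params


def merge_profiles(default_profile: str, instance_profile: str) -> dict[str, str]:
    """Instance-profile values override default-profile values (assumed SAP precedence)."""
    merged = parse_profile(default_profile)
    merged.update(parse_profile(instance_profile))
    return merged


def audit(params: dict[str, str]) -> list[Finding]:
    """Compare effective parameters with EXPECTED; values compare case-insensitively,
    so 'NO' and 'no' are the same setting. A missing parameter is reported as UNSET
    because the kernel default then applies and must be verified separately (RZ11)."""
    findings: list[Finding] = []
    for name, expected in EXPECTED.items():
        actual = params.get(name)
        if actual is None:
            findings.append(Finding(name, "UNSET", None, expected))
        elif actual.lower() != expected.lower():
            findings.append(Finding(name, "WEAK", actual, expected))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """One human-readable line per finding."""
    lines: list[str] = []
    for f in findings:
        shown = "<not set>" if f.actual is None else f.actual
        lines.append(f"{f.status:5} {f.param} = {shown} (baseline: {f.expected})")
    return lines


# Constructed sample profiles (not taken from any real system).
SAMPLE_DEFAULT_PROFILE = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = ABC
rsau/enable = 1
login/ticket_only_by_https = 0
"""

SAMPLE_INSTANCE_PROFILE = """\
# ABC_D00_host01 (constructed sample)
INSTANCE_NAME = D00
gw/acl_mode = 0
gw/sim_mode = 1
gw/monitor = 2
rfc/selftrust = 0
rfc/allowoldticket4tt = NO
login/ticket_only_by_https = 1
"""

if __name__ == "__main__":
    effective = merge_profiles(SAMPLE_DEFAULT_PROFILE, SAMPLE_INSTANCE_PROFILE)
    for line in report(audit(effective)):
        print(line)
```

On the sample input the instance profile's login/ticket_only_by_https = 1 overrides the weak default-profile value, the three gateway parameters are flagged as WEAK, and gw/acl_mode_proxy and login/ticket_only_to_host are flagged as UNSET. Treat UNSET as a finding in its own right: on many kernels the default for the gateway ACL parameters is the permissive value, so "not set" is not the same as "hardened".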

2026.3.1 | February 28, 2026

No updates.

2026.2.2 | February 28, 2026

SDE v2026.2.2

New features and enhancements 2026.2.2

  • Jira to SDE Comment Sync Capability

    • Added the ability to sync Jira Comments from an Issue back to the corresponding SDE Countermeasure Task Notes.
    • This sync is built into the existing sync schedule
  • Scan a Repository: Gitlab

    • Added an improvement to retrieve a larger number of repositories under a user connection

Content updates 2026.2.2

  • Minor improvements to the applicability criteria of some of our hardware content, and merged the answer "A1301: Firmware and software development for hardware is in scope" with "A2322: Firmware"

2026.2.1 | February 14, 2026

SDE v2026.2.1

New features and enhancements 2026.2.1

  • AI Navigator

    • Added a new disclaimer when AI Services are deployed
    • Navigator is disabled by default once the service is enabled
  • New Release Carry-Over Changes

    • Separated and created Task Notes and independent carry-over option so they are no longer grouped with Status/Weakness carry-over
  • Evidence Linking, Verification Notes

    • Included UX pinning on the Verification Notes tab under a Countermeasure, which allows users to pin the most important notes in the convenience of the UX
  • Scan a Repository: GitHub
    • Added a fix to retrieve a larger number of repositories under a user connection

2026.1.1 | January 31, 2026

SDE v2026.1.1.4

New features and enhancements 2026.1.1

  • New Library Import/Export

    • Added Glossary, Regulations, and Regulations Sections
    • Added the ability for a user to import or export changes in bulk pertaining to Glossary, Regulations, and Regulation Sections in the new Import/Export
  • New Library Threats MAESTRO Mapping

    • Added the ability for a user to create or modify MAESTRO threat mapping on Library threats
