Nowadays, most medium and large enterprises in the world rely on information systems to manage their key business processes. Examples of this type of system are solutions for Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Supplier Relationship Management (SRM), Supply Chain Management (SCM), Product Life-cycle Management (PLM), Human Capital Management (HCM), Business Intelligence (BI), Integration Platforms, etc. Industry-recognized software products in this area include SAP NetWeaver-based solutions and the SAP R/3 platform, Oracle E-Business Suite, JD Edwards EnterpriseOne, PeopleSoft, Siebel and Microsoft Dynamics. These products are used in most of the Fortune-100 and large governmental organizations in the world. SAP alone has more than 90,000 customers in more than 120 countries.
These systems are in charge of processing sensitive business information and managing key processes across the organization, such as procurement, billing, invoicing, financial planning, production, payroll management, etc. The confidentiality, integrity and availability of this information are therefore critical for the security and continuity of the business.
For the purposes of this document, the architecture of these business-critical systems can be represented as in FIG. 1.
So far, most of the existing solutions for evaluating the security of these systems are designed to work on two layers: the functional layer [21] and the base layer. In the functional layer [21], solutions are designed to check mainly for Segregation of Duties violations. Solutions of this kind contain a comprehensive matrix of incompatible business functions and their mappings to the systems' related technical authorizations. On the other hand, solutions working at the base layer mainly involve checking for security vulnerabilities in the base Operating System [24] and Database [23] layers of the systems.
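The functional-layer check described above, worked as an added example (not code from this document or from any vendor product): a matrix of incompatible business functions, each mapped to the technical authorizations that grant it, is evaluated against the authorizations assigned to users. All function names, authorization names and user assignments below are constructed placeholders, not real SAP authorization objects.

```python
"""Functional-layer Segregation of Duties (SoD) check: incompatible
business functions, mapped to technical authorizations, evaluated
against per-user authorization assignments. All names are constructed."""

# Constructed SoD matrix: pairs of business functions one user must not hold.
INCOMPATIBLE_FUNCTIONS = {
    frozenset({"maintain_vendor_master", "post_vendor_payment"}),
    frozenset({"create_purchase_order", "approve_purchase_order"}),
}

# Constructed mapping from business function to the set of technical
# authorizations that, held together, grant that function.
FUNCTION_TO_AUTHS = {
    "maintain_vendor_master": {"AUTH_VENDOR_MAINT"},
    "post_vendor_payment": {"AUTH_PAYMENT_POST", "AUTH_FI_DOC_CREATE"},
    "create_purchase_order": {"AUTH_PO_CREATE"},
    "approve_purchase_order": {"AUTH_PO_RELEASE"},
}

# Constructed sample user-to-authorization assignments.
SAMPLE_USERS = {
    "alice": ["AUTH_VENDOR_MAINT", "AUTH_PAYMENT_POST", "AUTH_FI_DOC_CREATE"],
    "bob": ["AUTH_PO_CREATE"],
    "carol": ["AUTH_PO_CREATE", "AUTH_PO_RELEASE", "AUTH_PAYMENT_POST"],
}


def functions_granted(user_auths):
    """Business functions the user can perform: those whose full set of
    required authorizations is contained in what the user holds."""
    return {f for f, req in FUNCTION_TO_AUTHS.items() if req <= user_auths}


def sod_conflicts(user_auths):
    """Incompatible function pairs the user holds at the same time,
    returned as sorted tuples for deterministic reporting."""
    held = functions_granted(set(user_auths))
    found = [pair for pair in INCOMPATIBLE_FUNCTIONS if pair <= held]
    return sorted(tuple(sorted(p)) for p in found)


def audit_users(users):
    """Map each user with at least one SoD conflict to that user's conflicts."""
    report = {}
    for user, auths in users.items():
        conflicts = sod_conflicts(auths)
        if conflicts:
            report[user] = conflicts
    return report


if __name__ == "__main__":
    for user, conflicts in audit_users(SAMPLE_USERS).items():
        print(user, conflicts)
```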
While this kind of security assessment is of absolute importance, it has been noted that the security and auditing industry has so far been overlooking a major source of risk: the security of the technological components of these systems [22]. Each of these applications is developed using complex proprietary (as well as open) runtime platforms, specific protocols and security architectures. Due to the high complexity involved in proper security evaluation and assessment of this layer, added to the lack of consistent public information on the subject, its security is usually disregarded in the implementation phase and is not covered in later security audits of the systems either.
It is important to note that, despite being commonly disregarded, many of the threats in this layer carry higher levels of risk than those in the functional layer [21], for the following reasons:
- The cyber attacker does not need to have a user account in the target system, which increases the likelihood of attacks.
- As many cyber attacks can be performed remotely and anonymously, tracing the attacker back to his source location can be far more complicated than detecting local attackers.
- In order to perform attacks at the functional layer [21], a high level of knowledge about internal business processes and controls is usually required. Attacks on the technological layer [22] can be performed automatically, even using public exploits available on the Internet.
According to the practical experience of consultants engaged in specialized security assessments for worldwide customers, more than 95% of the evaluated systems were susceptible to sabotage, espionage and fraud attacks due to information security risks in their technological components. Surprisingly, many of those systems had passed regulatory compliance audits in the past.
It is also important to note that the relevance of this subject has grown radically in recent years. This is clearly reflected in the growth of related presentations at international security conferences and the increased number of technical security vulnerabilities being disclosed. It should be noted that the number of SAP security notes released each year has experienced rapid growth in recent years, increasing by more than 3800% when comparing 2010 to 2007.
Performing this kind of comprehensive assessment through a manual approach is not feasible from a cost perspective, as common implementations of these systems can feature several dozen up to hundreds of Application Servers, each one comprising several security aspects to be reviewed.
At the same time, there are some solutions which try to automate some of these checks, such as the SAP Security Optimization Self-Service application, but they present several caveats that make them impractical for use as a security solution for professional security assessments and audits, such as:
- It must be run from within an SAP system, meaning that the system used for evaluation could be the same as the one being evaluated. This is contrary to basic audit principles, which state that the auditing and the audited systems must be different in order to ensure the integrity of the audit results.
- Related to the prior point, the fact that the assessments are executed from within an SAP system forces the user to have explicit SAP operation knowledge to successfully use the system.
- Reduced customization possibilities. The user cannot perform fine-grained configuration of the checks to execute and their settings, and thus cannot check the system against different external or internal policies.
- Low number of audit checks. Most of the checks are related to Segregation of Duties controls and the review of critical technical authorizations assigned to users. Many security settings are thus not evaluated automatically by the application, leaving an open gap for potential cyber attacks.
- Lack of support for SAP Java platforms. The application can only perform checks for SAP ABAP platforms.
- No blind discovery capabilities. The application can only evaluate systems manually configured by the user. This becomes highly impractical in large environments with hundreds or thousands of systems.
- No black-box vulnerability assessment capabilities. The application only performs white-box security reviews.
- No risk illustration. The application does not support the execution of risk illustration activities in order to demonstrate the real risk of detected security issues.
Other existing automated security software does not currently present reliable and advanced features to identify security risks affecting business-critical applications with a holistic approach (combining white-box reviews, black-box assessment and risk illustration activities), which results in a lack of detection of existing risks and generates a false sense of security for the organizations relying on it.
In view of the shortcomings discussed above, there is a need for systems and methods for performing automated security assessments of business-critical systems that take an entirely fresh approach and overcome the drawbacks of the conventional techniques.