SAP
Product Security Sr Specialist - Business Data Cloud Security & Compliance
About SAP
SAP SE is a German multinational software corporation founded in 1972 by five former IBM employees. Headquartered in Walldorf, Germany, SAP has become one of the largest enterprise software companies in the world, specializing in real-time data processing and business application software. In 2021, the company reported revenues of €27.8 billion, ranking third in the industry behind Microsoft and Oracle. SAP's core offerings include enterprise resource planning (ERP) software, which facilitates centralized data management and real-time information flow across organizations. Key products include SAP ERP, S/4HANA, and SAP HANA, an in-memory platform for analytics and data processing. The company also provides solutions like SAP NetWeaver for integration and SAP Fiori for user experience design. In addition to software, SAP offers services such as implementation, consulting, and training to support business transformations across various industries globally.
Security at SAP
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
- Stated AppSec mission / Secure SDLC: "secure development and operations lifecycle (SDOL) involves risk, privacy, and ethics assessments" (SDOL document).
- Developer enablement vs gatekeeping: "act as a security champion to help build a culture that sees security as an enabler." (Product Security job posting).
- Risk philosophy: "architecture threat modeling" (SDOL document).
- Stated pain points / goals: "Vulnerability Management remains a top priority" (Product Security job posting).
- "Identify vulnerabilities early" (Application Vulnerability Report).
- Gaps: No public, verbatim statement found that frames AppSec explicitly as "developer-first" versus "gatekeeping" beyond the security-champion language.
Security Team
Org structure / reporting: No public, verbatim statement found describing the AppSec reporting chain (for example, a reporting line to the CISO or CTO). Information not publicly available.

Key public-facing leaders (public profiles found):
- Siddhartha Rao, Global Vice President in-charge of Product Security at SAP SE — https://de.linkedin.com/in/siddhartharao — Key quote: "Global Vice President in-charge of Product Security at SAP SE" (LinkedIn).
- Sebastian Lange, Chief Security Officer @ SAP — https://www.linkedin.com/in/selange — Key quote: "Chief Security Officer @ SAP" (LinkedIn).
- Darryl Zietlow, SAP Application Security Manager — https://www.linkedin.com/in/darrylzietlow — Key quote: "SAP Application Security Manager" (LinkedIn).

Team size estimate (as_of:): Information not publicly available. LinkedIn search query used: site:linkedin.com "Application Security" "SAP" (no authoritative headcount found).

Active AppSec job postings (as_of:): Count: at least 2 product/AppSec-focused roles located on jobs.sap.com (examples listed below).

Common skills/tools in job postings: "Proficiency with Vulnerability Management Tools (e.g. Tenable.io, Tenable Security Center, Rapid7 InsightVM)" and emphasis on cloud/container knowledge.

Gaps: No public, verbatim org chart or headcount for AppSec; no public, verbatim description of the team reporting chain.
Key Initiatives
Security Champions Program: Status: Evidence Found.
- Quote: "Security Champions are equipped with the security mindset to act as points of contact" (Credly badge for SAP Security Champion).
- Quote: "act as a security champion to help build a culture that sees security as an enabler." (Product Security job posting).

"Shift Left" in practice: Mixed evidence.
- Quote showing a runtime focus: "Instead of a shift-left support approach during pipeline runs, this service provides security-relevant information for what has already been deployed." (Application Vulnerability Report).
- Quote showing secure development practices in SDOL: "guidelines for secure programming and code reviews" (SDOL document).

Vulnerability Management Process:
- Intake sources: "routine scans of external-facing web infrastructure and third-party penetration tests", "red team testing", and "bug bounty programs." (Trust Center and SDOL).
- Process / triage: Job posting references "established and matured cross-company processes around vulnerability management including operating models, maturity models, Service Level Agreement (SLA)/Service Level Objectives (SLOs)" (Product Security job posting).
- Gaps: No public, verbatim SLAs, MTTR targets, or explicit ticketing ownership details found. Information not publicly available.

Secure SDLC artifacts: "guidelines for secure programming and code reviews", "architecture threat modeling", "bug bounty programs" (SDOL document).

Recent initiatives (last 6 months as_of):
- Application Vulnerability Report for SAP BTP (Cloud Foundry) announced (beta, Dec 8, 2025) with runtime scanning using Trivy/OSV and a proprietary scanning layer.
- SDOL documentation updated/available as of Jan 1, 2026 (secure SDOL description).
- Gaps & contradictions: The Application Vulnerability Report explicitly states it focuses on runtime scanning "instead of a shift-left support approach", while SDOL lists secure development guidance; no public, verbatim unified workflow describing how SAP balances pipeline shift-left scanning with runtime scanning.