6 posts • joined 18 Jun 2013
SAP Understands football better than er...football
NFL prediction wasn't quite so accurate
Re: Slow And Painful
SAP have really upped their game in the security area over the last 5 years. While many, many customers subscribe to security by obscurity, the same doesn't apply to SAP.
The problem is that many customers will not invest in securing their assets using standard mechanisms that SAP have provided for years, party because it is, just like you say, an utter faff to patch around release cycles.
Yet another exploit facilitated through too much RFC access. Who woulda thunk it.
Plenty are at it
I've got plenty of clients who have done the same. Set up an entity in a low(sh)-tax location e.g. Switzerland.
Step 1. Transport some staff to Head Office & claim that's where decisions are made, sales happen & risk is taken (therefore where tax should be paid)
Step 2. Set up new companies overseas & transfer manufacturing, service, distribution and local procurement into those companies.
Step 3. Operate tolling system where H/O owns stock & pays local manufacturers to covert raw materials into product & ship on behalf of Head Office.
A few honchos move, lots of people get new contracts in the new companies.
Nothing new here
We've been able to find SAP systems through internet searches since the days of ITS and early SAP Portal. It would have been a trivial matter to try some default user accounts.
Other posters have commented on the reality of the tests & possible scaremongering tactics. For all their sins SAP does generally produce reasonably secure software. The problem is that most of those paid to secure it do not understand how to secure the assets using standard delivered SAP functionality and standard security techniques.
Unfortunately this is no surprise to many of us working in the SAP security field. SAP are working very hard to improve, unfortunately clients are struggling to care.
Some key themes:
1. Security admins main knowledge is around building roles/permission structures and user admin. The technical side is neglected (despite being covered quite well in certification) and there is a big gap.
2. Patching is time consuming and many organisations require full regression testing for each set of patches. Across 20 productive systems (each with a supporting application stack of 2-5 systems) covering a full scope of business processes that comes at quite a cost (though not as much as a breach of course).
3. IS teams rarely talk to SAP teams. SAP has been treated as a silo & there is a disconnect between IS and their SAP counterparts. Many SAP admins do not understand the impact of vulnerabilities, the IS teams struggle to use terms that the SAP guys understand.
Fortunately some people do "get it" and plenty of orgs are doing good stuff & SAP is committed to make it easy for people to do the right thing.
Disclaimer: I work for a company doing security for SAP
- Breaking Fad 4K-ing excellent TV is on its way ... in its own sweet time, natch
- Was Earth once covered in HELLFIRE? No – more like a wet Sunday night in Iceland
- First Irish boy band U2. Now Apple pushes ANOTHER thing into iPhones, iPods, iPads
- Top Gear Tigers and Bingo Boilers: Farewell then, Phones4U
- Updated iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!