* Posts by Wedgie

3 posts • joined 18 Jun 2013

Hey, G20. Please knock it off with the whole tax loophole thing - we're good guys, really


Plenty are at it

I've got plenty of clients who have done the same. Set up an entity in a low(sh)-tax location e.g. Switzerland.

Step 1. Transport some staff to Head Office & claim that's where decisions are made, sales happen & risk is taken (therefore where tax should be paid)

Step 2. Set up new companies overseas & transfer manufacturing, service, distribution and local procurement into those companies.

Step 3. Operate tolling system where H/O owns stock & pays local manufacturers to covert raw materials into product & ship on behalf of Head Office.

A few honchos move, lots of people get new contracts in the new companies.


Enterprise giant SAP's systems take a probe to the wobbly bits - report


Nothing new here

We've been able to find SAP systems through internet searches since the days of ITS and early SAP Portal. It would have been a trivial matter to try some default user accounts.

Other posters have commented on the reality of the tests & possible scaremongering tactics. For all their sins SAP does generally produce reasonably secure software. The problem is that most of those paid to secure it do not understand how to secure the assets using standard delivered SAP functionality and standard security techniques.


SAP users slack, slow and backward on security


No surprise

Unfortunately this is no surprise to many of us working in the SAP security field. SAP are working very hard to improve, unfortunately clients are struggling to care.

Some key themes:

1. Security admins main knowledge is around building roles/permission structures and user admin. The technical side is neglected (despite being covered quite well in certification) and there is a big gap.

2. Patching is time consuming and many organisations require full regression testing for each set of patches. Across 20 productive systems (each with a supporting application stack of 2-5 systems) covering a full scope of business processes that comes at quite a cost (though not as much as a breach of course).

3. IS teams rarely talk to SAP teams. SAP has been treated as a silo & there is a disconnect between IS and their SAP counterparts. Many SAP admins do not understand the impact of vulnerabilities, the IS teams struggle to use terms that the SAP guys understand.

Fortunately some people do "get it" and plenty of orgs are doing good stuff & SAP is committed to make it easy for people to do the right thing.

Disclaimer: I work for a company doing security for SAP