
No security frivolity
We continue the topic of security raised in the first post.
Without false modesty, we can say that security issues are taken seriously in our country. However, if you dig a little deeper, in many cases this serious attitude to security turns out to be not so serious. There are many cases where large companies, either through misunderstanding or through reluctance to spend resources, prefer so-called paper security to real action. Another very common feature is increased attention to individual technical aspects of security, to the detriment of creating a holistic concept and building a holistic solution based on the anticipated threats and the likelihood of their occurrence.
SAP, in turn, takes seriously both the security of its products and the secure operation of those products once installed at customer sites. A short digression into history shows that security has always been an important topic for SAP. Every novice Basis administrator (and non-Basis people too) will immediately remember that any SAP system has a concept of roles and authorizations, and that there are special security parameters. More advanced people will remember that there are structural authorizations. And there is much more. These things have always been there; they have always formed the basis of the bastions protecting SAP products from any illegal actions.
But over time, SAP products have changed and become more complicated. New solutions appeared. Relationships were established between the products, which in turn led to even more complicated end solutions. All of this affected security in one way or another, and far from positively.
As the products themselves and the resulting landscapes become more complex, the methods of penetrating systems, stealing data, corrupting data and so on become more complex too, or rather more sophisticated. The following example illustrates the growing importance and scale of security topics in the company's products. From 2001 to 2008, the number of security-related notes and corrections issued by SAP amounted to several hundred for the entire period; in 2009 alone there were more than 100, and in 2010 alone more than 800 notes of this kind were issued. What was the reason for such an avalanche-like increase in the number of notes issued? In 2009, the company's management came up with the so-called Security Initiative. This initiative covered all aspects of security, ranging from documented standards for developing and changing the company's products to special sets of services offered by the consulting departments to improve the security of those same products on the customer side. The initiative involved not only SAP employees, but also dozens, if not hundreds, of partner companies that develop additional security products, examine SAP standard code and customers' custom code, and help customers cope better with security challenges.
Within the development of SAP products itself, the initial planning of the Security Initiative was designed for several years and covered several key areas. Among them were, and remain, the following:
- Authorizations - optimizing and improving how they are handled
- Security-based testing strategy
- Analyzing existing support messages and closing unresolved ones
- Improving the security of web services
- Improving the security of client programs
- Secure storage and processing of personal data
- Secure storage and processing of credit card information
- Scanning code for vulnerabilities
- Secure transfer of changes between systems in the transport landscape
In 2010, the task was set to check the code in all internal corporate scenarios. In addition, the company set itself the task of resolving all the open security-related messages that existed at that time, a separate concept for testing products for security issues was proposed and developed, and so on.
In 2011, the company set and completed the task of testing all new code for vulnerabilities in all possible test scenarios, and was also tasked with optimizing and improving the standard roles and the default values present in the corresponding authorizations. Separately, work was done to improve the situation with the storage of personal data. The security testing concept developed in 2010 began to be applied in productive mode.
2012 - the code continues to be tested for vulnerabilities in all possible test scenarios. The testing concept continues to be used and refined. The problem of improving the situation with the storage of personal data and with authorizations continues to be addressed.
In 2013, the company set an ambitious goal: to become one of the best companies in the industry in the field of ensuring the security of its products. The company is constantly working to improve the security of its own products. Thus, we can say that the initiative launched in 2009 continues to influence everything that is done in the company in the field of security.