
No safety concerns.

We continue the topic of security raised in the first post.

Without false modesty, it can be said that security issues are taken seriously in our country. However, if you dig a little deeper, in many cases this serious attitude to security turns out to be not so serious. One can list a large number of cases where large companies, either out of misunderstanding or out of unwillingness to spend resources, prefer so-called paper security to real action. Another very common feature is increased attention to individual technical aspects of security at the expense of creating a holistic concept and building a holistic solution based on perceived threats and the likelihood of their occurrence.

SAP, in turn, takes a serious approach both to the security of its products and to ensuring the secure operation of its products installed at customer sites. A short excursion into history shows that security has always been an important topic for SAP. Every novice Basis administrator (and non-Basis specialists too) will immediately recall that any SAP system has a concept of roles and authorizations, and that there are special security parameters. The more advanced will remember that there are structural authorizations. And how much more is there? These things have always existed, and they have always formed the basis of the bastions protecting SAP products from any illegal actions.

But over time, SAP products changed and became more complex. New solutions appeared. Relationships were established between the products, which in turn made the final solutions even more complicated. And all this in one way or another affected security, and far from positively.

As the products themselves and the final landscapes became more complex, the methods of penetrating systems, stealing data, corrupting data and so on became more complex too, or rather more sophisticated. The following example illustrates the growing importance and scale of the security topic in the company's products. From 2001 to 2008, the number of notes and corrections issued by SAP on security as a whole was several hundred for the entire period; in 2009 alone there were already more than 100; and in 2010 alone, more than 800 notes of this kind were issued. What was the reason for such an avalanche-like increase in the number of notes? In 2009, the company's management launched the so-called SAP Security Initiative. This initiative covered all aspects of security, ranging from documented standards for developing and changing the company's products to special sets of services at the level of the consulting departments for improving the security of those same products on the customer side. The initiative involved not only SAP employees but also dozens, if not hundreds, of partner companies that develop additional security products, examine standard SAP code and customers' custom code, and help customers better handle security challenges.

As far as development of the SAP products themselves is concerned, the security initiative was initially planned to run for several years and to cover several key areas. Among them were and remain the following:

In 2010, the task was to check the code for security in all internal scenarios. In addition, the company set itself the task of resolving all security-related messages that were open at that time, and a separate concept for security testing of products was proposed and developed, and so on.

In 2011, the company set and completed the task of testing all new code to detect vulnerabilities in all possible test scenarios. Another task was to optimize and improve the standard roles and the default values present in the corresponding authorizations. A separate task was to improve the situation with the storage of personal data. The product security testing concept developed in 2010 began to be applied in production.

In 2012, the code continues to be tested for vulnerabilities in all possible test scenarios. The testing concept continues to be used and refined. Work on improving the situation with the storage of personal data and with authorizations continues.

For 2013, the company set an ambitious goal: to become one of the best companies in the industry at ensuring the security of its products.

The company is in constant motion to improve its own products in terms of security. Thus, it can be said that the initiative launched in 2009 continues to influence everything the company does in the field of security.

Source: https://habr.com/ru/post/242003/

