Simple SAP Security Breach !!

For almost a decade I (and I am sure, all ABAPers) have been happily using the loopholes in SAP security to access the forbidden transactions, with no malicious intention though, only for speedy analysis and ethical debugging.

But today I am wondering, is it really a loophole, or has SAP provided these small windows to the developers knowingly?

SAP Security Guys!! Hope you are reading this.

Simple SAP Security Breach | SAP Yard
http://www.sapyard.com/simple-sap-security-breach/
Topics: Authorization, Data Theft, Hacking, SAP Security
Posted by: SAP Yard, August 18, 2015

It is nearly impossible to prevent a developer from accessing any t-code. We saw an example in our other post titled "Can you really restrict any developer from executing any t-code?".

For almost a decade I (and I am sure, all ABAPers) have been happily using the loopholes in SAP security to access the forbidden transactions, with no malicious intention though, only for speedy analysis and ethical debugging.

But today I am wondering, is it really a loophole, or has SAP provided these small windows to the developers knowingly?

SAP Security Guys!! Hope you are reading this.

Check: I do not have access to t-code SE38 (ABAP Editor) in my Pre-Production system. I also do not have access to t-code SE80 (Object Navigator / ABAP Workbench), SE37 (Function Module), etc. in the same system.

I do have authorization for the basic t-code SE11 (ABAP Dictionary, Display Table). You might have access to some other common t-code; you can use that instead. SE11 is my secret window to all the forbidden t-codes. Check how:

1. I am in SE11. Click the Other Object icon (Shift + F5) and select the Enhanced Options radio button.
2. Click the corner square icon for Program or Function Group, or click 'More' to get the other object areas.
3. For the demo, I chose Program. Provide the name of the program you want to view.
4. And here you are in the ABAP Editor. You can see the code.

Similarly you can view function modules, services, proxies, Web Dynpro components and what not.

What this path opens is the display mode of the ABAP Workbench. The authorization that governs it is the object S_DEVELOP (object type such as PROG or FUGR, activity 03 for display), not the S_TCODE check for SE38 or SE80, so withholding the transaction codes alone does not close the window; the S_DEVELOP values in the role do. You can confirm which object was checked by running SU53 immediately after opening the program, or by recording the navigation with the authorization trace in ST01.

As an ABAPer, I am happy to have figured out this alternative way to navigate through the t-codes. This process is especially handy when you want to check something really quickly or do a comparison during issue mitigation. If you go via the right path, i.e. ask your manager for approval, raise a ticket for the security team, wait for approval again, and then wait for the security team to provide the right access, you sometimes do not have the liberty of waiting and watching that long. So ABAPers quickly use this trick, especially in quality and pre-production systems (where the restriction applies).

Question to Security Guys: Are the developers supposed to access the t-codes via this alternate route? Did you guys knowingly provide this alternative? If you know about it and it is OK to access this way, then we are good. But if the Security Guys are not aware of this loophole, then there are chances of a bigger security breach. SAP Security folks can end up leaving the same alternative open in the Production environment too. If this happens, then there can be serious implications and data theft (and I know of clients where you can use this alternative in the Production environment as well).

We would like to hear comments from Security experts. Please provide your opinion on this topic. Should the Security team not close this alternative if the user's role does not allow him/her to access certain transactions?

ABAPers, please forgive me if your doors get closed. But I am sure no ABAPer wants his/her system and data to be visible to unwanted crooks. It is our duty to make our environments as robust as possible and protect them from any unforeseen spy or data thief. Moreover, ABAPers would figure out some other way if this one is closed. ABAPers rock!!!!

Do you have anything more to add? Do you have any story to share on this topic? Please feel free to email us at mailsapyard@gmail.com or leave it in our comment section. If you want to get updates about our new tweaks and tricks, please subscribe. If you liked it, please share it. Thank you very much for your time!!

Image source: www.theregister.co.uk
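One concrete way for a security team to act on the question above is to audit the role data itself rather than the list of transaction codes. Opening a program in display mode from the SE11 Other Object dialog is governed by the authorization object S_DEVELOP (fields OBJTYPE, OBJNAME, DEVCLASS, ACTVT, P_GROUP), so a role that withholds SE38, SE80 and SE37 in S_TCODE but still carries S_DEVELOP with activity 03 on PROG or FUGR leaves the window described in the walkthrough open. The script below is an added example written for this page, not code from SAP Yard or from SAP. It assumes the role authorization data has been exported from table AGR_1251 as CSV with the columns AGR_NAME, OBJECT, FIELD, LOW and HIGH (the sample rows are constructed), it ignores the AUTH instance column and may therefore over-report a role that has several S_DEVELOP instances, and its value matching is a simplified version of SAP's (full '*', trailing '*' as prefix, LOW/HIGH as an inclusive range).

```python
"""Find roles where S_TCODE hides the ABAP Workbench transactions but
S_DEVELOP still allows displaying source objects (the SE11 side door).

Added example for this page; not SAP Yard's or SAP's code. Input layout
(AGR_1251-style CSV) is an assumption about the export format.
"""
import csv
import io

# Constructed sample export, not real customer data.
SAMPLE_AGR_1251 = """\
AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_DEV_PREPROD,S_TCODE,TCD,SE11,
Z_DEV_PREPROD,S_TCODE,TCD,SE16,
Z_DEV_PREPROD,S_DEVELOP,OBJTYPE,PROG,
Z_DEV_PREPROD,S_DEVELOP,OBJTYPE,FUGR,
Z_DEV_PREPROD,S_DEVELOP,ACTVT,03,
Z_DEV_PREPROD,S_DEVELOP,OBJNAME,*,
Z_DEV_PREPROD,S_DEVELOP,DEVCLASS,*,
Z_DEV_PREPROD,S_DEVELOP,P_GROUP,*,
Z_DEV_FULL,S_TCODE,TCD,SE38,
Z_DEV_FULL,S_TCODE,TCD,SE80,
Z_DEV_FULL,S_DEVELOP,OBJTYPE,*,
Z_DEV_FULL,S_DEVELOP,ACTVT,01,03
Z_DEV_WILDCARD,S_TCODE,TCD,SE*,
Z_DEV_WILDCARD,S_DEVELOP,OBJTYPE,*,
Z_DEV_WILDCARD,S_DEVELOP,ACTVT,03,
Z_DISPLAY_ONLY,S_TCODE,TCD,SE11,
Z_DISPLAY_ONLY,S_TABU_DIS,ACTVT,03,
"""

# Transactions the post says were withheld; reaching them directly is not a finding.
WORKBENCH_TCODES = {"SE38", "SE80", "SE37"}
# S_DEVELOP object types whose display mode shows source code.
SOURCE_OBJTYPES = {"PROG", "FUGR", "CLAS"}


def value_matches(low, high, candidate):
    """Simplified SAP value matching: '*' matches everything, a trailing '*'
    is a prefix wildcard, a LOW/HIGH pair is an inclusive range, else exact."""
    if low == "*":
        return True
    if high:
        return low <= candidate <= high
    if low.endswith("*"):
        return candidate.startswith(low[:-1])
    return candidate == low


def load_roles(csv_text):
    """Group export rows into {role: {object: {field: [(low, high), ...]}}}.
    The AUTH instance column is deliberately ignored (assumption: absent)."""
    roles = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        fields = roles.setdefault(row["AGR_NAME"], {}).setdefault(row["OBJECT"], {})
        fields.setdefault(row["FIELD"], []).append((row["LOW"], row["HIGH"]))
    return roles


def field_allows(auth, field, candidate):
    """True if any value range maintained for the field covers the candidate."""
    return any(value_matches(low, high, candidate) for low, high in auth.get(field, []))


def find_sidedoor_roles(csv_text):
    """Return {role: sorted object types} for roles whose S_TCODE does not
    include any workbench transaction but whose S_DEVELOP grants display
    (ACTVT 03) on at least one source object type."""
    findings = {}
    for role, objects in load_roles(csv_text).items():
        tcode = objects.get("S_TCODE", {})
        if any(field_allows(tcode, "TCD", t) for t in WORKBENCH_TCODES):
            continue  # workbench reachable directly; nothing hidden here
        develop = objects.get("S_DEVELOP")
        if not develop or not field_allows(develop, "ACTVT", "03"):
            continue
        exposed = sorted(t for t in SOURCE_OBJTYPES if field_allows(develop, "OBJTYPE", t))
        if exposed:
            findings[role] = exposed
    return findings


if __name__ == "__main__":
    for role, objtypes in find_sidedoor_roles(SAMPLE_AGR_1251).items():
        print(f"{role}: no SE38/SE80/SE37 in S_TCODE, but S_DEVELOP ACTVT 03 on {objtypes}")
```

A finding means the S_TCODE restriction is cosmetic for that role: to stop code display the S_DEVELOP values themselves have to be narrowed (OBJTYPE, OBJNAME, DEVCLASS or ACTVT), and the same audit belongs in Production, where the post notes the route is sometimes open as well.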