This blog is part of a five-part series. I recommend starting here: Enterprise Security Services – Security for the Cloud Age We are now in the third category, Risk and Compliance, and I am leaving my home turf – technology. Nevertheless, this is an important topic. As a developer or administrator, you should be aware of the functionality available....
Although having passwords to secure PSEs is a good idea, it is good to know how we can remove the passwords from the PSEs instead. Note: If you are using passwords to secure your PSEs, please do not forget those passwords. When you open STRUST and try to access a PSE which is password....
SAP Cloud Integration (aka CPI) allows an integration flow to be called via HTTP request from an external system (HTTP Sender adapter). This tutorial describes how to write a Node.js application which calls an iFlow, from SAP BTP. The app uses a custom client certificate for authentication. For security reasons, the certificate has to be rotated. A....
👉🏿back to blog series Dear community, Are you ready to learn how to apply plug-and-play automation to block compromised SAP users based on suspicious activity on SAP RISE, SAP ERP, Business Technology Platform, and Azure AD? This blog has you covered with all the steps required to start kicking 🤸🏾♂️ compromised users. As a byproduct to that rewarding experience your....
NOTE: this blog post is intended for developers who have previous experience in developing multi-tenant CAP applications using SAP Business Application Studio, SAP BTP destinations, and the destination and XSUAA services. Introduction After I published this blog post, many developers reached out to me with the classical question: “does this microservice work in a multi-tenant scenario?”....
(Jana Subramanian serves as APJ Principal Cybersecurity Advisor for Cloud Security and has been recognized as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals (IAPP). As part of his responsibilities, Jana helps with strategic customer engagements related to topics such as cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance,....
SAP Cloud Integration (CPI) provides functionality to automatically sign a message with a digital signature using the Simple Signer. In a previous blog post we’ve learned how to verify such a signature with Node.js in an HTTP receiver. Then we showed the weakness of that scenario. Today we’ll make the scenario more secure. Quicklinks: Quick Guide Sample Code Content 0.1. Prerequisites 0.2. Preparation 1. Introduction: Security....
SAP Cloud Integration (CPI) provides functionality to automatically sign a message with a digital signature using the Simple Signer. In the previous blog post we’ve learned how to verify such a signature with Node.js in an HTTP receiver. Today we’re going to show the weakness of that scenario by simulating a hacker exploit. Quicklinks: Sample Code Content 0. Prerequisites 1. Introduction 2. Hacker Scenario....
In other words: How to verify a digital signature in Node.js. SAP Cloud Integration (CPI) provides functionality to automatically sign a message with a digital signature using the Simple Signer. This blog post explains how to verify such a signature with Node.js in an HTTP receiver. In a tutorial, we use an iFlow that calls a Node.js server app....
Web applications are an essential part of the experience SAP offers its customers. However, as web applications become more complex, there are more opportunities for bugs to be introduced. Therefore, web developers and security researchers need effective tools and techniques to detect and fix software bugs before they manifest in unwanted or even dangerous behavior....
SAP Cloud Integration (CPI) provides functionality to automatically sign a message with a digital signature. This blog post explains the basics about digital signatures and shows the usage in a simple tutorial. Quicklinks: Quick Guide Content 0. Prerequisites 1. Introduction 2. Signer Configuration 3. Hands-On Example 0. Prerequisites To follow this tutorial, access to a Cloud Integration tenant is required,....
updated date: 19.Apr.2023 Security is one of the top priorities for enterprise customers. For enterprise end users, having a seamless log-in process to different systems automatically without manually inputting credentials, can not only improve user experience but also increase enterprise security. With that being said, SSO plays a key role in the process. In the....
SAP Cloud Integration (CPI) provides functionality to automatically split a message with a PKCS#7 / CMS compliant signature. This blog post explains what that splitting is about, how it works and the meaning of the configuration options. A simple tutorial helps to understand the theory in real life. Quicklinks: Quick Guide Content 0. Prerequisites 1. Introduction 2. Splitter Configuration....
SAP Cloud Integration (CPI) offers easy-to-use iFlow steps to secure messages with encryption or signing. But how to decrypt a message outside of CPI? For your convenience, this blog post helps to make OpenSSL work together with CPI. In other words, it shows which commands to use in OpenSSL to process messages encrypted....
National Cybersecurity Strategy Calls for Safer Development Practices: SAP Supports Secure-by-Design
In a Feb. 27 speech at Carnegie Mellon University Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), called on technology companies to take greater responsibility when it comes to the design and security of their products. A few days later, the Biden administration released the long-anticipated National Cybersecurity Strategy (NCS), which confirms the US....
Cybersecurity automation and orchestration is an innovative approach to cybersecurity risk management that involves automating routine cybersecurity tasks and using orchestration to coordinate responses to cyber incidents. This approach can help organizations to reduce response times and minimize the impact of cyber incidents. Let me highlight the benefits of cybersecurity automation and orchestration with the....
From my experience, RFC Gateway security is still not a well-understood topic for many SAP Administrators. As a result, many SAP systems lack, for example, properly defined ACLs to prevent malicious use. After an attack vector was published in a talk from Mathieu Geli and Dmitry Chastuhin at OPDCA 2019 Dubai (https://github.com/gelim/sap_ms)....
When dealing with Cloud Integration and specifically inbound requests and message processing, sometimes an HTTP error occurs. To help customers quickly address these issues, we have released a few resources to help our customers know how to debug and address it. The first one is a Guided Answer, Cloud Integration (CPI) Inbound 401....
As SAP HANA Cloud is a modern database as a service (DBaaS), the end users can access SAP HANA Cloud from anywhere with public internet, whether that’s at home, in the office, or even at a third space like a coffee shop. When an organization wants to move to SAP HANA Cloud, the authentication method....
SAP ID service manages customers’ S-Users. Currently SAP ID service cases get opened wrongly in BC-IAM-IDS and also get transferred from other components into the BC-IAM-IDS component. Therefore, to address this scenario and help our customers reach a fast resolution, we have created the following blog to provide the correct steps to....
Securing the cloud is hard. But we can make it harder on ourselves than necessary. Each platform has an architecture. Trying to fit the architecture of one platform onto another will always be less optimal than architecting your solution to the target platform. This is why the common recommendation in cloud transformation is to avoid....
Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties. Control Description Dedicated approvers approve the nature and extent of user-access privileges for new and modified user access, including standard application business catalogues / business roles, critical financial reporting transactions, and segregation of duties. Background Assigning....
SAP Cloud Identity Services, Identity Authentication (IAS), can act as an identity provider to authenticate users managed in its own local user store, or delegate authentication to an existing corporate identity provider and directory. Many companies choose the latter option to set up identity federation between their tenants in IAS and Microsoft Azure Active Directory (Azure AD)....
(Jana Subramanian serves as the APJ Principal Advisor on Cybersecurity and is a Fellow of Information Privacy (FIP) awarded by the International Association of Privacy Professionals (IAPP). Jana provides expert support on cybersecurity, data privacy, cloud security integration, contractual assurance, audit, and compliance to strategic customers in APJ.) Introduction RISE with SAP is a comprehensive....
Why your organization should take care: Maintaining the security of installed SAP software is of critical strategic importance for the continuous protection of SAP business applications to defend against new types of cyber attacks and to close newly identified potential vulnerabilities. Therefore, SAP releases security patches every second Tuesday of the month. The patches should....
In this blog, I’ll delve into how you can troubleshoot errors in SAP IAS related to SSO and S/4 HANA private cloud. As you may know, SAP IAS is a highly competitive product when it comes to integrating SAP SaaS and PaaS solutions with S/4 HANA. Its main focus is on integration, security, compliance, simplicity,....
SAP Cloud Integration (CPI) provides functionality to automatically encrypt a message with PKCS#7 / CMS encryption. This blog post explains the details about the configuration options. SAP Cloud Integration offers a nice low code experience for designing processes, it really nicely makes complex transformations really nicely simple. Also the really ugly complex cryptic world of cryptography....
3.3 Terminated or Transferred Users Risk Users have access privileges even though they transferred to a new business role, potentially creating a segregation of duties conflict or users who have been terminated are still active in the system, creating a security risk. Control Description This control focuses on ensuring the timely removal of access rights....
When we speak to customers about security, we often hear the requirement for “more encryption”. Which makes sense, doesn’t it? After all, with today’s encryption algorithms, anyone who is able to steal encrypted data cannot really do anything with them without asking a supercomputer – who then would be busy decrypting for the next 7....
A Role redesign, also sometimes referred to as security redesign or role remediation, refers to significant changes to SAP roles that impact the authorizations of SAP users. It is basically based on the principle of separation of duties (SoD). Due to different SoD requirements between companies, the final SoD review takes place in the customer concept,....
The days of gigantic, monolithic programs are archaic; frankly, the complexity of a single-program approach is overwhelming. A modular approach to architecture is, therefore, the clear winner and a logical choice. Modular systems support a work breakdown structure (WBS) of the functionality of a larger system into smaller parts, and good architecture designs use microservices....
Comparing SAP S/4HANA Cloud, public edition, with SAP S/4HANA on premise, several differences in its IT audit capabilities become obvious. This blog post is part of a series of articles where we compare the audit process of SAP S/4HANA Cloud, public edition, with the audit process for SAP S/4HANA on Premise. To summarize the most....
(Jana Subramanian serves as the APJ Principal Cybersecurity Advisor for Cloud Security. He is a Fellow of Information Privacy (FIP), awarded by the International Association of Privacy Professionals (IAPP). In this role, Jana supports strategic customer engagements on cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.) Introduction When organizations adopt RISE....
As part of the risk-based authentication concept, the Identity Authentication service (IAS) offers various options for multi-factor authentication. One of the alternatives is to use hardware security keys for strong phishing resistant access protection combined with ease-of-use for the end user. In this blog I will explain – jointly with Mr. Rolf Steinbrück from Yubico....
During the last weeks of the year, I usually go through my tools to do some cleanup work and compile an annual review. When I did so, I remembered a security vulnerability that kept the whole IT world busy in December 2021 and early 2022. Now that some months have passed by, I thought it....
Note: This blog post is the sixth part of a tutorial series. If you arrived here without reading the first part, please do so before you continue, and then come back here again. Part I explains the key concepts and technology standards for principal propagation in the context of calling a simple Web Service deployed on SAP Business Technology Platform (BTP)....
When it comes to the SAP Cloud Identity Services, some of the most common questions raised in implementation projects revolve around: “What would be the best option for us out of all available ones?”. This blog will explain what those options are and how to choose among them. So let’s start from the beginning! What....
This blog post shows how to do the client-credentials flow with IAS using the “identity” service in SAP BTP. We create a minimalistic sample app2app scenario where 2 applications communicate with each other while authentication is done with the OAuth flow called “client-credentials”. Used technologies: SAP Business Technology Platform (SAP BTP), Cloud Foundry Environment, SAP Cloud Identity....
Dear Community, just as I felt the need to collect terms and abbreviations and their meanings in the huge and complex area of security, I feel like I should share the list with you, as you might have the same need. It is like: -> Read ABC anywhere -> forgot the meaning (again) -> look it....
This blog post shows how to do the client-credentials flow with IAS using the “identity” service in SAP BTP. We create a minimalistic sample app2app scenario where 2 applications communicate with each other while authentication is done with the OAuth flow called “client-credentials”. The difference to the previous tutorial is that this time we’re using a client certificate in order....
This article is available in German and in French languages. Overview The email abuse technique called “list bombing” or “email bomb” has been occurring more frequently for the last couple of years. Any brand which collects email addresses with web forms is vulnerable to list bombing. This type of attack can harm your deliverability and can lead to the....
This blog post shows how to do the client-credentials flow with IAS using 2 different instances of the “identity” service in SAP BTP. We create a minimalistic sample app2app scenario where 2 applications communicate with each other. Today, both apps are bound to a different instance of the identity service. Used technologies: SAP Business Technology Platform (SAP BTP),....
In this blog we are going to see how to validate MYSAPSSO2 cookies with SAP Cloud Integration. Introduction Recently, as part of an integration project at one of our clients, I was faced with the challenge of validating MYSAPSSO2 cookies with SAP BTP. After some research I was able to come up with 2 different....
This post is part of the blog series that describes how to audit SAP S/4HANA Cloud, public edition. In our blog series, we explain the steps necessary to perform a proper IT Audit of SAP S/4HANA Cloud, public edition, also highlighting the differences to on-premise appliances. To ensure a common understanding, this blog post introduces....
Working with Identity Provisioning transformations requires some knowledge of JSON data format and JSONPath syntax. A good understanding of the system-specific user and group attributes is also a must. But even if you feel confident in your expertise, managing transformations can be tough at times. “How do I map user or group attributes from source....
This blog post shows how to get a client certificate in an easy way. We do the required steps with respect to the certificate in an understandable manual way. The goal is to replace the X509_GENERATED statement, which we used in the previous tutorial. The setup is a simple client-credentials scenario. Used technologies: SAP Business Technology Platform....
This blog post is part of our series about how to audit SAP S/4HANA Cloud public edition. Role Concept: Business Catalogs vs. PFCG Roles SAP S/4HANA Cloud simplifies the role assignment by introducing business catalogs as the smallest assignable entity. Those business catalogs represent the building blocks for maintaining business roles. Important for auditing purposes: those....
SAP is an innovation company, successfully ensuring our customers are the best run using innovative products and services. SAP’s History of Innovation In 1972, when SAP was formed, the founders began with a vision of creating standard software for the mainframe computer. Eventually, when the client/server architecture became the backbone of the technological infrastructure SAP....
In this blog we cover some basics, explain the functionality, and use cases of the most relevant standards like SAML 2.0, OAuth 2.0, and OpenID Connect. In addition, we provide you with a configuration guideline that provides a deeper insight and supports your identity federation setup between your SAP IAS and Azure tenants. UPDATE: E-Book for this blog....
A security policy is a collection of security policy attributes and their values. This definition replaces the definition of behavior with profile parameters: once a security policy is assigned to a user master record, this determines the desired behavior. The profile parameters are only relevant for those user master records for which no security policy has been....
“Two-thirds of the Earth’s surface is covered with water. The other third is covered with auditors from headquarters.” – Norman Ralph Augustine – Trigger & Background Ironic as it is, the quote above does carry some truth. For every larger and/or publicly listed company, an annual audit is mandatory. This audit is required to validate correctness of....
This is the final part of the 3 blog posts about the reference architecture for Identity and Access Management scenarios: SAP Reference architecture for IAM – Employee provisioning with Azure AD SAP Reference architecture for IAM – Employee provisioning with SAP IAS SAP Reference architecture for IAM – HR Driven identity lifecycle management – Recruit-to-Retire (this....
The XSUAA service of SAP BTP offers a REST API which allows security artifacts like Roles, Role Collections, Users etc. to be handled programmatically. This blog post shows how to use it and provides a simple example. Used technologies: SAP Business Technology Platform Cloud Foundry environment, SAP Authorization and Trust Management (XSUAA) service, Node.js. Quicklinks: Quick....
You have a java app. It throws a 401 or 403 error. It makes you crazy. But: you’re not alone. Try this troubleshooting blog. Here, you find debugging hints and friends. Together, we’re reproducing the error in a hands-on sample scenario, we add some configuration and create a debugger class to get an idea about....
NOTE: this blog post is intended for developers who have previous experience in developing CAP applications using SAP Business Application Studio, SAP BTP destinations, and the destination and XSUAA services. Introduction Secure cloud software should always rely on some sort of authentication and authorization mechanism to let users benefit from its functionality and protect it....
There might be situations in which the Business decides to accept a given Risk but just for a set of users, or a specific User Group, and you might need to exclude them from all Risk Analysis reports. SAP Access Control provides the ability to exclude objects (Users, Roles, Profiles, User Groups) from Batch Risk....
Migrating your Identity Provisioning tenant from SAP BTP, Neo environment to SAP Cloud Identity Services infrastructure brings key benefits. Would you click the Migrate button when you read this? Or processes like update, upgrade, migrate – you name it, make you feel apprehensive about change no matter what the benefits are? It’s a known fact....
A framework of languages, libraries, and tools called the SAP Cloud Application Programming Model (CAP) is used to create enterprise-level services and applications. The CAP framework combines open-source and SAP technologies that have been successfully deployed and are widely used. On top of open source technologies, the key additions made by CAP are: Core Data Services (CDS) which serves....
How you can leverage new functionality to improve your security role build in SAP S/4HANA. Avoid CHANGED. MANUAL by Exception. MAINTAINED is OK. Strive for STANDARD. For as long as I’ve been building application security roles via transaction PFCG, this is the mantra I’ve followed when maintaining authorisations. Transaction PFCG (Role Maintenance)....
This blog post gives a simple example of using authorization in a simple project. It also shows a simplistic way of using attributes. The project is based on Node.js and runs on SAP BTP Cloud Foundry. Security is based on XSUAA and relies on SAP ID Service as Identity Provider. The next blog post uses IAS. Disclaimer: this is not an official reference application....
Just want to provide you with a short heads-up. SAP BTP started to provide security recommendations for its services. The goal is to provide you actionable SAP recommendations to run SAP BTP services in a secure manner. We started with the following services: Identity Authentication, Destination Service, Cloud Connector, Credential Store. We continued with the following services....
Log4Shell Digital criminals love easy-to-exploit vulnerabilities in widespread libraries. In December 2021 it was almost possible to hear the champagne corks pop, when one of the most critical security vulnerabilities was found in a logging library for Java, called Log4j 2. Such a vulnerability has both ingredients: it affects a library widely used in....
Update September 2022: Added a clarification in the section How to include classic UIs in the SAP Fiori catalogs re creation of tile/target mappings – as much as possible you should look to use the exact or closest fit tile/target mapping of the many thousands of these delivered by SAP. Also some hints re parameter naming; and some....
Edition 2 - SAP Security Role Redesigning Problem Statement SoD (Segregation of Duties) Violations have been raised for many roles, and these need to be remediated. Proposed Solution - SAP Security Role Redesign DUPLICATE Roles and their User assignments need to be revisited. Roles Design and Assignment must be aligned with understanding of user/tasks/transaction based design and....
This blog post is based on the previous post where we did our first steps with authorization handling and attributes. Today we’re going to connect a custom Identity Provider to our Subaccount. This allows us to showcase some more possibilities of fine-tuning authorization handling. Used technologies: SAP Business Technology Platform (SAP BTP), Cloud Foundry Environment, SAP Cloud....
Almost exactly one year ago, with our SAP S/4HANA Cloud Release 2108, we made the Security Audit Log (SAL) API available to customers. The SAL is probably the most important log for security monitoring – but often it doesn’t give you the full picture. For example, the SAL might show you that a specific user has....
User authorization forms the core of any enterprise data management suite. SAP’s access control determines who can do what on the installation. A company must understand the differences between authorization and authentication before discussing the former. Authentication is the credentials a user requires to gain access to the system. In essence, it’s their username and....
NOTE: this blog post series is intended for developers who have previous experience in developing CAP applications using SAP Business Application Studio, SAP BTP destinations, and the destination and XSUAA services. Introduction Secure cloud software should always rely on some sort of authentication and authorization mechanism to let users benefit from its functionality and protect....
To follow up with this blog post you must complete the following prerequisites: Read the Series Introduction post; Create an SAP BTP Trial Account following this tutorial; Set up SAP Business Application Studio in your SAP BTP trial following this tutorial; In your SAP Business Application Studio, create a dev space for Full-Stack development. Access SAP Business Application Studio We are going to start by accessing the selected IDE....
To follow up with this blog post you must have read and completed the post: Setup project for development. Configure the User API Service The first approach to get the authenticated user information is the simplest as it does not rely on any backend service to be consumed and can be utilized directly in an HTML5 application....
To follow up with this blog post you must have read and completed the post: Setup project for development. Modify the “userInfo” Function Handler The second approach to get the authenticated user information is also simple, but is actually done in the backend service of the solution, meaning the CAP service. As we have previously prepared a “skeleton”....
To follow up with this blog post you must have read and completed the post: Setup project for development. Reference the XSUAA Service The third approach to get the authenticated user information is the most enhanced and complete one as it gets many available user data, such as ID in the source IdP, internal BTP ID and....
Risk zone! The password hash algorithms used by ABAP based systems have evolved over time. Older hash algorithms are seen as weak nowadays and you should get rid of any such weak password hashes. References: Blog SAP password hashes security from Dmitry Gutsko, 2020 Blog Securing SAP NetWeaver AS ABAP Systems against password attacks from Kai Bauer, 2018....
Return on Investment (RoI) is one of the important Key Performance Indicators (KPI) for any business. The RoI could be direct or indirect. In direct RoI, the monetary gain from an investment —like increased sales or reduction in material cost — can be measured. On the other hand, indirect ROI can’t be calculated, at least....
When defining a destination in SAP BTP, we have the option of using mTLS. But how to provide the certificate? This blog post describes in a detailed step-by-step tutorial how to configure a destination with a certificate and how to get a hold of it. Used technologies: SAP BTP Cloud Foundry environment, Destination Service, XSUAA,....
Just as a driving simulator helps with driving, the provisioning job simulator helps with provisioning. By using driving simulators, you gain confidence on the road, experience the consequences of your actions (without risk of real damage) and ultimately learn how to avoid accidents. With the latest new feature of Identity Provisioning – the Simulate job, it’s pretty....
Configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps)
My name is Imre, and I have been working at SAP since 2004. Now I’m in the Identity Authentication Service area. In this blog post I will explore in detail how to configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps). I’m working in the Identity Authentication Service team, and we got several questions regarding the realization....
In this tutorial we configure trust (SAML) between 2 Cloud Foundry subaccounts located in different regions in SAP Business Technology Platform (SAP BTP). This allows us to call a protected application across subaccounts, across regions. Used technologies: XSUAA, SAML2, OAuth2, Destination, OAuth2SAMLBearerAssertion, Node.js. Quicklinks: Quick Guide Sample Code Disclaimer: This tutorial is not a recommendation....
In this tutorial we’re going to create 2 little apps and deploy them to 2 different trial accounts. We configure trust (based on SAML) and create a destination configuration of type OAuth2SAMLBearerAssertion. This tutorial is based on the explanations given in the previous blog post. Quicklinks: Quick Guide Sample Code Content Part 1: Theory-Torture (previous blog) 0.1. Introduction....
This blog post shows how to support authorization (scope, role) in a user-centric scenario where a REST endpoint is called from an application in a different subaccount (in a different region). Used technologies: SAP BTP, Cloud Foundry, XSUAA, SAML2, OAuth2, Destination, OAuth2SAMLBearerAssertion, Node.js. This blog post builds completely on top of the scenario described in detail....
Inspired by the blog post Chronicles of a PI TLS 1.2 upgrade by Eng Swee Yeoh, I would like to share some other pitfalls you may want to avoid with the IAIK Library of your PI and other AS Java systems as well as the CCL. Updates: 2022-12-01: Added further information regarding the parameters ccl/ssl/*/allow_session_resumption_without_extended_master_secret. 2022-11-21: Added another pitfall when it....
Given the criticality of the information it holds, the authorization layer related to the FI/CO components, which process strategic and sensitive information, is widely discussed. Establishing controls such as SoD aims to ensure the integrity of processes and of the information reported. The starting point for this publication was the following impression: “A....
This blog post describes how to set up a central custom Identity Provider and connect it to 2 subaccounts in different regions. The goal is to enable an application to call a protected endpoint on a subaccount in a different region. Authorization is handled as well. Used technologies: SAP BTP, Cloud Foundry, XSUAA, SAML2, OAuth2,....
Latest Update October 2022: A few additional references added for those interested in using SAP Access Control to manage access to SAP Fiori in the new section Next level security design with SAP Access Control, which you will find near the end of this blog post. Recently I have been working with a customer who is new....
The DBACOCKPIT of SAP NetWeaver AS ABAP and ABAP Platform provides the SQL Editor, which can be used to execute SQL statements on connected databases. The SQL Editor is a full-featured SQL command line and supports all SQL statements as listed, for example, in the SAP HANA SQL Reference Guide for SAP HANA Platform. It was designed to....
“Investments for the future” is a French government-funded initiative which seeks to modernize and make the country more competitive while making it more attractive to investments and innovation. It focuses on strategic sectors including artificial intelligence (AI) for defense-security. The program works in three phases: Industry sponsors are invited to submit a technical challenge to be....
Static application security testing (SAST) is a common essential step in the development lifecycle of large software companies like SAP. It enables detection of critical vulnerabilities in application source code before deployment, when fixing the problem is the least expensive. While SAST tools have many known limitations, the impact of coding style on their ability....
As you may have learned, release 2108 has made it possible to access CDS view entities in an ABAP system from almost any application (including third-party). All you need to do is to expose the relevant view entities through a service and set SQL over ODBC as the communication protocol. That’s it. In very simplified....
Security-Enhanced Linux is a Linux Security Model (LSM) that allows defining security policies to implement mandatory access controls (MAC), providing a very granular layer to strengthen the OS against attacks. Despite the obvious benefits of using SELinux, it has historically been advised not to use it in Enforcing mode (we will see what this is....
This blog post gives an example on how to implement token exchange in a multitenant scenario. It builds on the previous tutorial and adds multitenant capabilities. Quicklinks: Quick Guide Sample Code Content 0. Introduction 1. Backend Application 2. Frontend Application 3. Run the Scenario Appendix: Sample Code Prerequisites To follow this tutorial, the following prerequisites are required: – Access to 2 subaccounts....
SAP SuccessFactors Employee Central consists of Foundation objects (Position, Location, Division, Legal Entity, Department, Business Unit) and Employee Data related objects (Person, Personal Information, Employment Information, Job Information, Compensation Information). The foundation objects form the organization structure and act as a framework on which the employee information is built. Third-party (target) systems that....
Running a Home-Grown Security Compliance Solution In a previous blog from about a year ago, I already spoke about our move towards compliance-as-code for security compliance scanning in SAP. Since then, the solution has evolved into a policy control development, scanning and data pipeline operation that enables compliance, remediation and enforcement efforts throughout the organizational hierarchy. Multicloud....
In this blog post, you will learn the SUIM role comparison and how to interpret it to analyze the differences between roles and apply the fix. Problem Statement: A comparison of roles in Development and Production indicates no difference in roles, but the roles do have differences. Issue Identification: During regular SAP support work, one may face....
Well, it is now year-end, and I have some time to share my knowledge. In the past months I got many questions on how to enable SSO for SAP S/4HANA Cloud, Private Edition, so I decided to write a blog on it. I am including some SAP S/4HANA Cloud, Private Edition specifics related to the delivery/license model of....
(Jana Subramanian is APJ Principal Cybersecurity Advisor for Cloud Security and Fellow of Information Privacy (FIP) awarded by the International Association of Privacy Professionals (IAPP). Jana supports strategic customer engagements on cybersecurity, data privacy, multi-cloud security architecture, contractual assurance, audit, and compliance domains.) Introduction Recently, major cloud service providers in a shared initiative have come up with the “Trusted....
The Security Optimization Service (SOS) is designed to check the security of your SAP system (see Introduction to Security Optimization Service (SOS) – Security health Check report). The SOS report shows two tables with results and findings. In the beginning you find the overview about findings which includes the count of users related to a check: SOS Chapter....
After peeking behind the curtains in our blog posts about Bug Bounty and Application Security testing, we’re continuing our series about how we secure SAP S/4HANA within our secure software development lifecycle by taking a step back. One of the first things we do when we develop and even design our software is called “Threat Modeling”. It’s mandatory....
As you may know, there are some basic rules in SAP Security. One of them is to prohibit direct modifications in production systems. All changes in an SAP system have to be implemented first in the development system and can then be promoted through the SAP landscape to the SAP production system. That’s why SAP recommends....
As of the QRC 01/2021 release of SAP HANA Cloud, SAP HANA database, you can leverage LDAP authentication and authorization for your SAP HANA database users. When and why would I use this feature? You already knew that the Lightweight Directory Access Protocol (LDAP) is an open standard protocol that facilitates authorization between client applications and the....
The SAP Web Dispatcher is a reverse proxy designed to work best with other SAP software solutions. While there exist many reverse proxy solutions from various software vendors out there, the SAP Web Dispatcher is maintained and supported by SAP, is available for multiple operating systems, follows the same configuration principles....
This article is based on the approach described by Amazon in the SAP on AWS blog, which has been covered in 2 parts. Organizations that are running their SAP workloads on AWS can take advantage of this set of additional services that can enhance and simplify the operations of running SAP on AWS infrastructure. Mostly, organizations are keen about their....
This is in continuation of my previous article Compliance Check of SAP Systems Using AWS Config – Part I 4. CONFIGURATION 4.1 Compliance Check for SAP Infrastructure 4.1.1 Creation of AWS Config Rule First, we need to create a Rule for AWS Config to define the type of operation; to do so, go to AWS Config → Rules and click....
This is in continuation of my previous article Compliance Check of SAP Systems Using AWS Config – Part II 4.2 Compliance Check for SAP Instance 4.2.1 Creation of SAP Secrets We need to store the username and password of the user that will be used to access SAP and fetch the required data. To fulfill the....
This is in continuation of my previous article Compliance Check of SAP Systems Using AWS Config – Part III 4.2.4 Adding AWS Config Rule To make use of the Lambda environment created above, we need to create an AWS Config Rule, which is responsible for triggering the above Lambda function and fetching the data. To create the Rule,....
At SAP, we believe that transparency and access to information makes for a stronger relationship with our customers. In SAP Trust Center, a wide variety of documents that detail our security and data protection measures, information about compliance through internal reviews and audits, and the availability of our cloud services worldwide are available to the public.....
Safeguarding Partner Products from Security Threats and Vulnerabilities (As a part of Endorsed Apps -Premium Certification) Secure your app before selling to customers....