Tower of Babel
SAP is innovative! One of the latest trends in Walldorf is said to be the ability to operate with almost any existing programming language on the basis of the Hana platform.
That sounds exciting, innovative and generous - whether it is also sensible, efficient and secure seems to be another matter. The fact is: SAP wants to make itself attractive to the generation of high-tech start-ups.
SAP wants to be seen in Silicon Valley and around the world as an innovator that leaves Microsoft, Oracle and Salesforce far behind: if you want to realize your ideas based on Hana, just bring your own programming language!
One wonders whether Walldorf has ever heard of the Tower of Babel. "Bring Your Own Language" will exponentially increase the known problems of security, NetWeaver Foundation for Third Party and CDS (Core Data Services) with Abap-managed Database Procedures (AMDP).
Security specialists speak of several thousand vulnerabilities in operational SAP systems. Not all threats can be attributed to the basic system (core). Many vulnerabilities arise from modifications, so-called Z-functions and transactions as well as add-ons.
The open NetWeaver platform as well as Abap and Java give existing SAP customers and partners a great deal of room for maneuver. A systematic review of the modifications in R/3 and ERP/ECC 6.0 with regard to "security" was never planned by SAP.
For a long time, the "black box" R/3 was considered largely protected and unattractive for cyber attacks. With ECC 6.0, not only has the core of the software from Walldorf changed, but the world has also changed: ERP systems are connected to the Internet via many interfaces and portals.
Global communication is a prerequisite for business success. Data security and data protection are often neglected. Because there are still no concrete solutions and measures for the thousands of security vulnerabilities, Walldorf is trying to keep the ball rolling.
Most SAP employees are not allowed to speak up and talk about it. As a precautionary measure, E-3 Magazine was informed that inquiries will not be answered.
Obviously, the topic is more topical than SAP would like it to be. By now, the detection and checking of modifications and add-ons would be most welcome, because SAP could then solve two problems in one fell swoop: security and indirect use!
A sword of Damocles hangs over existing SAP customers: indirect use. For years, SAP has motivated its own existing customers and partners to expand the SAP base.
Even the world's best ERP system cannot meet all requirements and wishes - and Walldorf is well aware of this. The SAP community has made extensive use of Abap and NetWeaver and now SAP is paying the price: since 2014, SAP has been pointing out to many customers that the NetWeaver Foundation for 3rd Party (NWF 3rd Party) product requires a license.
This means that in-house developments and third-party solutions that use NetWeaver technology are subject to licensing. Indirect use has always been a complex, repressed and expensive issue.
In the past, however, it was believed that nothing is eaten as hot as it is cooked. Wrong! For some months now, SAP has been trying to turn "indirect use" into a significant source of revenue.
The "NetWeaver Foundation for Third Party" license required for this could cost individual existing customers up to two million euros or more, according to a recent survey by the DSAG working group on licenses.
SAP cannot measure and check indirect use - i.e. modifications and add-ons. Traditional SAP license measurement is still blind in this respect, which is currently doubly unpleasant from Walldorf's point of view: security vulnerabilities and indirect use are not visible!
Evidently, however, the topics of security and indirect use are meant to become not more manageable but more complex. With "Bring Your Own Language", the possibilities for modifying the SAP system would increase exponentially.
The SAP Release Strategy document from November 12 of this year refers to this topic in a very special way under the following heading: Abap-managed Database Procedures and Advanced View Building with Core Data Services.
CDS may be a key to the Tower of Babel - Bring Your Own Language - but Core Data Services are certainly not a solution for a consolidated and error-free SAP basis.
There will be no security, and indirect use will continue to be a sword of Damocles.