The global and independent platform for the SAP community.
The opinion of the SAP community, Editorial, MAG 15-12

Tower of Babel

A small step for SAP, perhaps a major disaster for existing customers. Those who modified their SAP system currently face three challenges: Security, NetWeaver Foundation for Third Party and CDS with Abap-managed Database Procedures.
December 3, 2015
Content:
Editorial
This text has been automatically translated from German to English.

SAP is innovative! One of the latest trends in Walldorf is said to be the ability to operate with almost any existing programming language on the basis of the Hana platform.

That sounds exciting, innovative and generous - whether it is also sensible, efficient and secure seems to be another matter. The fact is: SAP wants to make itself attractive to the generation of high-tech start-ups.

You want to be seen in Silicon Valley and around the world as an innovator that leaves Microsoft, Oracle and Salesforce far behind: If you want to realize your ideas based on Hana, just bring your own programming language!

One wonders whether Walldorf has never heard of the Tower of Babel. "Bring Your Own Language" will exponentially increase the known problems of security, NetWeaver Foundation for Third Party and CDS (Core Data Services) with Abap-managed Database Procedures (AMDP).

Security specialists speak of several thousand vulnerabilities in operational SAP systems. Not all threats can be attributed to the basic system (core). Many vulnerabilities arise from modifications, so-called Z-functions and transactions as well as add-ons.

The open NetWeaver platform as well as Abap and Java give existing SAP customers and partners a great deal of room for maneuver. A systematic review of the modifications in R/3 and ERP/ECC 6.0 with regard to "security" was never planned by SAP.

For a long time, the "black box" R/3 was considered largely protected and unattractive for cyber attacks. With ECC 6.0, not only has the core of the software from Walldorf changed, but the world has also changed: ERP systems are connected to the Internet via many interfaces and portals.

Global communication is a prerequisite for business success. Data security and data protection are often neglected. Because there are still no concrete solutions and measures for the thousands of security vulnerabilities, Walldorf is trying to keep the ball rolling.

Most SAP employees are not allowed to speak up and talk about it. As a precautionary measure, E-3 Magazine was informed that inquiries will not be answered.

Obviously, the topic is more topical than SAP would like it to be. In the meantime, the detection and checking of modifications and add-ons would be a great pleasure - because SAP could then solve two problems in one fell swoop: Security and indirect use!

A sword of Damocles hangs over existing SAP customers: indirect use. For years, SAP has motivated its own existing customers and partners to expand the SAP base.

Even the world's best ERP system cannot meet all requirements and wishes - and Walldorf is well aware of this. The SAP community has made extensive use of Abap and NetWeaver and now SAP is paying the price: since 2014, SAP has been pointing out to many customers that the NetWeaver Foundation for 3rd Party (NWF 3rd Party) product requires a license.

This means that in-house developments and third-party solutions that use NetWeaver technology are subject to licensing. Indirect use has always been a complex, repressed and expensive issue.

In the past, however, it was believed that nothing is cooked as hot as it is eaten. Wrong! For some months now, SAP has been trying to turn "indirect use" into a significant source of revenue.

The "NetWeaver Foundation for Third Party" license required for this could cost individual existing customers up to two million euros or more, according to a recent survey by the DSAG working group on licenses.

SAP cannot measure and check indirect use - i.e. modifications and add-ons. Traditional SAP license measurement is still blind in this respect, which is currently doubly unpleasant from Walldorf's point of view: security vulnerabilities and indirect use are not visible!

Obviously, however, the topics of security and indirect use should not become manageable, but more complex. With "Bring Your Own Language", the possibilities for modifying the SAP system would increase exponentially.

The SAP Release Strategy document from November 12 of this year refers to this topic in a very special way under the following heading: Abap-managed Database Procedures and Advanced View Building with Core Data Services.

CDS may be a key to the Tower of Babel - Bring Your Own Language - but Core Data Services are certainly not a solution for a consolidated and error-free SAP basis.

There will be no security and indirect use will continue to be a sword of Damocles.

Write a comment

Security: How to protect SAP systems effectively

Precisely supports Amazon RDS for Db2 Service

Flexera completes acquisition of Snow Software

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork. All information about the event can be found here:

SAP Competence Center Summit 2024

Venue

Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Regular ticket:

€ 590 excl. VAT

Venue

Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024

Tickets

Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.