
Interest for a lessons learned information page?

fredrik_borlie
Contributor
0 Kudos

Hi all.

I just want to know if there is any interest in lessons learned information in the wiki pages.

The idea is to enlighten security-minded persons about some of the security holes there are in the system.

However, there is a backside to it and that is that the security holes can be used by evil-minded persons.

So. Shall we start this wiki-page in order to help each other with security holes, or is the risk too high?

Comments are welcome!

Regards

Fredrik

4 REPLIES 4

Former Member
0 Kudos

Which holes? Where?

I for one would welcome a "lessons learnt" contribution to help with some "booby-traps" and also some "tips and tricks" for improving security; and making interested folks more aware of some common and some special things to know.

First, perhaps you should decide whether you want to blog or wiki (see /people/community.user/blog/2008/05/26/blog-this-or-wiki-it). Something which you consider to be a security trap might be a security design feature for someone else.

Of course, if it is a bug somewhere which SAP has not provided a fix for yet, then this is not the ideal place to document it... (though there are worse places).

Cheers,

Julius

Former Member
0 Kudos

Hi Fredrik and others,

As you have not clearly distinguished between "backdoors" and "pitfalls" in security design, I would be interested in your and any other's ideas on a "Challenge of the (yester)Day" sticky thread.

I have read all threads in this forum and there are some really interesting and challenging ones which remain unanswered (at least, from the poster's point of possibly absent view).

Upfront in the threads listed chronologically (by date) I will add the following comment:

"Only informed answers need respond. Advertising not allowed."

That way we can "bounce" high quality questions to the top of the forum... and of course suggestions of threads to add are more than welcome, and these threads would be more actively moderated for content than others (which will make my "job" easier)?

Any thoughts?

Julius

0 Kudos

My wild idea was to write some kind of security cookbook containing things like:

  • beginners tips - example: tools and reports to simplify the day

  • version gaps - example: password case sensitivity

  • new functions - example: new BI auths

  • complex setups - example: Trusted RFCs

  • security warnings - example: remove S_DEBUG with change rights in production

I was planning to put it in the wiki to make it editable by the entire community =o)

Regards

Fredrik

0 Kudos

I pointed this out to some of the other moderators.

First of all, there are already SAP Security Guides available for specific focus areas (see SAP note 39267), however these are not publicly editable.

Here at SDN, probably the wiki is the best place for this, however there is no possibility to have threaded comments on changes and it would need to be managed somehow. On the other hand, that which is a guideline or standard for one person or company might not match the design or strategy of another - and wikis are not ideal for documenting disagreements.

Let's see whether there are any other ideas.

Cheers,

Julius