06-11-2008 12:55 PM
Hi all.
I just want to know if there is any interest in lessons-learned information in the wiki pages.
The idea is to enlighten security-minded persons about some of the security holes there are in the system.
However, there is a backside to it, and that is that the security holes can be used by evil-minded persons.
So, shall we start this wiki page in order to help each other with security holes, or is the risk too high?
Comments are welcome!
Regards
Fredrik
06-11-2008 1:58 PM
Which holes? Where?
I for one would welcome a "lessons learnt" contribution to help with some "booby-traps" and also some "tips and tricks" for improving security, and making interested folks more aware of some common and some special things to know.
First, perhaps you should decide whether you want to blog or wiki (see /people/community.user/blog/2008/05/26/blog-this-or-wiki-it). Something which you consider to be a security trap might be a security design feature for someone else.
Of course, if it is a bug somewhere which SAP has not provided a fix for yet, then this is not the ideal place to document it... (though there are worse places).
Cheers,
Julius
06-11-2008 9:04 PM
Hi Fredrik and others,
As you have not clearly distinguished between "backdoors" and "pitfalls" in security design, I would be interested in your and any others' ideas on a "Challenge of the (yester)Day" sticky thread.
I have read all threads in this forum and there are some really interesting and challenging ones which remain unanswered (at least, from the poster's point of possibly absent view).
Upfront in the threads listed chronologically (by date) I will add the following comment:
"Only informed answers need respond. Advertising not allowed."
That way we can "bounce" high quality questions to the top of the forum... and of course suggestions of threads to add are more than welcome, and these threads would be more actively moderated for content than others (which will make my "job" easier)?
Any thoughts?
Julius
06-11-2008 10:39 PM
My wild idea was to write some kind of security cookbook containing things like:
beginners tips - example: tools and reports to simplify the day
version gaps - example: password case sensitivity
new functions - example: new BI auths
complex setups - example: Trusted RFCs
security warnings - example: remove S_DEBUG with change rights in production
I was planning to put it in the wiki to make it editable by the entire community =o)
Regards
Fredrik
06-14-2008 8:42 PM
I pointed this out to some of the other moderators.
First of all, there are already SAP Security Guides available for specific focus areas (see SAP note 39267); however, these are not publicly editable.
Here at SDN, probably the wiki is the best place for this; however, there is no possibility to have threaded comments on changes and it would need to be managed somehow. On the other hand, that which is a guideline or standard for one person or company might not match the design or strategy of another - and wikis are not ideal for documenting disagreements.
Let's see whether there are any other ideas.
Cheers,
Julius