For almost a decade I (and I am sure, all ABAPers) have been happily using the loop holes in SAP security to access the forbidden transactions, with no malicious intension though, only for speedy analysis and ethical debugging.
But today I am wondering, is it really a loop hole or has SAP provided these small windows to the developers knowingly?
SAP Security Guys!! Hope you are reading this.
América Latina es el principal destino de las inversiones mineras a nivel mundial. Según las estadísticas regionales, el año pasado, el subcontinente captó en torno al 33% de las inversiones mundiales en esa actividad económica, mientras que a principios de los 90 esa participación era de 12%. La actividad exploratoria también avala el atractivo minero de Latinoamérica. El estudio Corporate Exploration Strategies (CES), del SNL Metals&Mining, arrojó que la región capturó el 27% de la inversión mundial en exploración, en donde destacan cuatro países latinoamericanos: México (en el cuarto puesto); Chile (quinto), Perú (séptimo) y Brasil (noveno). Cabe destacar que el año pasado Argentina salió del “top ten”, siendo superado por la República Democrática del Congo, convirtiéndose esta en la primera nación africana en posicionarse dentro de los 10 primeros destinos de inversión exploratorios a nivel mundial. Por el lado de los proyectos en carpeta, solo los países que integran la llamada Alianza del Pacífico, esto es, Chile, Colombia, Perú y México, tienen desarrollos que en conjunto superan los US$ 221.000 millones, como se ha destacado en eventos como el Simposium del Oro y de la Plata, que se celebró en mayo pasado en Lima, Perú
América Latina es el principal destino de las inversiones mineras a nivel mundial. Según las estadísticas regionales, el año pasado, el subcontinente captó en torno al 33% de las inversiones mundiales en esa actividad económica, mientras que a principios de los 90 esa participación era de 12%. La actividad exploratoria también avala el atractivo minero de Latinoamérica. El estudio Corporate Exploration Strategies (CES), del SNL Metals&Mining, arrojó que la región capturó el 27% de la inversión mundial en exploración, en donde destacan cuatro países latinoamericanos: México (en el cuarto puesto); Chile (quinto), Perú (séptimo) y Brasil (noveno). Cabe destacar que el año pasado Argentina salió del “top ten”, siendo superado por la República Democrática del Congo, convirtiéndose esta en la primera nación africana en posicionarse dentro de los 10 primeros destinos de inversión exploratorios a nivel mundial. Por el lado de los proyectos en carpeta, solo los países que integran la llamada Alianza del Pacífico, esto es, Chile, Colombia, Perú y México, tienen desarrollos que en conjunto superan los US$ 221.000 millones, como se ha destacado en eventos como el Simposium del Oro y de la Plata, que se celebró en mayo pasado en Lima, Perú
Digital Transformation in Defense: Live, Virtual and Constructive (LVC) TrainingAmy Blanchard
For testing and training applications, the only affordable way to represent the required environment is to introduce simulated systems into live cockpits or with a synthetic, immersive environment due to limitations in physical range space and the number of physical assets available to represent realistic friendly and threat force densities. In some cases, M&S environments can be used to assess test issues that cannot be easily addressed in the real-world environment due to financial, operational security, and/or environmental considerations. Creating augmented live training and synthetic environments for training and exercises also promises to reduce operation tempos while still allowing realistic training at home stations and reducing the wear and tear on valuable equipment.
Sexual harassment of women at workplaceSinu Joseph
This presentation uses visuals to explain the Sexual Harassment of Women at Workplace (Prevention, Prohibition & Redressal) Act 2013. It can be used by employers, ICC members or organizations working to impact awareness on the Act. Write to contactus@mythrispeaks.org for more information.
SAP inside track NL 2013, SAP Security updatejvandevis
This presentation was presented on the SAP Inside Track The Netherlands 2013 in Eindhoven, Ciber.
It discussed some new presented SAP Security features as well as some other SAP Security related information,
(Video and code available at http://fsharpforfunandprofit.com/cap)
In this talk I'll look at a unusual approach to designing internal interfaces and external APIs -- a "capability-based" approach that takes the Principle Of Least Authority and applies it to software design.
When this approach is used, it produces a robust and modular design which captures the domain constraints, resulting in an API which is self-documenting and hard to misuse.
I'll demonstrate how to design and implement a capability based approach, how capabilities can be quickly combined and restricted easily, and how capabilities are a natural fit with a REST API that uses HATEOAS.
During one of my personal projects I decided to study the internals of Android and the potential of altering the Dalvik VM (e.g. Xposed framework and Cydia) and application behaviour. Not going into detail about runtime hooking of constructors and classes like these two tools provide, I also explored the possibility of reverse engineering and modifying existing applications.
In the web you can find multiple tutorials on Android reverse engineering of applications but not many that do it with real applications that are often subject to obfuscation or with complex execution flows. So in order to learn I decided to pick a common application such as Skype and do the following:
decompile it
study contents and completely remove some functionality (e.g. ads)
change some resources (not described in presentation bellow)
recompile, sign and install.
Used tools include :
apktool – for (de)compiling android applications
jarsigner – for signing android applications
xposed – for intercepting runtime execution flow (will make public in future)
The following presentation describes the steps taken in order to completely remove the ads from skype. This includes any computation or data plan usage the ads consume. Please note the disclaimer of the presentation as this information is for educational purposes only.
Check my website : www.marioalmeida.eu
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
This presentation will highlight three attack vectors targeting SAP.
- SAP Portal Header Authentication
- Verb Tampering
- Abuse of JAVA Core Services
You will learn techniques to mitigate these threats.
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
SCA, if used for finding vulnerabilities also called SAST, is an
important technique for detecting software vulnerabilities already
at an early stage in the software development life-cycle. As such,
SCA is adopted by an increasing number of software vendors.
The wide-spread introduction of SCA at a large software vendor,
such as SAP, creates both technical as well as non-technical
challenges. Technical challenges include high false positive and
false negative rates. Examples of non-technical challenges are the
insufficient security awareness among the developers and managers
or the integration of SCA into a software development life-cycle
that facilitates agile development. Moreover, software is not
developed following a greenfield approach: SAP's security
standards need to be passed to suppliers and partners in the same
manner as SAP's customers begin to pass their security standards
to SAP.
In this paper, we briefly present how the SAP's Central Code
Analysis Team introduced SCA at SAP and discuss open problems in
using SCA both inside SAP as well as across the complete software
production line, i.e., including suppliers and partners.
sPlatform Security: "Are you really that attached to your ABAP security flaws, or can they go?"
-------------------------------------------------------------------------------------
Attacks on companies have increased exponentially in recent years. Not uncommonly, these were made possible by software vulnerabilities. SAP systems are particularly critical for many core business processes and should receive corresponding protections.
However, you'll only achieve a basic level of security that can weather stress tests and remain consistent if you take a truly head-to-toe approach to security. And that includes your ABAP code. In our experience to date, many companies balk at audits of their custom developments or 3rd-party add-ons, or are unsatisfied with the nearly unmanageable number of findings. How can this mass of supposedly critical security flaws be evaluated reliably? Where do you even start to clean up?
The newest module in our SAST SUITE, the Code Security Advisor, offers a solution. It is directly integrated into your SAP system and has a risk assessment enriched by key figures such as usage statistics for prioritization, an option to easily decommission obsolete code and a comprehensive set of rules with test cases developed by our SAP security and compliance consultants based on their years of experience.
-------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...CODE BLUE
On this presentation, we will raise awareness on how the SAP Internet facing systems are particularly vulnerable to Spyware, Ransomware and Worms due to their inherent complexity.
We will also introduce (for the first time in Asia ) the “Project ARSAP”. This project is a semi-automatic mechanism which main goal is to detect and register all the SAP systems that are exposed to the Internet, extracting the system’s metadata and cataloging the assets in base of their Geo-location, system type, version, installed components and potential risk of compromise.
We will present a brief introduction to SAP, defining its architecture / entry points and explain with great detail the methodology behind the “ARSAP” project.
Then, three different scenarios were malware could strike SAP will be showcased. We will start by recreating a real SAP cyber-attack, where a company got attacked via malicious emails and we will move forward to some other complex techniques that could allow anyone, directly from the Internet to compromise the whole Interfacing SAP system and jump to the adjacent network.
This presentation will have several live demos where the attendees will be able to observe the entire attack workflow. We will conclude the presentation by presenting some suggested remediations and conclusions.
Digital Transformation in Defense: Live, Virtual and Constructive (LVC) TrainingAmy Blanchard
For testing and training applications, the only affordable way to represent the required environment is to introduce simulated systems into live cockpits or with a synthetic, immersive environment due to limitations in physical range space and the number of physical assets available to represent realistic friendly and threat force densities. In some cases, M&S environments can be used to assess test issues that cannot be easily addressed in the real-world environment due to financial, operational security, and/or environmental considerations. Creating augmented live training and synthetic environments for training and exercises also promises to reduce operation tempos while still allowing realistic training at home stations and reducing the wear and tear on valuable equipment.
Sexual harassment of women at workplaceSinu Joseph
This presentation uses visuals to explain the Sexual Harassment of Women at Workplace (Prevention, Prohibition & Redressal) Act 2013. It can be used by employers, ICC members or organizations working to impact awareness on the Act. Write to contactus@mythrispeaks.org for more information.
SAP inside track NL 2013, SAP Security updatejvandevis
This presentation was presented on the SAP Inside Track The Netherlands 2013 in Eindhoven, Ciber.
It discussed some new presented SAP Security features as well as some other SAP Security related information,
(Video and code available at http://fsharpforfunandprofit.com/cap)
In this talk I'll look at a unusual approach to designing internal interfaces and external APIs -- a "capability-based" approach that takes the Principle Of Least Authority and applies it to software design.
When this approach is used, it produces a robust and modular design which captures the domain constraints, resulting in an API which is self-documenting and hard to misuse.
I'll demonstrate how to design and implement a capability based approach, how capabilities can be quickly combined and restricted easily, and how capabilities are a natural fit with a REST API that uses HATEOAS.
During one of my personal projects I decided to study the internals of Android and the potential of altering the Dalvik VM (e.g. Xposed framework and Cydia) and application behaviour. Not going into detail about runtime hooking of constructors and classes like these two tools provide, I also explored the possibility of reverse engineering and modifying existing applications.
In the web you can find multiple tutorials on Android reverse engineering of applications but not many that do it with real applications that are often subject to obfuscation or with complex execution flows. So in order to learn I decided to pick a common application such as Skype and do the following:
decompile it
study contents and completely remove some functionality (e.g. ads)
change some resources (not described in presentation bellow)
recompile, sign and install.
Used tools include :
apktool – for (de)compiling android applications
jarsigner – for signing android applications
xposed – for intercepting runtime execution flow (will make public in future)
The following presentation describes the steps taken in order to completely remove the ads from skype. This includes any computation or data plan usage the ads consume. Please note the disclaimer of the presentation as this information is for educational purposes only.
Check my website : www.marioalmeida.eu
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
This presentation will highlight three attack vectors targeting SAP.
- SAP Portal Header Authentication
- Verb Tampering
- Abuse of JAVA Core Services
You will learn techniques to mitigate these threats.
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
SCA, if used for finding vulnerabilities also called SAST, is an
important technique for detecting software vulnerabilities already
at an early stage in the software development life-cycle. As such,
SCA is adopted by an increasing number of software vendors.
The wide-spread introduction of SCA at a large software vendor,
such as SAP, creates both technical as well as non-technical
challenges. Technical challenges include high false positive and
false negative rates. Examples of non-technical challenges are the
insufficient security awareness among the developers and managers
or the integration of SCA into a software development life-cycle
that facilitates agile development. Moreover, software is not
developed following a greenfield approach: SAP's security
standards need to be passed to suppliers and partners in the same
manner as SAP's customers begin to pass their security standards
to SAP.
In this paper, we briefly present how the SAP's Central Code
Analysis Team introduced SCA at SAP and discuss open problems in
using SCA both inside SAP as well as across the complete software
production line, i.e., including suppliers and partners.
sPlatform Security: "Are you really that attached to your ABAP security flaws, or can they go?"
-------------------------------------------------------------------------------------
Attacks on companies have increased exponentially in recent years. Not uncommonly, these were made possible by software vulnerabilities. SAP systems are particularly critical for many core business processes and should receive corresponding protections.
However, you'll only achieve a basic level of security that can weather stress tests and remain consistent if you take a truly head-to-toe approach to security. And that includes your ABAP code. In our experience to date, many companies balk at audits of their custom developments or 3rd-party add-ons, or are unsatisfied with the nearly unmanageable number of findings. How can this mass of supposedly critical security flaws be evaluated reliably? Where do you even start to clean up?
The newest module in our SAST SUITE, the Code Security Advisor, offers a solution. It is directly integrated into your SAP system and has a risk assessment enriched by key figures such as usage statistics for prioritization, an option to easily decommission obsolete code and a comprehensive set of rules with test cases developed by our SAP security and compliance consultants based on their years of experience.
-------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...CODE BLUE
On this presentation, we will raise awareness on how the SAP Internet facing systems are particularly vulnerable to Spyware, Ransomware and Worms due to their inherent complexity.
We will also introduce (for the first time in Asia ) the “Project ARSAP”. This project is a semi-automatic mechanism which main goal is to detect and register all the SAP systems that are exposed to the Internet, extracting the system’s metadata and cataloging the assets in base of their Geo-location, system type, version, installed components and potential risk of compromise.
We will present a brief introduction to SAP, defining its architecture / entry points and explain with great detail the methodology behind the “ARSAP” project.
Then, three different scenarios were malware could strike SAP will be showcased. We will start by recreating a real SAP cyber-attack, where a company got attacked via malicious emails and we will move forward to some other complex techniques that could allow anyone, directly from the Internet to compromise the whole Interfacing SAP system and jump to the adjacent network.
This presentation will have several live demos where the attendees will be able to observe the entire attack workflow. We will conclude the presentation by presenting some suggested remediations and conclusions.
Managed Services: "The choice is yours: a make or buy approach to SAP security and compliance?"
-------------------------------------------------------------------------------------
Checking for vulnerabilities, flawed configurations, and critical authorizations on a regular basis is the only way to ensure SAP system security. However, efforts like these are technically complex, which is why they require so much time and personnel. Decision-makers thus face a fundamental question: Should they "make" or “buy" their way to SAP security and compliance? Our SAST MANAGED SERVICES offer a holistic solution that can assist you in both on-site and remote environments.
--------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
This 2 hour workshop will introduce you to Industrial Ethernet Switches and their vulnerabilities. These are switches used in industrial environments, like substations, factories, refineries, ports, or other other homes of industrial automation equipment. In other words, scada and ICS switches. You will gain familiarity with the basic usage of these switches, and do some very light traffic analysis and firmware reverse engineering.
Not only will vulnerabilities be disclosed for the first time (exclusively at 44CON), but the methods of finding those vulnerabilities will be shared. If you have never done any reverse engineering or firmware analysis, this might be a good place to start.
You will need to be familiar with a linux commandline, and the usage of tools such as BURP and wireshark. If you are an IDA Pro wizard we welcome your attendance, but we won’t be teaching you anything new. However, we will examine firmware and device embedded webservers with tools such binwalk, strings, grep, xxd, python, scapy, and compression utilities.
All vulnerabilities taught/disclosed will be in the default configuration state of the devices. While these vulnerabilities have been responsibly disclosed to the vendors, SCADA/ICS patching in live environments tends to take 1-3 years. So this work will be fresh and useful for your penetration tests in the future.
You might even find new vulnerabilities with the chance to play with these devices (which are being brought to 44CON for this workshop)!
Flow Chart to get Free access to SAP HANA Cloud PlatformSAPYard
Finally you are somewhat clear as to what you want to do in HANA. Now a greater hurdle. Neither your employee organization nor your current project client has HANA database. So, how would you explore the tremendous power and innovation of HANA? Is it end of the road? Was your acquaintance with HANA only till here?
Do not worry, there is always a way around. You just need to have the zeal to learn and find out the alternatives.
“When a person really desires something, the whole universe conspires to help that person to realize his dream.” :)
– Paulo Coelho, The Alchemist
The easiest option (and a better one, if you can afford) is to enroll in the authorized SAP Classroom/Online HANA training session. Consider it as an investment for your future.
But, if you do not want to shell out some $$$ right now or you want to have some bare minimum knowledge in HANA and then you plan to take proper formal training, you have another free alternative.
Remember, in the concluding lines of previous post, I mentioned that we can get access to HANA database using SAP HANA Cloud Platform. There is nothing called a “free lunch” in this world, but SAP HANA Cloud Platform is an exception. Yes, it is absolutely free!!! Thanks to SAP.
HANA the “Hot cake” of the market. I have been hearing about HANA since the beginning of this decade or even earlier. Initially I thought it was just a new database, so why the fuss? My crooked mind used to say: may be SAP does not want to share the market revenue with any other database provider (competitors); therefore they came up with their own database. Pat SAP for Smart Business Acumen. :)
Later I had a notion that HANA is only for BI/BW folks, so being an ABAPer – why should I care? Everyone used to talk about analysis and modelling. So, I used to think, let the BI/BW modelers worry about HANA.
Then the rumour started in market; ABAP and ABAPer are going to be extinct in near future. I used to wonder, if ABAPer are going to die, then who in this whole universe would support those tons and tons of ABAP code written in the history of SAP Implementations? What will happen to all those time, effort and money spent in those large and small scales SAP Implementations? What a waste of rumour!!
The bgRFC allows applications to record data that is received later by a called application. When the data is received, we must ensure that the data was transferred to the receiver either once only in any order (transactional) or once only in the order of creation (queued).
What is bgRFC?
bgRFC Configaration
bgRFC Programming
bgRFC Debugging
bgRFC Monitoring
A Chargeback is an amount claimed by a distributor from a manufacturer or vendor for the difference between their initial acquisition price and the actual agreed upon price for products/services sold to a specific end customer or partner.
There are not much documents in the internet world regarding Vistex. In this post, the author has tried to give an overview of the Vistex Chargeback and the bird’s eye view to the common terminologies, screens, transactions and technical objects (user exits, BADIs etc). Hope this post would act as a launch pad to all interested consultants who would like to take deep dive into Vistex.
Below are the contents of the attached document:
i) Definition of Chargeback
ii) Benefits of the Chargeback Application
iii) Chargeback Process
iv) Chargeback Lifecycle
v) Source Documents of Chargeback
vi) Chargeback creation based on Partner Roles with proper agreements
vii) Chargeback creation based on Partner role w/o agreement
viii) Why Partner Roles are important to create Chargeback Document
ix) Chargeback Creation Transaction codes
x) Chargeback Display or Change TCodes
xi) Chargeback Accounting Document Display
xii) Document flow for the accounting document of Chargeback
xiii) Common T-codes/User Exits/BADIs in Chargeback
xiv) High Level Overview from Contract to Chargeback Business Process for a Pharma wholesale business process
xv) Chargeback functions : CB Creation, Document flow and Reconciliation
There are not much documents in the internet world regarding Vistex. In this post, the author has tried to give an overview of the Vistex Contract (with examples from Pharma Contracts Management System) and the bird’s eye view to the common terminologies, screens, transactions and technical objects (user exits, BADIs etc). Hope this post would act as a launch pad to all interested consultants who would like to take deep dive into Vistex Contract.
Below are the contents of the attached document:
i) Vistex Introduction
ii) Benefits of Vistex Solution
iii) Industry Challenges
iv) Benefits of Vistex Solution
v) Integrated Contract Life-Cycle Management
vi) Contract Development and Administration
vii) Contract Types
viii) Contract Screen General Tab
ix) Contract Screen Customer Tab
ix) Contract Screen Products Tab
x) Group Purchase Organization (GPO) & Buying Group
xi) Group Membership
xii) Membership/Block Maintenance Screen
xiii) Buying Group assignment to Contract
xiv) Sample Process Flow
xv) Sample Exception Processing Flow
xvi) Contract Activation
xvii) Contract Best Price Logic
xviii) Contract Data Upload
xix) Manual File Upload
xx) File Upload
xxi) Inbound Contract Create/Update (EDI 845)
xxii) Common T-Codes, Tables & BADI
Couple of our readers suggested that we post something which would be easy reference for Vistex Technical who are beginners. Hope this post would help all Vistex Technical who are starting their first project in Vistex.
A. Common Modules in Vistex
1. Customer Rebate
2. Chargeback
3. Contract
4. CLM
As a hardcore ABAP developer, I was curious to know, how is an ABAPer affected by this upgrade 7.4. After exploring the system and going through the sap release documents, I have tried to jot down the changes which ABAPers like me would be interested in.
And NEW and VALUE Operators are the first features in EhP7 which the ABAPer would be using regularly.
Offshore development model in 10 steps sap yardSAPYard
Recently while discussing with one of my onsite client, I
came to know that clients here are not completely aware
of how offshore functions. They believe that after they
give the business requirement, their responsibilities are
over. In short, offshore model is a Black Box to them.
They are only interested in the final deliverables and not
in how offshore get the things done.
The difference between a normal programmer and a good programmer is, the latter keeps his/her basics right. Good programmers are distinguished by the quality of their deliverables. They provide enough documentation in their object so that the future practitioners supporting their product do not curse them. One of my Team Lead once told me, “your code should not only meet the functionalities, it should also be asthetically pleasing if someone happens to peep into it"
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Simple SAP Security Breach !!
1. 8/18/2015 Simple SAP Security Breach | SAP Yard
http://www.sapyard.com/simplesapsecuritybreach/ 1/7
Simple SAP Security
Breach
TOPICS: Authorization Data Theft Hacking
SAP Security
POSTED BY: SAP YARD AUGUST 18, 2015
It is nearly impossible to prevent a developer from
accessing any t-code. We saw an example in our other
post titled “Can you really restrict any developer
from executing any t-code?“. For almost a decade I
(and I am sure, all ABAPers) have been happily using
the loop holes in SAP security to access the forbidden
transactions, with no malicious intension though, only
for speedy analysis and ethical debugging.
But today I am wondering, is it really a loop hole or has
Enter email
Subscribe
RECENT POSTS
Simple SAP Security Breach
Playing Sherlock Holmes to
detect CONVT_CODEPAGE
runtime error mystery
DELETING rows of the
internal table within the
LOOP. Is it a Taboo? A big
NO NO?
SAP YARD
YOUR BACKYARD FOR SAP TECHNICAL TIPS AND SOLUTIONS
HOME SEE ALL POSTS ASK YOUR QUESTIONS ABOUT ME CONTACT ME
You and 92 other friends like this
SAP Yard
173 likes
Liked
SEARCH …
2. 8/18/2015 Simple SAP Security Breach | SAP Yard
http://www.sapyard.com/simplesapsecuritybreach/ 2/7
SAP provided these small windows to the developers
knowingly?
SAP Security Guys!! Hope you are reading this.
Check, I do not have access to t-code SE38 (ABAP
Editor) in my Pre-Production system.
I also do not have access to t-code SE80 (Object
Navigator/ ABAP Workbench), SE37 (Function
Module) etc in the same system.
Quick Reference for Vistex
Technical
Offshore Development
Model in 10 Steps
3. 8/18/2015 Simple SAP Security Breach | SAP Yard
http://www.sapyard.com/simplesapsecuritybreach/ 3/7
I do have authorization to the basic t-code SE11
(Display Table). You might have access to some other
common t-codes (you can use that). SE11 is my secret
window to all the forbidden t-codes.
Check how ??
I am in SE11. Click Other Object icon (Shift + F5) ->
Enhanced Options radio button. Click on the corner
square icon for Program, Function Group or click
‘More’ to get other areas.
5. 8/18/2015 Simple SAP Security Breach | SAP Yard
http://www.sapyard.com/simplesapsecuritybreach/ 5/7
Similarly you can view, function modules, services,
proxies, web dynpros and what not.
As an ABAPer, I am happy to figure out this alternative
way to navigate through the t-codes. This process is
specially handy, when you want to check something
really quick or want to do some comparison during some
issues mitigation.
If you go via the right path i.e. –> ask your manager
for approval –> raise ticket for security team –>
wait for approval again –> wait for security team
to provide you the right access. Some times, you do
not have the liberty of waiting and watching for that
long. So, ABAPers quickly use this trick. Specially in
quality and pre-production (where you have the
restriction).
Question to Security Guys.
Are the developers suppose to access the t-code via this
alternate route?
Did you guys knowingly provide this alternative? If you
6. 8/18/2015 Simple SAP Security Breach | SAP Yard
http://www.sapyard.com/simplesapsecuritybreach/ 6/7
know and it is ok to access this way, then we are good.
But, if Security Guys are not aware of this loop hole,
then there are chances of bigger Security breach. SAP
Security folks can end up giving the same alternative
in Production environment too. If this happens,then
there can be serious implications and data theft (and
I know of clients where you can use this alternative in
Production environment as well).
We would like to hear comments from Security
experts. Please provide your opinion on this topic.
Should Security team not close this alternative if the
user’s role does not allow him/her to access certain
transactions?
ABAPers, please forgive me if your doors get closed.
But I am sure, no ABAPer want his/her system and
data to be visible to unwanted crooks. It’s our duty to
make our environment as robust as possible and protect
them from any unforeseen spy or data thief.
Morever ABAPers would figure out some other way, if
this one is closed.. ABAPers rock!!!!
Do you have anything more to add to it? Do you have any
story to share on this topic. Please feel free to email us at
mailsapyard@gmail.com or leave it in our comment
section.
If you want to get updates about our new tweaks and
tricks, please subscribe.
If you liked it, please share it. Thank you very much for
your time!!
7. 8/18/2015 Simple SAP Security Breach | SAP Yard
http://www.sapyard.com/simplesapsecuritybreach/ 7/7
BE THE FIRST TO COMMENT
ON "SIMPLE SAP SECURITY BREACH"
Image source : www.theregister.co.uk
Previous post
Leave a comment
Logged in as SAP Yard. Log out?
Comment
Post Comment
COPYRIGHT 2015 | SAPYARD BY WWW.SAPYARD.COM
ALL PRODUCT NAMES ARE TRADEMARKS OF THEIR RESPECTIVE COMPANIES. SAPYARD.COM IS NOT AFFILIATED TO SAP AG.
