At this year’s RSA conference in Barcelona [1], Bruce Schneier shared some insights on “Security Design: What Works, What Doesn’t, and Why”. A key statement was that “many commercial products are insecure because of a fundamental misunderstanding of what the technologies can and cannot do.” Referring to real-world scenarios, he illustrated whether a security design is meaningful – or not (e.g. a rabbit runs a very good built-in program that protects against foxes and other natural enemies; however, running in zig-zags and jumping doesn’t help against cars). If you want to understand security you have to think about the overall system; in other words, it doesn’t help to look at security mechanisms in isolation. You can read more about this in Bruce’s book “Beyond Fear” [2], in his weblog [3], and in his monthly newsletter Crypto-Gram [4].

After his talk there was the opportunity to ask questions. Having the title of his talk in mind, and as a member of the SAP Product Security team, I asked a good one (according to Bruce): “Assume that you have three wishes – what would you like to have from vendors?” After taking a moment to gather his thoughts, he answered that he actually has only two wishes, namely honesty and usability. Honesty means that vendors should clearly specify what a given product can do and what it can’t do. Usability means that we already have many products with many security functions, but it is still very difficult to use them easily.

Note that SAP is not a vendor of security products, but a vendor that ships products with security functions. Some of these security functions are implemented by SAP, many others are provided by solutions from our security partner ecosystem. However, as a trusted advisor for our customers, we should do our best to fulfill Bruce’s wishes.

Beginning with “honesty”, let’s explore some examples. The SAP Security Guides, for instance, provide a central overview of security-related functions and settings of individual applications, components, and scenarios for customers, consultants, support, and salespeople [5]. The guide gives recommendations for a baseline level of protection and gives pointers for customers that are aiming for a higher level of protection. Another example is the envisaged Security Bulletin service. Currently, SAP publishes information about security fixes in the SAP Notes that are available to our customers, however, customers that want to focus on security-related notes might find it difficult to find them in a meaningful way. Thus, SAP will offer a dedicated service (analogous to a CERT advisory service [6]) that briefly summarizes the security issues, provides a risk estimation and a reference to the SAP note that describes the fix. That way, customers will be in a better position to make informed decisions in their own (security) risk management process.

Now let’s have a look at “usability”. Being honest, I have to admit that it is not an easy game to understand and implement security in a secure SAP scenario today. However, the NetWeaver mantra “simple, robust, model-driven” reflects that SAP is following the right strategy. With NetWeaver, SAP has aligned several components into one product. As a result, customers can expect more integrated and centralized security functions – a significant step toward improving the user experience. Regarding robustness, SAP is taking the initiative to protect the new Web applications running on the SAP NetWeaver platform, as well as the platform components themselves [7]. Besides this, there are internal quality standards in place in order to ensure baseline security. Both approaches contribute to the usability of SAP security functions, as design and implementation weaknesses are addressed and their solutions incorporated centrally. And lastly, model-driven means that SAP listens to its customers. In which scenarios is SAP software used? What requirements have to be met? That way we develop and align security features that are useful for our customers.

I won the prize for the best question (a signed copy of “Beyond Fear”). By the end of the day I’m also very happy that SAP is on the right path toward solving the equation security = honesty + usability.

References:

1. RSA Conference 2004

2. Bruce Schneier, Beyond Fear, Copernicus Books, 2003

3. Bruce Schneier, Weblog Schneier on Security

4. Bruce Schneier, Crypto-Gram

5. SAP Security Guides, http://help.sap.com => Documentation => SAP NetWeaver ’04 (English version) => SAP NetWeaver Security Guide

6. CERT Advisories

7. Jürgen Schneider, How SAP Protects Your Web Applications from Security Vulnerabilities, SAP Insider, October – December issue, 2004.
