The official description is “Strategic SAP product security issues and questions in the areas of secure user access, such as Single Sign-On and Identity Management, secure collaboration, such as message security (encryption) and trust management as well as infrastructure security questions that span more than one SAP NetWeaver component, should be posted here.”
Practically speaking, this will be a place to discuss all things security, even if they can’t be directly linked to an SAP software component. Processes around security management or IT risk management are fine as well.
We will start things by moving all (well, all we can find…) security-related posts that are now buried in all the other forums into the security forum – using Craig’s words, this is supposed to be the “one true place for security related issues”.
The SDN Security forum will be moderated by myself and two colleagues from the SAP Global Focus Group Risk Management & IT Security – Michael Altmaier and Christian Wippermann. We’ll be happy to discuss all your security questions. Questions around SAP’s new GRC Initiative are not directly in focus, but as long as there’s no separate forum for this, we’ll be happy to serve as a temporary home.
One request: please do NOT use the forum to post new security issues you may find in an SAP component. The reason for this is not that we’re trying to hide these issues, quite the contrary: we’d like to address them as fast as humanly possible, and this is why they still need to go to email@example.com, where our dedicated security product experts will take care of them.
Let me finish this post with a quote from Confessions of a master jewel thief by Bill Mason:
“Nothing works more in a thief’s favor than people feeling secure. That’s why places that are heavily alarmed and guarded can sometimes be the easiest targets. The single most important factor in security — more than locks, alarms, sensors, or armed guards — is attitude. A building protected by nothing more than a cheap combination lock but inhabited by people who are alert and risk-aware is much safer than one with the world’s most sophisticated alarm system whose tenants assume they’re living in an impregnable fortress.”
Secure and happy posting, everyone – I’m looking forward to your discussions!