https://community.sap.com/t5/devops-and-system-administration-forum/sap-management/m-p/12113180#M493 <P>Hi expect,</P> <P>My leader wants to know if there is a vulnerability that can destroy the system program without logging in to the system. </P> <P>(Even though I think it's impossible.)</P> <P>It seems to have something to do with SAP basis. I'm just an ABAPer What I said can't make him believe. </P> <P>I hope you can answer my questions from a professional perspective. Thank you in advance！</P> Wed, 23 Oct 2019 06:38:24 GMT former_member635517 2019-10-23T06:38:24Z https://community.sap.com/t5/devops-and-system-administration-forum/sap-management/m-p/12113180#M493 <P>Hi expect,</P> <P>My leader wants to know if there is a vulnerability that can destroy the system program without logging in to the system. </P> <P>(Even though I think it's impossible.)</P> <P>It seems to have something to do with SAP basis. I'm just an ABAPer What I said can't make him believe. </P> <P>I hope you can answer my questions from a professional perspective. Thank you in advance！</P> Wed, 23 Oct 2019 06:38:24 GMT https://community.sap.com/t5/devops-and-system-administration-forum/sap-management/m-p/12113180#M493 former_member635517 2019-10-23T06:38:24Z https://community.sap.com/t5/devops-and-system-administration-forum/sap-management/m-p/12113181#M494 <P>Hello Ivan,</P><P>Can you please elaborate on what "destroy the system program" means?</P><P>Do you mean an ABAP program? Or the SAP system itself?</P><P>Regards,</P><P>Isaías</P> Thu, 24 Oct 2019 16:45:24 GMT https://community.sap.com/t5/devops-and-system-administration-forum/sap-management/m-p/12113181#M494 Isaias_SAP 2019-10-24T16:45:24Z https://community.sap.com/t5/devops-and-system-administration-forum/sap-management/m-p/12113182#M495 <P>Short answer: yes it is possible assuming someone exploits a known vulnerability, injects and executes malicious code. Security concerns around SAP systems have increased in the past decade, SAP vulnerabilities are being actively scanned around the world. These days you have companies specializing in SAP security including vulnerability and penetration testing.</P><P>You should at least follow the <A href="https://wiki.scn.sap.com/wiki/display/PSR/The+Official+SAP+Product+Security+Response+Space" target="_blank">SAP Security Response Wiki Page</A> to know what vulnerabilities exist in your SAP system.</P><P>Long answer: every system can be compromised given sufficient time and resources, you need to always keep security in mind. Security can mean physical security, network security, application level security, etc. With SAP, you should only open up access to the system where needed and configure your network accordingly. For example, do not expose your SAP system to the Internet unless you absolutely have to. At least always restrict port and protocol access using a firewall. If you need to expose your system to the Internet, at least have a system in between such as SAP Gateway that you expose rather than the actual system of record. Also, I recommend you use encrypted communication whenever possible, even inside the corporate network. Even more important is to keep up to date with security patches. You might have to patch your SAP system monthly just like you would patch your hardware, operating system, database, etc. Also, security has to be considered when implementing enhancements or creating custom solutions on top of SAP. Proper design and adherence to authorization concepts and best practices should always be a priority. Typically, SAP security is handled by three different teams: basis, development and security/governance/compliance. You can also have a dedicated security team or teams depending on your company size.</P><P>I suggest you add the <A href="https://answers.sap.com/tags/49511061904067247446167091106425" target="_blank">Security</A> tag to have more visibility.</P> Fri, 25 Oct 2019 11:16:39 GMT https://community.sap.com/t5/devops-and-system-administration-forum/sap-management/m-p/12113182#M495 SamuliKaski 2019-10-25T11:16:39Z