As means of a background, I have been in the security field, specifically the pro-active testing (penetration testing) side of security for over a decade. As part of my past role, I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.
I say all of this in order to communicate that I would grade myself as having an above average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager role at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise I smiled and thought “well, I guess I know what I am doing the first couple of days”. As it turns out SAP is a world unto itself, with a lot of history and complexity.
I know that more and more ‘traditional’ security professionals are being asked to evaluate the security posture and risk of a business’s SAP system; which makes sense as SAP typically runs the most critical processes and workflows for an organization, as well as housing the most important data. Given the amount of time and effort it is taking me to learn SAP I thought it would be beneficial to publish a little resource for other professionals making the same jump.
So, SAP? For those like me who need to know what an acronym stands for it is Systems, Applications and Products in data processing, also it is never said as a single word, but spelled out S-A-P. It started in and is still based in Germany and according to Wikipedia has a revenue of over 16 billion Euro in 2012 – so not a small company by any stretch of the imagination.