Application Development Discussions
Is there any published SAP security audit from a 3rd party?

Former Member

I have a customer in a pre-sales cycle trying to gain more information about the infrastructure of the NetWeaver 7.0 platform. Some of their questions focus around security and they want to know if NW 7.0 security has been tested/audited by an external 3rd party. If so, has that been published?

I can direct them to all the links on sap.com, service.sap.com and sdn, but I think they're looking for something more neutral.

1 ACCEPTED SOLUTION

sdipanjan
Active Contributor

> I can direct them to all the links on sap.com, service.sap.com and sdn, but I think they're looking for something more neutral.

In that case, you may need to consult with the Big-4 audit organizations for more information. Publishing audit reports to the public is not at all possible, as they contain many of the company's secrets (maybe not data, but even business planning, which is replicated in SAP). So it is usual that you won't find any such information on the market.

Regards,

Dipanjan

3 REPLIES

Former Member

> Publishing of Audit reports to public is not at all possible as it contains company's many secret...

Senators Sarbanes and Oxley found sufficient reason to make it mandatory to disclose such weaknesses, and if something happens because management did not take due care to address the issues, which leads to a loss for other 3rd parties (e.g. shareholders...), then they are personally liable.

However I suspect that David is asking something else --> whether SAP's own products and processes have been subject to external audits (e.g. ISO certification, enabling legal compliance for the software users, external code reviews, penetration tests, security research studies, etc).

I know that SAP does this and also reacts to it (personally I do some research and am very impressed with SAP's responsiveness and efforts), but I doubt you will find detailed audit reports published. The closest thing to it which you will find is https://service.sap.com/securitynotes . I can recommend keeping an eye on this, and SAP note 888889.

Having said that, there once was a guy who tried to auction a bug he found to the highest bidder. Rumour has it that he did this after trying unsuccessfully to blackmail SAP for the details. Very silly idea... as I can assure you from my experience that SAP's intention is to improve the security and security-related products and customer-side implementations. This is in everyone's interest. There is also more than enough work there to keep a knowledgeable person busy for a long time...

My 2 cents, but someone from SAP would certainly be able to give a more qualified and knowledgeable answer.

Cheers,

Julius

ps: Along with technology and creative ideas, security also changes very fast. So if someone is offering a bug-free certificate for anything longer than a few minutes for any software (particularly if custom code can be added...!), then rather be careful of that proposition...

Former Member

Thanks for the responses. I actually work for SAP and I have had a hard time tracking this down internally. But I think I have enough information for the customer that is found on the www.sap.com/security page:

SAP solutions are built from the ground up to ensure the highest levels of security in the most sensitive environments. SAP follows rigorous security standards in the design and development of all its solutions, and SAP application developers receive extensive security training. SAP software development is certified according to the ISO 9001:2000 standard. Our technology has also been certified according to Information Technology Security Evaluation Criteria (ITSEC) Level E2 Medium.

SAP provides consulting and support services that focus on risk assessment and management, helping you understand security as a business issue and ensuring that all work routines and processes are secure. We also offer a broad range of solutions to help you manage governance, risk, and compliance. And we practice what we preach: SAP's internal IT processes have been awarded ISO 27001:2005 certification.