Application Development Discussions

Application security knowledge

Former Member
0 Kudos

Dear Gurus,

I currently have approx. 2 years of SAP Security experience. I know about the SAP application more from a technical perspective (as needed for SAP Security). I can design roles, configure GRC, have knowledge of Basis critical transactions, and so on. I can take recommendations from audit or Business for enforcing certain security rules during the design or support phases. My question now is... Is an application security consultant different from a regular technical security consultant? If yes, how?

Does a security consultant need to have knowledge of Business critical functions (in MM, FI, CO, SD, PP, CRM, HR, etc.) or is it sufficient to have technical knowledge about SAP?

I can understand that a security consultant should know at least the basics of SOX/SoDs, but I am not able to understand the scope of knowledge that one should gain to be a Security consultant.

Your advice is appreciated.

Regards,

Venkat

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Don't be stressed by the modules and vast array of other things. They should ideally provide this information to you, or even build the roles themselves as they develop them. Certainly they should maintain re-usable check proposals for you in SU24.

A similar approach we have at SDN is:

> Total Questions: 8 (5 unresolved)

You can only have a maximum of 10 unresolved questions before having to close your "tickets", so you have to follow up on them. The same applies to security and attempting a "lazy close". E.g. not giving them the access until they provide the information is a tool some people might use. Much easier said than done, but the real business users will typically know more about what they use and how they want to use it than intermediaries who are an information dead end.

I suggest that you first become very confident with how to use and configure your tools in training and a sandbox.

SU21

SU01

SU10

PFCG

PFUD

SUIM

SU24

SU25

PRGN_CUST

SSM_CUST

NWA

Visual Admin (while still around)

The various integration and frontend tools

CUA

IdM

etc

Then learn some ABAP and Java fundamentals and how to use traces and logs.

When you have that waxed and experience in it, get involved in projects and learn the modules and some of the exceptions, and particularly the configuration options which can help security, also to simplify it and why not to use certain techniques.

> Does a security consultant need to have knowledge of Business critical functions (in MM, FI, CO, SD, PP, CRM, HR, etc.) or is it sufficient to have technical knowledge about SAP?

It cannot harm, and will be a big advantage to you. Functional gurus in the modules who cannot understand the code will also reach their limits.

Cheers,

Julius

8 REPLIES

mvoros
Active Contributor
0 Kudos

Hi,

just my 2 cents. I think that overall knowledge of basic business processes in SAP, such as order to cash, is very helpful to a security consultant. It helps him to understand business requirements and communicate the necessary security measures back to the business. Obviously, more knowledge means that your skills are more valuable.

Cheers

0 Kudos

Thanks both for your valuable suggestions. I will start playing around with ABAP and SAP NW security functionality first before I go to other areas.

> A similar approach we have at SDN is:
>
> Total Questions: 8 (5 unresolved)
>
> You can only have a maximum of 10 unresolved questions before having to close your "tickets"

:) ..sorry, I will ensure to close my open topics..

Regards,

Venkat

0 Kudos

You are also welcome to leave this new thread open for a few more days, or I can move it to a functional forum which you have an interest in to see what they have to say about security.

We can also tour the whole of SDN with the thread if you wish. Should be interesting!

But close it when you have given up providing more information from your side, or you are happy.

Cheers,

Julius

0 Kudos

I'm going to offer a different opinion.

I would suggest learning the business processes now. Business process understanding is far harder to find than tech skills, and security consultants with those skills are harder to find and generally more valuable assets on a project. An analogy would be someone going on a cert course in a functional area without actually knowing the area in detail. They can configure stuff but can't effectively design it to meet the original spec.

As in functional areas, those who know the context in which they operate are always better to work with. Security is as much functional as it is technical.

Understanding the processes, how they interact with each other and how to control them is invaluable. No-one can claim to understand segregation of duties or regulatory requirements like SOX without it.

0 Kudos

Thanks Alex for your opinion. Is there a course from SAP for learning the key areas of the functional modules (from an Authorizations/Security perspective)?

Regards,

Venkat

0 Kudos

Hi Venkat,

There is no course that does this from a security basis; it comes from spending time with the functional teams. One way that many people get it is doing process audit work.

Cheers

0 Kudos

The training courses are generally not aligned to the key areas of business processes, but rather to the (central) security tools, as well as the technology (system and communication types), or even the areas where the techniques are particularly relevant (see the security guides) for us.

I fully agree with Alex and Martin that understanding of the business processes and the reasons behind the security requirements is valuable or even vital, but I would still go for solid technical training and knowledge first so that you know the tools, options and restraints, and then deepen your "domain experience" into the business processes and "modules".

Of course if you can do both in parallel, and pat your head while rubbing your tummy anti-clockwise at the same time... then go for it and take all the opportunities you get!

Cheers,

Julius