
Note 1572302 - Hard-coded credentials in ABAP DDIC

Former Member
0 Kudos

Hello,

Have you read [Note 1572302 - Hard-coded credentials in ABAP DDIC|https://service.sap.com/sap/support/notes/1572302]?

I had a good laugh when I read it. Before implementing the note or the corresponding SP, you'd better check the usernames in your production system!

I know 14 SAP employees that must have got some good congratulations!

I am also a little afraid of the lack of source code review before distribution to customers...

Regards,

Olivier

4 REPLIES 4

martin_voros
Active Contributor
0 Kudos

Hi Olivier,

IMO it's getting better, but there is still room for improvement. As you've probably noticed, Java AS 7.02 got EAL4+ certification, which is basically the highest possible level for an already developed product. Part of the certification is that you have to have standard processes such as periodic scans for crap like this. SAP says that they want to get EAL4+ for ABAP AS as well. My guess is that the huge number of security fixes from last December was a result of this process. They need to find all these old surprises. This one was with us since release 3.1I.

Cheers

0 Kudos

Hi Martin,

Of course, this is a good move from SAP to detect and correct these "features".

Cheers,

Olivier

0 Kudos

From my experience, SAP are also very responsive to reports of such issues, though 1st level support on SMP might initially tell you that the solution is not to use it...

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert
0 Kudos

From my experience, SAP are also very responsive to reports of such issues, though 1st level support on SMP might initially tell you that the solution is not to use it...

Well, if you have found a security issue and face difficulties in addressing it properly, kindly do not hesitate to [report it via mail (PGP encrypted) to SAP|/docs/DOC-8218#section36].