I remember a mission during my time in the German Armed Forces when we had to move out because the S-wire rolls (those with the small sharp blades), which were normally attached to the outer fence of the barracks, were replaced. For temporary protection, we were asked to put those wire rolls inside the fence. When we asked what this would do, since anyone could climb onto the fence from the outside and then jump over the 40 cm wide and high wire rolls, we were told: "That's what we do, so nobody can crawl underneath!"
A prime example of perceived safety. Many will now say that nobody is that stupid (I swear, the story is true!). But today I have to think about that day again and again when I experience the carelessness with which SAP customers import transport requests from third parties, often companies that develop in offshore centers in India, Russia or China. Of course, such transport orders are usually first checked by the customer with commercially available virus scanners; after all, you don't want to catch a virus (or, to stick to the example: "Nobody should crawl under the fence").
But when it comes to the risk assessment of the actual transport contents, I always notice a frightening carelessness. Transports are often imported into a sandbox system beforehand, but usually only to see whether they can be imported successfully, whether they functionally deliver what has been requested, and whether this is done at an acceptable speed.
What is completely disregarded is that breaking into an SAP system does not require the knowledge of anonymous foreign special units: you can also attack a system, or prepare it for an imminent attack ("on the fence and over"), by transporting certain settings. Any developer can easily acquire the necessary knowledge on their own. The possible effects range from data theft and identity theft to the complete loss of the SAP system.
An older but no less interesting article by Dennis Buroh from the March 2017 issue of Computerwoche (German only, sorry) describes very impressively how high the danger of attacks by internal employees is (title: “This is how you become an internal perpetrator”). Here, the extensive possibilities open to developers in the development system, together with the option of having changes brought into production very easily via the transport system, form an explosive combination.
Virtual Forge, a leading provider of security products for SAP, has identified this major security problem and with its Transport Threat Detection (TTD) product offers SAP customers a solution that automatically scans every new transport order for malicious transport content, similar to a classic virus scanner. The installation effort is extremely low because the software has to be installed on only one SAP system. Since Transport Threat Detection does not intervene in the existing change and transport process, but only sends corresponding notifications when an attack is detected, the solution can be used ad hoc. Take advantage of the know-how gained from 12 years of experience in SAP security and really protect your SAP systems - or in other words: Don't let anyone simply step on the fence and jump over it...