Xpandion Blog


3 Standards Every Risk Manager Should Require From Developers


I recently held a conversation with a highly experienced risk manager from one of our valued customers. As we were discussing the topic of development, it dawned on me that this subject is often neglected by risk managers – despite the fact that development issues are a major potential source of business risk.



By development I mean the code added to the standard ERP package, including standalone custom-developed programs and reports, user exits (an SAP term), enhancements and code snippets.

I must say it was a very productive discussion and I came out identifying the following key standards risk managers should require of developers.

1. Avoid Bad Coding in Production

Nothing good can come of bad coding. If your company has not yet defined appropriate programming standards, you may end up with mediocre code. Bad code invites hackers and bored programmers (next week’s blog will convey the adventures and consequences of a bored programmer). Furthermore, bad code increases the probability of mistakes even in normal use. Risk managers should insist on a well-managed process for transferring code from the development environment to production systems, including testing (unit and functional) and code review.

In addition, make sure that every programmer and code-changer is obligated to comply with these standards. I’ve often seen senior programmers who transfer code to the production environment on their own, bypassing the recommended procedures set in the company. Although this code may be fine, a well-managed process means that procedures are followed by everyone, at all times.

2. Authorization Check for Enhanced Protection

An authorization check essentially serves as the gatekeeper protecting the system from unauthorized use (in SAP the ABAP command for this is AUTHORITY-CHECK). Hence, an authorization check should be added to any sensitive path in the program: for example, when displaying the population, right before issuing an invoice in the code, or prior to altering the database.

Be prepared for justifications on the programmers’ side. They may excuse the lack of authorization checks by claiming that a program is private and should be used only once by a specific person. That being said, make sure to stick to the standard; authorization checks must always be added before a program is transferred to the production environment.
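
A transport gate can enforce this standard mechanically. The sketch below is an added example, not code from the original post or from Xpandion: a heuristic Python scan of ABAP source that flags database writes and CALL TRANSACTION with no evaluated AUTHORITY-CHECK earlier in the same block, and checks whose sy-subrc result is never tested. The sample program and the names Z_INVOICE and zinvoice are constructed, and the list of sensitive statements is an assumption.

```python
import re

# Added-example heuristics: statement openers treated as sensitive, and block starts.
SENSITIVE = re.compile(r"(UPDATE\b|DELETE\s+FROM\b|INSERT\s+INTO\b|CALL\s+TRANSACTION\b)", re.I)
BLOCK_START = re.compile(r"(FORM|METHOD|FUNCTION)\b", re.I)
# Constructed ABAP sample; Z_INVOICE and zinvoice are hypothetical names.
SAMPLE = """\
FORM fix_amount.
* AUTHORITY-CHECK OBJECT 'Z_INVOICE' ID 'ACTVT' FIELD '02'.
  UPDATE zinvoice SET amount = 0 WHERE id = '42'.
ENDFORM.
FORM post_invoice.
  AUTHORITY-CHECK OBJECT 'Z_INVOICE' ID 'ACTVT' FIELD '01'.
  INSERT INTO zinvoice VALUES gs_inv.
ENDFORM.
FORM change_invoice.
  AUTHORITY-CHECK OBJECT 'Z_INVOICE'
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0. MESSAGE 'Not authorized' TYPE 'E'. ENDIF.
  UPDATE zinvoice SET amount = gv_new WHERE id = gv_id.
ENDFORM.
"""

def statements(source):
    """Yield (line_no, text) per statement; a '.' inside a literal splits early."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        code = "" if line.startswith("*") else line.split('"', 1)[0]  # strip comments
        for part in re.split(r"(\.)", code):
            if part == "." and buf:               # period ends the statement
                yield start, " ".join(buf)
                buf, start = [], None
            elif part.strip() not in ("", "."):
                start = start or no               # line where the statement began
                buf.append(" ".join(part.split()))

def scan(source):
    """Return (line_no, problem) findings for one ABAP source text."""
    findings, checked, pending = [], False, None
    for no, stmt in statements(source):
        if pending:                               # statement right after a check
            checked = "sy-subrc" in stmt.lower()
            findings += [] if checked else [(pending, "AUTHORITY-CHECK result not evaluated")]
        pending = no if stmt.upper().startswith("AUTHORITY-CHECK") else None
        if BLOCK_START.match(stmt):               # new processing block: reset state
            checked = False
        elif SENSITIVE.match(stmt) and not checked:
            findings.append((no, "no evaluated authorization check before " + stmt.split()[0].upper()))
    return findings
```

`scan(SAMPLE)` reports the commented-out check in `fix_amount` as a missing check, and the unevaluated check in `post_invoice` as both an unevaluated result and an unguarded write.
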

3. Monitor Access to Production Systems

There are various reasons why developers log in to the production environment. Most of them are legitimate, such as checking the performance of the code, fixing bugs, etc. However, in many cases developers will not stop there. Furthermore, bored programmers are likely to start poking around looking for interesting information such as invoice amounts, high salaries, and yes, you can definitely let your imagination take you from here.

Access to production systems should be granted if (and only if) there is a genuine reason for it. In any case, developers should be monitored while in the production environment in order to ensure ongoing security and control, and to enable future inspection if needed.


By ensuring that developers stick to these easy-to-follow norms, risk managers are certain to benefit from significantly lower risk alongside enhanced security throughout their organization.

Visit again next week to read about the full adventures of the bored programmer. I promise to also suggest an effective way to handle the “adventurous type” in a way that enables justified access to the production environment, yet ensures no breach in security.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.

