Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system - and access to almost every part of the system.

Because of this clear threat, for the last few years I have been a strong advocate in pushing the idea that programmers shouldn't have access to production systems; they should only have access to DEV and QA systems - and if there’s a real bug in production – they can use a special username to perform a debugging for a limited time. Unfortunately, the idea was premature and I wasn't able to convince any of the organizations I worked with about the importance of segregation of duties and reduction of absolute power to any one user.

They always said that they trusted their programmers….mistake.

From my experience in the field, I see three types of potential risks from programmers in the SAP production system:

1.   Risk of stealing sensitive data. The simplest way would be to use table browsing (SAP transaction SE16) to downloading all the required data to a disk-on-key/local file.

2.   Risk of performing business processes on behalf of someone else. For example, transferring money to an account. A good programmer can change the name of the creator, so no one knows who really made the transfer.

3.   Risk of transferring malicious codes - and by “malicious” here, I am not referring to a malignant virus, I am speaking from a business perspective. For example, when a purchase order from a customer is issued, and the amount is greater than $100K and I send an email so I can buy the stock. Another example is to take 1 cent from each money transfer and move it to a shadow account as in the movie ‘Office Space’.

While designing our product, ProfileTailor Dynamics, we’re currently focusing on dynamic security from a business perspective: Who accessed HR-sensitive data? Who attempted a money transfer even though it is not part of their usual day-to-day activity?

We just wonder why customers don’t seem to understand the security risk posed by a few bad seed programmer’s intent on causing harm.