Custom security effective implementation
Presenter: Srini, Flow Slf Authorizations
4/6/2014, H&M Internal v1.0
Agenda
• Introduction - Custom Security
• Teams involved in Custom Security design
• Different project cycles of Custom Security design
• Technical tips for effective implementation
Introduction - Custom Security
• Additional control over SAP standard transactions/processes where the default authorization controls provided by SAP are not sufficient, or control over any newly created SAP development object (e.g. a custom report, transaction code or table)
• Implemented via ABAP code which involves either a standard or a custom authorization object
• The custom authorization object (which involves a standard/custom authorization object class and authorization fields) is created by the Security team, while the ABAP code is written by the Development team
Project cycle phases of Custom Security design
• Role design
• Requirements
• Development
• Unit testing
• Integration testing
• User acceptance testing
• PRD
Scenario 1: Sec fully involved (phase/team diagram; text recovered from the slide)
Acronyms for teams: FA – Functional Area; Sec – Security; Dev – Development
Teams per phase, in the order shown: FA; Sec; Dev; Sec; FA; Sec, Dev; FA; Sec, Dev
Activities shown: Create RDD; Finalize security design; ABAP auth check code; Unit test; Unit test; Move security objects, ABAP code to T, Q; Integration testing; Move role changes, ABAP code to P
Scenario 2: Sec involved very late. Impact: Sizeable (phase/team diagram; text recovered from the slide)
Acronyms for teams: FA – Functional Area; Sec – Security; Dev – Development
Teams per phase, in the order shown: FA; Dev; FA; Dev; FA; Sec; Dev; Sec; FA; Dev, Sec; FA; Dev, Sec
Activities shown: Create FS; ABAP development; Unit test; Move ABAP code to T; Integration testing; Create RDD; Finalize security design; ABAP auth check code; Unit test; Unit test; Move security objects, ABAP code to T, Q; Integration testing; Move security objects, ABAP code to P
Recommendation for Scenario 2: Dev to inform the Sec team at the initial stage of any custom development.
Scenario 3: Sec not involved. Impact: Sizeable (phase/team diagram; text recovered from the slide)
Acronyms for teams: FA – Functional Area; Sec – Security; Dev – Development
Teams per phase, in the order shown: FA; Dev; FA; Dev; FA; Dev
Activities shown: Create FS; ABAP development; Unit test; Move development to T, Q; Integration testing; Move development to P
Technical tips for effective implementation
• Avoid redundant code: do not re-implement the default authorization checks (S_TCODE, S_PROGRAM, S_RFC, S_TABU_DIS)
• Report/transaction authorizations:
• Avoid any possibility of providing backdoor access
• Place authorization checks before calling other development objects such as programs or transaction codes, e.g. wherever statements like CALL TRANSACTION or SUBMIT are used
• Avoid using sy-uname in the development
• Avoid using any sort of hardcoded authorization values
• Standard or custom authorization objects? If the custom development is a completely new solution not related to any SAP standard transaction/process, custom authorization objects are recommended. Otherwise, the best practice is to use standard authorization objects.
Note: A good understanding of the business requirement and a wide knowledge of the standard SAP authorization objects is required to decide which type of authorization object needs to be used in the custom development.
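The tips above put into ABAP, as an added example that is not part of the original deck: the weak pattern (sy-uname test, hardcoded organizational value, unconditional SUBMIT) beside the hardened pattern (AUTHORITY-CHECK on a custom object, evaluated before the SUBMIT). ZREPORT_SALES, Z_SALES and its fields VKORG/ACTVT are assumed placeholder names, not objects from the deck or from a standard system.

```abap
* Added example, not from the deck. Placeholder names: ZREPORT_SALES (custom report
* that accepts parameter p_vkorg), Z_SALES (custom authorization object with fields
* VKORG and ACTVT). Substitute your own objects.
REPORT zsales_dispatch.

PARAMETERS p_vkorg TYPE vkorg OBLIGATORY.   " sales organization chosen by the user

*---------------------------------------------------------------------
* Weak pattern (what the tips warn against):
*  - decision tied to sy-uname and to a hardcoded organizational value
*  - SUBMIT executed whether or not the test passes (backdoor into
*    ZREPORT_SALES for anyone who may start this program)
*---------------------------------------------------------------------
FORM dispatch_weak.
  IF sy-uname = 'SALESADMIN' OR p_vkorg = '1000'.
    MESSAGE 'Privileged path taken' TYPE 'I'.
  ENDIF.
  " Reached in every case: the called report inherits no protection
  SUBMIT zreport_sales WITH p_vkorg = p_vkorg AND RETURN.
ENDFORM.

*---------------------------------------------------------------------
* Hardened pattern:
*  - AUTHORITY-CHECK on the custom object; the organizational value
*    comes from the selection screen, nothing is hardcoded
*  - check evaluated BEFORE the SUBMIT (same placement applies to
*    CALL TRANSACTION), and the call is skipped when it fails
*  - no sy-uname logic: who may do what lives in roles, not in code
*  - no explicit S_TCODE / S_PROGRAM check: those are default checks
*    done by the system when the program or transaction is started
*---------------------------------------------------------------------
FORM dispatch_hardened.
  AUTHORITY-CHECK OBJECT 'Z_SALES'
    ID 'VKORG' FIELD p_vkorg
    ID 'ACTVT' FIELD '03'.              " activity 03 = display
  IF sy-subrc <> 0.
    " Status message shown like an error, then leave without submitting
    MESSAGE 'No authorization to display data for this sales organization'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.
  SUBMIT zreport_sales WITH p_vkorg = p_vkorg AND RETURN.
ENDFORM.

START-OF-SELECTION.
  PERFORM dispatch_hardened.
```

Roles then grant Z_SALES with the permitted VKORG values and ACTVT 03, so the same code serves every user without a code change when responsibilities move.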
• Table authorizations:
• Use authorization groups for any newly created tables; avoid using &NC&
• Avoid using cross-client tables, especially where business users need to maintain the table entries
• Table line entries can also be controlled based on organizational values
