Security risks with new SAP technologies
SAP is continuously improving their products with new features and new technology. The focus is on business improvements and on giving end users a better SAP experience.
It's not surprising that security hasn't got first priority. Certainly, it's always a part of new developments, but (like the non-security aspects) it's never fully mature. With a new product, standard roles or authorization groups are provided to get things up and running, and often the advice is just to use these or copy them.
Until recently, everything in the SAP security and authorizations world was linked to ABAP and transactions, and maintained with the profile generator (PFCG). Nowadays there are also Web Dynpro, Web UIs, HANA, etc. For some parts the PFCG can still be used, but not always in the same way, and more needs to be done to get this operational.
After some time, improvements are made in the security and authorizations area with new releases of the specific products or with NetWeaver versions for Basis. All this is supported by OSS (security) notes that solve issues and explain solutions.
If a new product or new technology is introduced within an organization, there is mostly no focus on security. Only if the organizational power of security and authorizations is strong does it become part of the implementation of the new technology. It also requires a high level of experience and education in security and authorizations. Unfortunately, this isn't always the case within organizations where cost reductions and outsourcing are common.
For an organization it is important to keep the knowledge and experience of their security and authorization experts up to date.
Or you can contact 2ARC! We've got the expertise.