SAP Fiori is SAP’s front-end user experience for SAP S/4HANA, and also an installation option for customers who want to modernize the look and feel of their existing SAP applications. Because SAP Fiori is typically exposed outside the corporate network, it presents a larger attack surface than traditional SAP GUI access. Those exposures are not addressed out of the box with SAP Fiori, according to Gary Prewett and Michael Pytel, authors of the SAP PRESS e-bite “Implementing SAP Fiori Security.”
“SAP out-of-the-box doesn’t do a great job with security. It’s got six known vulnerabilities on Day 1,” says Pytel, co-founder and CIO at Nimbl, an SAP partner and professional services firm. “SAP is a real target now, as we are exposing stuff outside of the firewall.”
Prewett, SAP security and compliance practice lead at Nimbl, says he has spent much of his 18-year IT career hardening systems that may be targeted not only by organized crime but also by niche hackers. Where SAP falls short out of the box, he explains, is in the hardening steps needed to protect the applications themselves.
“App security is very complicated, taking all the dots and connecting them,” Prewett says. “That’s what we’ve tried to do in the book.”
In the course of his work, Prewett has come across many SAP shops that have security blind spots. They may execute some precautions well, such as roles and authorizations, but many shops assume that SAP Basis or the developers will handle everything else. “But they all need to be working together to deploy security,” he says. “Security practitioners aren’t going to fix ABAP code, but they need to know what to address.”
“Implementing SAP Fiori Security,” which was written with less technical roles such as product managers in mind, covers hardening Fiori with step-by-step instructions that even a security team without much Basis support can follow. “We spent a lot of time on technical steps for deploying securely,” says Prewett.
And even though Nimbl itself can help with the process, having run an SAP Fiori implementation practice since before SAP Fiori became a free product, the book is meant to stand on its own. “We make it so [Fiori security] is self-service,” says co-author Pytel.
“We are not SAP; we are able to say what is good and bad about products,” he adds. “We install in the real world.”