Tag Archives: SAP

The end of an era

Screen shot from very last SAP SF IAS IPS open office hour

It was with a fair bit of sadness that this week I was part of the end of something that I think was a bit special.

The SAP SuccessFactors IAS/IPS open office hour has been running for what I think was 2 years now, and for many of those Thursday evenings (it ran at 6:30pm to 7:30pm my local time) I would join, sometimes with a beer or wine in hand and would sit, listen and contribute.

I think Richard Feynman the American Nobel Laureate and Physic Professor once said :

“If you want to master something, teach it. The more you teach, the better you learn.

Richard P. Feynman

Well, I think that’s what happened to me! By spending so much time in this call, trying to help other people figure out how to solve their IAS and IPS issues, I’ve learnt so much! I’m waiting for an IAS/IPS certification to come out and nice easy one to pass!

During this journey, I’ve developed some great relationships with SAP teams in this space. I’ve presented at SAP TechEd on the topic, had multiple influence requests turned into reality and been involved in beta testing new functionality. And more importantly, made some good friends.

There is still so much more to learn, but this opportunity to gather weekly to help out other SAP customers that were stuck in a tight spot is now over. It probably had run its time and it was time to focus the support efforts elsewhere, but whilst it was there I really did enjoy it.

Thank you to all those who helped make it happen!

Grounded in Reality and Pragmatism.

That’s not a title to any piece about AI or ML that I’ve heard for quite some time, especially not something out of any HXM vendor’s keynote!

If you haven’t already – please listen (watch too if you like) to this really short – less than one minute, clip of Meg Bear talking about Artificial Intelligent and Machine Learning as part of the executive open Q&A at the last SuccessConnect conference (2021).

sourced from twitter: https://twitter.com/megbear/status/1467231582184296449

I’ve included the transcript (as I could make out) below:

“So what we know deeply, is that machine learning and AI are great tools but they are not sufficient conditions for the overall experience that we are trying to drive. It needs to be bringing that technology in concert with people, in concert with who I am and what I want to add to it. To create something that is truly powerful.

And, so, while we are absolutely putting machine learning and artificial intelligence inside our data model. We’re talking about it in a much broader way. Because we know that just saying that you have machine learning is not sufficient. It needs to be about what is the outcome for me as an individual and what is the outcome for the business, and it needs to be grounded in deep reality and pragmatism.”

Meg Bear – SuccessConnect Executive Keynote 2021

Okay firstly, hats off to Meg! When she gets going on a topic that she’s enthused about, there isn’t anyone that’s going to stop her. I think if you listen carefully you can hear some of the the rest of the the team giggling slightly in awe of Meg doing her thing. It was a completely passionate geek-out that was by far the highlight of the whole conference for me. Mainly because I couldn’t agree harder and would have had trouble articulating it more eloquently, especially if I were on a live Q&A in front of thousands of people. Thanks Meg for following up on my request to get that video. (I’ll not include the link to the original request because Amy Wilson might not ever speak to me again if I reposted that particular screen grab!) (oh to be able to retrospectively edit the photos in livestream tweeting)

The current state of ML in people management is pretty basic and some of the uses that have been attempted are pretty bad. For an interesting take on what not to use ML for – check out Thomas Otter’s piece on flight risk indicators. Just looking at what SAP have managed to deliver in this space recently and we haven’t got much more exciting than the Amazon “other shoppers who purchased a course in first aid also purchased a course in CPR”. It’s not inspiring (which is probably why some organisations try to do things like flight risk.

So, Meg turning the conversation around from a technology bang-whizz smoke and mirrors magic show to instead focus on the objective that we are trying to achieve of great employee experience is very important. We need to realise that there is very much a “human” in HXM and attempts to remove it will fail.

I watched a demo, in the same conference (eek), of a chat bot that had been put in place to help gather more details about how people were coping during lockdown due to COVID 19. What was very interesting to me (other than I manage to stop myself from screaming at the screen) was that there were quite a range of opinions in the session I was in about whether this was good or bad. Let’s just say I was in the “You have got to be f’ing kidding me” side of the opinion poll, whilst others were more on the “That’s a cool way to get feedback” side. The reason I think this is terrible is because if your outreach to people who are suffering because of isolation is to throw a bot at them then you’ve completely missed the H bit of HXM. And that bit is important to me (and Josh Greenbaum it seems.)

And so, why is Meg’s focus on HXM and not technology so important? Because if you give techies technology -> they will build with it, and scarily enough, they will also believe what they are doing is good. I know, I’ve fallen into this hole so many times that I have a ladder purpose built for climbing out of tech for tech’s sake holes (it’s called a phone call to my good friend who has no issues in telling me I’m an idiot and to stop being stupid.)

So, I look forward to what comes next. I would really like to be able to make ML models that could help recognise things like which managers are helping their teams perform better so we can all learn what human interaction driving better experience. I want ML to send me alerts when thresholds of leave liability are likely to be exceeded so that I can send dashboard to managers who can then use their on-the-ground relationships with their staff to check those numbers and have person-to-person conversations with them. But I want all of it in a supporting, not supplanting role. Tech to help people interact with people, not replace that interaction.

We are getting (slowly, oh so slowly) to a state where we have platforms that can build these types of experience enhancing solutions. But as Meg says only when “grounded in deep reality and pragmatism”.

Okay – that’s enough SAP SuccessFactors love for one evening.

SuccessFactors team, remember all these nice things I said when I start complaining (again) about the Reimagined Home Page Migration! 😉

What would you like in analytics?

Quick one today. Whilst I’m getting over (actually I’m not) my disappointment that Analytics Cards (Stories in People Analytics widgets) are very unlikely to be available as part of the 1H2022 release, and therefore dashboard tiles will not be part of the new SAP SuccessFactors homepage when it is forcibly pushed to all customers next year, I thought I’d write quickly about a different take.

Recently, I asked a senior non-HR exec what they wanted from their HR analytics dashboards. Any guess what they wanted?

“Don’t show me any dashboards. “

Senior Exec.

They didn’t want to be required to look at a dashboard. This is an extension of the themes I expounded on in my last post. This person wasn’t going to ever action anything based on glancing at a dashboard – mainly because they didn’t have the time to look at a dashboard. What they wanted instead was a prompt to investigate.

You might be devious and say – but I could just build a dashboard that only showed prompts where there was a need to investigate. But what this manager wanted, was external prompts. I.e. an email or a notification that then linked to dashboards and analytics pieces.

Good thing is that this 2H2021 release just enabled the possibility to deep-link to a given SiPA story. What we need now is some way to actually ping links to relevant analytical stories when they are needed.

This would be a super simple thing to do for some situations. Bets on SAP SuccessFactors tooling being introduced in next few years that allows for the configuration of ML based triggers that can then be linked to custom designed dashboards.

Then I can throw a link to custom dashboard at my exec when they have a huge spike in leave liability and people not taking leave. Then they only look at the dashboard when there is a need for them to take action.

So if I wrote an SAP BTP extension that enabled you to email links to specific dashboards to your managers based on certain thresholds being met (or not), would that help you get over not having dashboard tiles on the home page?

SuccessConnect 2019

Just some very brief highlights and musings from the lounge in LAX whilst I wait for my flight home to Melbourne.

This was the eXperience SuccessConnect, there were X’s everywhere! The amount of airtime that Qualtrics and experience management got may well have equalled the amount of time that the SuccessFactors product was discussed.

My SuccessConnect really kicked off with  the Monday partner briefing and meeting up with Sylvie Otten and introduced to Micheal Grimm from Ingentis. Was good to start off the event with a good moan about the state of CF vs Neo when it came to SuccessFactors extensions. Sorry Sylvie – I earned my namesake.

At least she was smiling in the photo!

 

Next up was the partner briefing – after having made the mistake of sitting near the front last year at it being the most boring multiple hours of the conference, I sat at the back so I could sneak out rather than pass out with boredom.

I was wrong.

David Ludlow completely creamed it with his update on roadmap and recent changes. That was probably the best 20mins of the entire conference. Wish I had sat nearer the front! Although have discovered that taking photos of slides in SAP’s newly preferred dark theme really doesn’t come out well, the black comes out browny grey – doesn’t look so cool… 🙁 But I got the slide deck – gold!

There were many cool things in there, but the new UI being proposed for the user landing page was probably the most exciting bit – which is why David didn’t say much about it, but left that for Amy the next day at the keynote.

Lots of debate about this new conversational AI based UI. With the biggest one being, there better still be menus and some way i can add a link to view my payslips, and apply for leave  with one click without having to type in “view my payslip”.

We’ll see how it develops as looks like planned delivery 2020 – but I’ll bet on it not being GA before next SuccessConnect. Perhaps beta with a couple of customers… lets see next year.

After David’s excellent presentation I got to catch up with the team of analysts and media folk who’d had a briefing that day. Josh Greenbaum was holding court and had some interesting comments around SAP’s strategy with payroll, but the wine and food was excellent and I left with some of the folks there to go to the exhibition show floor and do what I was supposed to be at the conference for (not chin wagging with analysts!)

I was here at SuccessConnect to sell a SAP CP extension for SuccessFactors that me and my team have built – it provides EHS functionality embedded into SuccessFactors. It’s pretty cool! But I would say that!

 

I have discovered that I sell much better with a glass of wine in my hand…

After that it was to Jewel nightclub to the Kronos and Rizing party (not sure I really should have continued drinking, next day was hard work!) But did get to meet up with Sherryanne Meyer which was nice.

 

The next day was lots of water and the keynote.

Image

Have to say, I love the moments that matter idea. as in consider where you are putting your effort in making certain processes work better. It’s probably much more important that the initial day one experience for an employee is better than the process they have to use to apply for leave. They might apply for leave hundreds of times, but they only have one day one and it will be a much bigger impact. Think about the return to work process for return from parental leave, make that a great experience don’t worry so much about timesheet entry….

However I heard the term FAR too over used during the conference and used outside of the context i just described.

And then the keynote just went to “eXperience”. It was wow, everything was about HXM or Human eXperience Management, not Human Capital Management. Look, I dislike the HCM idea of treating employees as “Capital”, that’s not what we try to do, but still there is a whole bunch more the the successful running of employees in a business than just looking after their experience!

I observed cynically to someone (the night club from night before possibly didn’t help my mood) that it seemed  that the SuccessFactors exec team had all been given bigger KPIs to sell Qualtrics than they had to sell SuccessFactors.

 

After the keynote were lots of general sessions including loads of roadmap sessions! The conference team really listened to the customer desire for roadmap sessions and most were repeated at least one. Even better the sessions were short on presentation and long on questions. This is why people come to conferences rather than reading the slides at home (and without having to fly stupid distances around the world). So SUPER KUDOS to the SuccessFactors team, your roadmap sessions were AWESOME! I had lots of fun in one run by Mark McCawley who I meet for the first time and leaked some news that I’m hoping we can reveal soon that will make many customers very happy!

Saw mention that instance sync tool will allow copy back of employee data from prod to non-prod systems (without full system refresh) allowing for trouble shooting of issues in test environments – this is awesome and will be a huge benefit for customers. When you look at the list price that Accenture were/are charging for a SAP CP tool that does similar thing, you can see how customers were really wanting this functionality!

Talking of the SAP App Store and SAP CP extensions, they were highly visible this year on the show floor and customers were clearly interested!

Final keynote was more eXperience Qualtrics puff along with 3 partner add on solutions, and a strange plug for SAP.io which I’m pretty sure the audience didn’t care about. Much disappointment that non of the partners on the stage with SuccessFactors add ons were using SAP Cloud Platform – a real lost opportunity to showcase the power and benefit of having extensions that look like they are just additional modules of SuccessFactors, a functionality that SuccessFactors has that is unique – I’m afraid integration to ServiceNow isn’t really that unique…

Last day and the team:

went to the golf driving range, where I discovered I’m not terrible at this golf lark, but not good at it either. Was fun!

Anyway – flight about to be called.

Was great to be at SuccessConnect, think it would be good for the SuccessFactors exec team to perhaps take a moment to listen to the SAP Mentor feedback – perhaps we can arrange something for next year?

On ABAP in the Cloud

ABAP in the cloud

Michael Koch kicked it all off with a tweet,

to which of course I had to reply:

then I was prodded:

and prodded:

and then James beat me to the blog:

and if you haven’t read James’ post, please do, it is excellent.

So whilst I’m waiting to hear how much it’s going to cost me to fix my car of which the engine has decided to stop working whilst on the way to work today, I thought that rather than drinking a bottle of Pinot Gris and attempting to forget about the shitty waste of a day I’ve had, I’d do something useful, productive (this post), and drink beetroot, apple, ginger and celery juice instead.

So here are thoughts upon which I will rant.

  • ABAP is a proprietary language which make its code costly to support.
  • Building for cloud is far more than just supporting cloud systems.
  • If you love ABAP to the exclusion of everything else that’s your bed, you lay in it. I like beetroot juice, I am so going to have pink pee later.
  • Java is the boring enterprise language of choice.
  • A PaaS really should be language agnostic, if not it’s a pretty crappy PaaS.
  • Why on earth have we ended up here? Who is paying for this?
  • Evolve or die.

These are all going to get intermixed in this rant, but I will still try to address them one by one.

Firstly, on the joys of ABAPers. I have discussed and even written about this, and it may just be the particular markets where I play, but it’s damn hard to find a good and excited ABAPer. People don’t learn the language unless they want to work on SAP products. Imagine how quickly that strips out the fun people. But where people have got good ABAP skills, they tend to have far more than that, also great business process understanding (Robbo has recently written about this https://blogs.sap.com/2017/10/02/abap-in-sap-cloud-platform-why/ ) Have a read, especially if you fall into the ABAP diehards camp, it will make you feel much happier than this blog post will.

But because the good ABAP folk have such great depth of business process understanding, they command a reasonable rate – and why not having a BA and a coder in one is a bit of a win is it not? So they are expensive. One hopes because they deliver better, but I find this is not true. They just cost more. But you have to have them to support the huge monolith that is your SAP ERP system. So embedded in companies around the world are these folk who can code ABAP, understand their systems and are if not well paid, expensive to have hanging around.

And you won’t find someone off the street who has just learnt ABAP who is useful, because the skill in ABAP isn’t in the language, it’s in understanding the existing library of  standard code and frameworks that you can use to get things done.

FFS the language still doesn’t have the concept of a Boolean!

The requirement for ABAP support is one of the reasons that SAP costs a decent amount to run. In the future as we move to S/4HANA public cloud (and we will, slowly but inevitably) cost saving will be essential. ABAP costs, so get rid of it in the equation. Out-source your custom development, even better, purchase it as SaaS from someone else, are you a custom software development house? No – they why do you try to build your own software? Concentrate on dishwasher powder, chocolate bars, beer or whatever it is you have as your core.

If we start building cloud extensions in ABAP we are locking down the list of people who could support them. This will cost us extra. Having worked with SaaS for the last few years, I can clearly state, cost of delivery is far more important now than it ever was on-prem. The expectations of customers are different. They will not pay the same amount to build an extension as they paid for the SaaS solution it enhances. ABAP ain’t cheap, and neither are ABAPers.

I don’t think ABAP and it’s whole lifecycle management is really well designed to build cloud apps. James mentioned some great points in his blog around dependency management, and how ABAP doesn’t support non-linear and project based development (hopefully ABAPGit will help here, the official voice of support from SAP is very encouraging.) But having spent the last 5 years build cloud apps that integrate to SAP systems, I have been so impressed by the huge amount of standard tooling and functionality that is available for projects outside of SAP. Like have you used Maven? It’s fricking awesome! To consider even thinking about managing the huge number of libraries that I use in most of my builds to do without this tooling would be unthinkable. Since James was probably more detailed and eloquent on this point I will stop there. But really, even if SAP support ABAPGit there is a hell of a long way to go to even think of being put into an imaginary cloud development language magic quadrant chart, let alone featuring anywhere but bottom left.

#ABAPisntDead. No of course it isn’t, there will be legacy on prem apps that will run and people will make businesses out of it, like those Rimini Street folk. But if you can’t see anything out there other than ABAP, my goodness you are short sighted. Any good programmer out there should be able to code in js (server side or browser), and should have a grasp of at least 2 other languages. If you can only deal with one, you’re not a programmer, you’re a liability for the people you work with. Having multiple skills is important, and it’s also important to know when to use them. Enlighten yourselves people, there is a whole world full of cool shite out there, go and have a look. If my post infuriates you because you believe that ABAP is the best thing ever, awesome, both for you and for me, because you have passion, go and use it, and me because it means I actually got some people who don’t agree with me to read this.

Java is boring, and safe, and commodity. And that is exactly what businesses love. You want something that is reliable, has been proven, does the job. Moreover, you want bucket loads of libraries that other people have built and tested that can do the things you want to do. Whilst I built an implementation of TFA that was compatible with Google’s TFA Authenticator app in ABAP, it was a pain in the arse, and hasn’t been updated since I wrote it and then worried about releasing it as open source because you weren’t allowed to do that with ABAP. There’s a standard lib for Java. Standard boring languages are the bedrock of good enterprise builds. I do like to play with server side js, (aka Node) but i’m still a sucker for strongly typed languages.

But if you don’t like Java, then awesome, choose something else. Indeed it should not matter what you choose, because any PaaS you build on should be language agnostic when it comes to providing services to you to consume. If you’re not consuming any services from your PaaS then you missed the memo about cloud development, please go back to your application server. A PaaS offers micro-services that should be able to be consumed by any application running on that platform. This inherently makes those services consumable in a fashion that is hard to use for ABAP and pretty standard for every other language. I’m sure that SAP could wrap their services into a consumable layer that would be easier to use in the Cloud based ABAP. But this then means we start losing one of the best bits of the PaaS, that it shouldn’t favour any runtime. We’ll see how this story plays out…

Which kinda segues into my next worry/rant/observation. How did we get here that a language that really isn’t suited to cloud extension ends up as an officially supported run time in SAP’s CF PaaS? This goes back to my original tweet.

I believe that it is clearly SAP’s strategy to move to the largest part of their revenue coming from public cloud based SaaS solutions (including ERP). Btw, I think this is a sound strategic vision, because if they don’t pivot to get there, someone else will take that space. The on-prem model will not make as much money in the future, todays small companies are tomorrows giants, and with SaaS solutions they don’t need to migrate/upscale, they will keep the solution they buy today. SAP needs to be in that space, and they need credibility that comes from large customers being there too.

To this end I envisage SAP have been discussing moving some very influential customers to the public cloud. Those customer, I would guess, have responded that they don’t want to loose their current people or custom build investments.

The obvious solution from SAP is to put together an ABAP cloud runtime. I cannot be cheap to do this though. The effort to make ABAP into a secure and lightweight containerizable solution will not be something that a team will do in a week or two. There must be some sound and solid business reasons to do this. For all the reasons I have previously mentioned I believe that if companies want to extend SAP SaaS solutions, they should think about using other languages, not ABAP. But I fear this is not about making a better solution, it is about making a marketable one. If customers believe that they can extend the value of their existing investments and also benefit from moving to SaaS based solution, that is a great sales pitch. It’s having your cake and eating it.

This vision (even if it doesn’t work out to be the reality) of a simple gateway to moving to SaaS ERP is what I believe we are now being sold. This isn’t a story for developers, this is a story for the high level execs that sign the S/4HANA subscriptions.

I hope that a cloud based ABAP will be the gateway that enables some organisations to get off the on-premise mode and head to the cloud. What I fully expect is that once they are there, they will realise that there are better and more supportable ways to extend. That would be great. In the meantime I fear that we start bringing non-cloudy ways of working into the cloud landscape, this will likely cause failed/cost overrun projects. We run the risk of preferring Cloud ABAP as a way to interact with S/4HANA cloud, that would be disastrous.

It has been suggested that Cloud ABAP will potentially be the solution that encourages adoption of the SAP Cloud Platform. I just hope it isn’t the solution that kills it. I would much rather the money being spent of putting ABAP into the cloud is used to handle some of the other issues I see with SAP CP, but clearly there is a view that it will be a return on investment.

Then again, if you’re not trying new stuff and making mistakes, you’re not learning. If you’re not learning, you’re falling behind. So here’s to making mistakes and learning! To steal the excellent closing lines from James’ post:

So buckle up because there’s no turning back at this point. It’s either evolve or die.

I look forward to a lively debate on this topic.

(James Wood – https://blogs.sap.com/2017/10/04/abap-in-the-cloud-is-this-a-good-thing/)

James, I couldn’t say it better mate. Although I would refer to the platform as SAP CP 😉

I think SAP Cloud Platform is and will be a key part of the story of SAP’s  and customers’ evolution to the cloud. If it takes putting an “runs ABAP” badge on it, to get people to see how useful it is, I’ll deal with it. But for sure, it would not be my recommendation to any organisation that it would be best practice. I’ll keep an open mind, perhaps it will be one day, if so I’ll adapt and evolve – because that’s what you should do.

As always, my own thoughts, not my company’s,  please feel free to jump onto SCN and reply to James’ post. I’ll probably read those comments as well as whatever gets posted on twitter.

 

#SConnect15 – SuccessConnect 2015 Sydney Day 1

I think perhaps my photo taken on the way to the airport this morning sums up today pretty well.

An empty road with a whole bunch of speed bumps. I’m afraid that’s what today felt like. It’s kinda weird starting off a conference without hearing the keynote to set the tone. Even with SAP conferences like TechEd we have “pre-conference” days – thanks ASUG! But today was part of the conference, and it didn’t really feel like it.

An example of the bumpy road was having a session today on the new support model for SuccessFactors, but without mentioning the SFXpert program. It was kinda weird – but apparently Mike Ettling will talk about that in the keynote tomorrow, it’s a little confusing.

Moreover, there weren’t an awful lot of people here. Which in someways is pretty good, it means that we’re able to have comfortable conversations, no running around with microphones to ask questions. But it certainly seems that running a SuccessConnect in Singapore may have reduced the number of Sydney attendees. I’m not sure, perhaps tomorrow will bring more people? It was a big ask to get people to come for a whole day for 3 sessions.

But it was a glorious evening in Sydney:

 

and we’re keeping on going with the saving of Elephants and Rhinos with the corporate social responsibility thing

Would love to know where we’re at with that total – hopefully we’ve got above a few thousand dollars by now.

So a few bumps, a fairly empty road, but the way ahead looks clear, and the weather is glorious. I look forward to tomorrow. I just hope that the panel session with David Ludlow goes well. 🙂

we shall see.

 

Further update on SAP Gateway CSRF token farce

So an update on recent rant about CSRF protection that isn’t needed on SAP Gateway.

The folks in the very attentive HCI team have just added functionality into their solution, so if you configure an OData call to an onPrem system via SAP HANA Cloud Connector, it will automatically do the GET with a fetch for the CSRF token for you whenever you configure a data update operation.

That’s kinda cool, but all it does is sweep the offending rubbish under the rug.

https://www.flickr.com/photos/bruce_krasting/7695348682 - Sweep under the rug, credit Bruce Krasting

https://www.flickr.com/photos/bruce_krasting/7695348682 – Sweep under the rug, credit Bruce Krasting

So now we have logic built into an integration platform that is needlessly slowing our integration flow because of a superfluous system requirement. An extra round trip for no reason.

In this case it is truly superfluous, because the original PUT that I was using had the user credentials as part of the header. That alone should make the CSRF token not required.

What this does show, is how SAP Cloud solutions like SAP HCI are able to update and fix stuff far faster than their onPrem partners. Even if it is a work-around to a problem that shouldn’t exist.

Security in depth – or a bug waiting to happen? – CSRF protection on SAP Gateway

What's that - It's the dragon that guards the locked door, we feed people who ask silly security questions to it

What’s that? – It’s the dragon that guards the locked door, we feed people who ask silly security questions to it.

<rant>

So I’ve got my knickers in a twist again. Recently I was playing around with sending some OData to my SAP server when it refused me. Now, I didn’t like that, but at least it was kind enough to tell me why. Apparently I hadn’t fed it a CSRF token. OK, so I looked in the headers of the GET that did work, and lo and behold there was a CSRF token there. I fed that into the POST I was doing, and bingo it worked.

Now it seems to me that many many people have hit the same thing and found the same solution. Indeed, I asked around some people I knew and they told me: “Get over it Chris, it’s in the header of your GET, it lasts all session, just use it!” But me being me, no, I wouldn’t accept that!

Slight aside – they also mentioned “Damnit, I remember when that patch came in, it buggered up my custom Gateway app and I had no warning that it was coming, took me ages to figure out why it wasn’t working.”

 

So I thought – OK? Why? Why do we have CSRF protection in the first place, what on earth is it?

CSRF protection – Cross Site Request Forgery protection, according to the websites I read is supposed to protect against the case where unknown to a user a cookie in the browser used for authentication allows a malicious site to alter data on your system. (And in the case of gateway, your SAP system).

So to send a PUT or POST or DELETE (the verbs that can change data) from a browser without user knowing is going to involve 1 of 2 things.

a) An injection of HTML on the page adds either a form that is going to POST some data (typical type of attack  CSRF protects against) or a link e.g. img tag which GETs data.

b) An injection of some script, e.g. JS on page that is going to do the PUT/POST/DELETE

In the case of (a – POST) the payload will be malformed and Gateway isn’t going to accept that as valid OData – so no security worries anyway. And for (a – GET) CSRF protection isn’t even applied.

In the case of (b) well if I can embed JS, I can just as easily embed a GET pull the header and then do an update with the CSRF token. Indeed the sites that advocate for the CSRF token approach make it clear that it cannot protect you in the case you have malicious Javascript.

In the case that the script is running on a page from a different domain, then CORS will kick in and stop the access – but if somehow the injection is on my own domain, I don’t see how we’re protected.

So I was at a loss. What protection does CSRF actually offer Gateway?

I further researched:

There’s a great explanation, which does better than I have at:

Play Framework

It is recommended that you familiarise yourself with CSRF, what the attack vectors are, and what the attack vectors are not. We recommend starting withthis information from OWASP.

Simply put, an attacker can coerce a victims browser to make the following types of requests:

  • All GET requests
  • POST requests with bodies of type application/x-www-form-urlencoded,multipart/form-data and text/plain

An attacker can not:

  • Coerce the browser to use other request methods such as PUT and DELETE
  • Coerce the browser to post other content types, such asapplication/json
  • Coerce the browser to send new cookies, other than those that the server has already set
  • Coerce the browser to set arbitrary headers, other than the normal headers the browser adds to requests

Since GET requests are not meant to be mutative, there is no danger to an application that follows this best practice. So the only requests that need CSRF protection arePOST requests with the above mentioned content types.

Since Gateway does not support POST requests with bodies of type application/x-www-form-urlencoded,multipart/form-data and text/plain (or if it does there’s your problem right there!) there is no need for CSRF protection.

I then had a fun conversation on Twitter with Ethan

The great thing about chatting with Ethan is you always come out having learnt something.

He makes a good point, and I’ll paraphrase him:

“The best security is deep and many layered and protects not only against the things that you know may happen, but also against those that you’re pretty sure won’t.”

I was wrong –  “to send a PUT or POST or DELETE (the verbs that can change data) from a browser without user knowing is going to involve 1 of 2 3 things. With the third being:

An exploitation of a hitherto unknown browser bug that allows it.

So now I’m confused. Is it worthwhile implementing the hassle that is CSRF protection, including the potential slowdown in speed of response from the solution (a paramount concern in a mobile app) for a situation that might happen.

When I’m writing ABAP code, I’m happy to trade away performance of the code for ease of maintenance. I don’t use pointers (field symbols) to loop over data that I do not intend to change, because some fool could come along later and accidentally do just that. If I instead use a work area, there isn’t that risk.

So in some respects I already do work that makes the solution slower to ensure lower risk, so shouldn’t I just do the CSRF thingy?

However, it is the reason for the risk – I don’t trust that the people maintaining the code after I leave will understand what I have done in my implementation of CSRF protection and won’t make a mistake. Even if I’m using UI5 in my application to update my SAP system, will they remember to call the refreshSecurityToken method every time before a PUT, POST or DELETE? Will they test it? Will they let the session expire in the testing so that they actually need to call the refreshSecurityToken method? I really hope so, but I doubt it. I see applications going into error and data not being updated when it should have been, because of “needless” CSRF protection.

weighing Dodgy Code vs Browser Bug risks

weighing Dodgy Code vs Browser Bug risks

So what I see is this: Security in enterprise is paramount, Gateway is enterprise software, it needs to be secure. So SAP made it so, even if it hasn’t really made a big difference or fixed any known security holes. But, “just in case”. However, custom code (and even standard code 😉 ) will have bugs, ones that rely on sessions timing out are particularly hard to test and will get through. The risk to your Gateway based mobile app is greater by having CSRF protection enabled than it is to your data being maliciously hacked through zero-day exploits. But I guess it depends on what that data is 🙂 .

</rant>

OK, one final bit…

<rant>

Given that I might not actually be using my Gateway for a UI app but for machine to machine transactions, would it PLEASE be possible that if I provide a valid authentication header in the PUT/POST/DELETE that we ignore the CSRF thingy? If I can somehow come up with a valid auth header, then we aren’t protecting anything with a CSRF token, we’re just making transactions slower by requiring multiple round trips that shouldn’t be needed.

</rant>

I feel better now. 🙂

 

Read how this discussion unfolds over at SCN…

http://scn.sap.com/community/gateway/blog/2014/08/26/gateway-protection-against-cross-site-request-forgery-attacks#comment-611490

P.S. my last post from SCN comment thread as I think it’s an important summary:

The thing is, by not implementing CSRF protection, we aren’t making our services insecure. There are no known ways to use CSRF against Gateway currently.

There is the case of protection against unknown attacks, but is that worth the cost, risk, effort?

Not using CSRF protection does not mean you are making your service insecure. It just trading “just in case” against real life complexity, risk and cost.

Depending on the data concerned, that “just in case” might be worth it. It won’t always be.

Architects have a responsibility to their companies to balance these risks and decide. We have the responsibility to inform them clearly and not just pretend that security is the only and overwhelming factor to consider.

Sometimes we put security on a pedestal and everything has to be done to address it. But we should remember that everything should have a risk/reward curve and sometimes NOT coding for a security risk is actually less risk than coding for it.

 

 

SuccessConnect 2014 – Las Vegas – initial thoughts

Mike Ettling shares SAP/SuccessFactors new commitment to inform customers

(Mike Ettling explains SuccessFactors new commitment to putting customers first)

So I’m in the lounge at LAX – the new OneWorld business lounge – it’s loads better than the old Qantas lounge, they have craft beer on tap for a start, which did lead to rather a few posts:

Which weren’t particularly related to themes I normally post on, but nevertheless probably tell you something, I’ll leave this as an exercise to the reader to speculate on what.

So whilst I’m nice and relaxed after a nice shower and looking forward to heading home, I thought I’d capture a couple of things that happened whilst I was at SuccessConnect this week, and hopefully this will also remind me to expand on them at a later time.

Firstly – customer first

The commitment by SuccessFactors to publish a roadmap to customers is a big win. And It’s not just a win for customers. As a partner it’s much easier to advise a customer when you have a good understanding of what _might_ happen in the near future. By making as much of the solution as possible accessible by the upgrade centre rather than provisioning (an ongoing effort) it removes from customers the need to engage an SI partner for what may well be just an administrative task. Allowing customers to attend the same training that partners can attend is also a great thing – so now there is a real possibility that customers can do some of their support in-house.

Why, you might ask, am I cheering this as a good thing? I am one of those partners who previously customers had to rely on to make these changes. Well, it’s really because I don’t like doing boring stuff. If as an SI all the work I do is very simple, then customers can be a little resentful for paying me as much as I would like to be paid. I see this as an opportunity to get rid of the boring work and instead focus on bringing real value through expertise. We shall see, but I’m hopeful that this is the path SAP envisages as well.

SAP a SuccessFactors company?

With Rob Enslin opening the conference, I got a real feeling of SAP being a full part of the conference, and not it being a SuccessFactors as a separate company anymore. That said, all the “Cloud DNA” was still there and it was interesting to see Lars make a guest appearance. The reaction from the SuccessFactors staff to seeing Lars was remarkable, it was all a surprise, and a nice one for most. However, Fiori making itself felt in the UI development pipeline amongst other “Simple” things shows that the “DNA” exchange isn’t just one way.

Dmitri demoing new features

Phased releases

The public announcement of a phase released of functionality, with updates being released a month earlier on the test instances of a customer is great news. This will help extension developers hugely (although ideally I’d like access to the update another few weeks before the customers get it in their test systems, but can work with this idea!) Customers too have the ability to check out any mandatory (although there are few of those) updates before they get deployed. All in all a great step forward to helping customers manage their solutions – and the spontaneous applause from the audience when it was mentioned shows it’s not just me as a developer that appreciates this.

Righto, that will do for now, Mike Ettling’s flight to Sydney has already left, and mine to Melbourne is going soon. I’ll be catching up with him and the team again for the Sydney version of SuccessConnect, but I’m so glad that I was here this week in Las Vegas, it has been great.