
Scores of Vulnerable SAP Deployments Uncovered

Unknown Lamer posted about a year ago | from the double-your-paycheck dept.

Security 118

mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly-facing and remotely-accessible. The SAP services contained dangerous vulnerabilities which were since patched by the vendor but had not been applied."


118 comments


I can explain (5, Insightful)

slashmydots (2189826) | about a year ago | (#44035869)

As head IT manager, I can definitely explain this. The company approves a software suite that's seemingly "perfect" for 150% the anticipated budget. They really couldn't afford it in the first place so they already cut the support and upgrade path subscription. Then they never approve the absurdly high renewal/upgrade cost the next year and the next year and the next year and tada, you've got an outdated, insecure piece of crap.
When you buy a software suite, make sure you have the money to support it in the long term! It's all about the TCO!

Re:I can explain (1)

maden (1855410) | about a year ago | (#44035919)

I would have expected the feasibility of maintenance and support to be an important factor when adopting new software... I hardly see how this can be overlooked!

Re:I can explain (4, Insightful)

Scutter (18425) | about a year ago | (#44036021)

When it's all overhead, maintenance fees are a very attractive number for the budget-cut knife.

Re:I can explain (0)

Anonymous Coward | about a year ago | (#44036115)

Then you haven't worked in many IT departments!

Re:I can explain (0)

Anonymous Coward | about a year ago | (#44036129)

In many organizations it comes down to who is paying. For instance, in the government department I contract into that got fucked over and went all out with SAP, the actual project cost is worn on the budget, but the support and ongoing maintenance is worn by the IT department, who incidentally had no say in the purchase of SAP apart from pleading to management not to do it. SAP is what happens when business people make IT purchasing decisions with no care for real-world costs; then in a few years they blame IT for not being able to maintain the seriously underfunded, excessively expensive solution.

Re:I can explain (2)

skovnymfe (1671822) | about a year ago | (#44037131)

When IT doesn't buy software, IT doesn't get to make sure it is bought correctly. And it's usually not IT that buys "business critical" applications like these. It's accountants and receptionists and such types that get hoodwinked, and then proceed to supersede any IT decision by going directly to the CFO, who uses his political pull to force IT to install the application and then fuhgeddaboudit.

Re:I can explain (2)

DarkOx (621550) | about a year ago | (#44037935)

True, but IT isn't usually able to evaluate the business requirements of something like an ERP package. You need a team with all the stakeholders, and they all need to be equal partners.

What usually happens, though, is IT gets invited to the meetings, usually isn't allowed to ask too many questions, and is told by some currently politically powerful middle manager to just be quiet when the lowest-bid contractor proposes some infrastructure build-out missing all the really expensive but show-stopping parts like SAN switches.

Re:I can explain (1)

slashmydots (2189826) | about a year ago | (#44038413)

Work at my place then, lol. The bosses are basically the IT manager instead of me. If they like a shiny software suite, they buy it as long as I verify that it literally runs. We're also 85% behind on deploying Windows 7 machines to replace our 80% XP ones. That's right, 1/20th of the amount we needed to replace on my schedule haven't been replaced for budget reasons. So basically they don't approve any expense that we really need unless they personally like it or came up with the idea. That's pretty much every business' IT dept from what I've seen.

Re:I can explain (1)

Anonymous Coward | about a year ago | (#44036027)

You may be a head IT manager, but you're not a CxO, other executive or key investor/debt holders who keep the attention of the executive suite. They seem to care more at a fundamental level how their stock options, etc. are performing. Especially the CFO, balking at the costs of ongoing support contracts like for SAP. If they can get away with running it w/o ongoing support from the vendor (and, even more, the headcount that goes with it), they will.

Re:I can explain (4, Interesting)

sjwt (161428) | about a year ago | (#44036037)

I can also explain. Having gone through a SAP implementation 2 years ago, we were still plagued with bugs that had fixes issued over 4 years ago.

Seems they somehow didn't install fully patched, updated modules, and with a yearly renewal/upgrade cost it all makes sense now.

How do you explain (4, Insightful)

Anonymous Coward | about a year ago | (#44036045)

And how do you, as head IT manager, explain why they are public facing? This is the sort of ineptitude that I expect from people running Linksys routers for firewalls and Mom & Pop shops. I expect more from the head IT manager at a company that spent a quarter of a million dollars on ERP licensing alone. It's one thing to claim training and upgrade budget cuts, but it's another thing entirely to open your firewall to insecure services.

The problem described in the article is far from a new issue. But, it is a problem that should not be occurring at the level of these enterprises.

Re:How do you explain (0)

Anonymous Coward | about a year ago | (#44037065)

SAP is used for a multitude of things nowadays (many of them inappropriate). There are many many systems out there that utilise SAP for payment processing and guess where most payment activity happens. Over the web, so like it or not SAP is regularly required to be exposed to the web in some way, even if that is only via an API for the front end to call.

Re:How do you explain (1)

Hognoxious (631665) | about a year ago | (#44038123)

Jizz. Banking interfaces aren't my main thing but I have worked on them and generally they work like this:

1) Select the payments you want to make, click a few buttons & SAP spits out a file.
2) If it's not already on it, transfer that file to a dedicated PC used for that purpose, completely for that purpose and only for that purpose, so help it God.
3) Upload that file using software provided by the bank.

No exposure to APIs at all.

Re:I can explain (0)

Anonymous Coward | about a year ago | (#44036087)

How about not exposing your SAP applications to the public Internet?

Re:I can explain (5, Funny)

Flere Imsaho (786612) | about a year ago | (#44036139)

SAP - Send Another Payment, or, Sucks All Profit

Re: I can explain (0)

Anonymous Coward | about a year ago | (#44036241)

Stop All Progress

Re: I can explain (0)

Anonymous Coward | about a year ago | (#44036855)

Suffered After Paid

Re: I can explain (-1)

Anonymous Coward | about a year ago | (#44037129)

Send Another Paki

Re: I can explain (0)

Anonymous Coward | about a year ago | (#44037709)

Slow And Painful

Re:I can explain (1)

Bytes2go (704254) | about a year ago | (#44038043)

Select Another Product (credit goes to some folks @ Gillette a few years back).

Re:I can explain (5, Funny)

Anonymous Coward | about a year ago | (#44036199)

Chuckle. I used to work at a place that gave all their database stuff to a SAP outside vendor, all their letters and form documents.

One of the people who did interviewing later wanted one of his standard letters -- emailed as a PDF routinely -- to have yellow highlighting applied to an important sentence. He asked the vendor to make that change.

The vendor came back with a proposed work order for six hours of programmer time at $200/hour to make that change.

(My coworker printed that page, got a highlighter, highlighted the text, scanned it, and emailed that image thereafter.)

Re:I can explain (2)

Rich0 (548339) | about a year ago | (#44037613)

One of the people who did interviewing later wanted one of his standard letters -- emailed as a PDF routinely -- to have yellow highlighting applied to an important sentence. He asked the vendor to make that change...The vendor came back with a proposed work order for six hours of programmer time at $200/hour to make that change.

That seems awfully cheap, frankly. Maybe it was just the incremental cost to add it to an already-planned release.

When you're messing with software at this scale 95% of the effort goes into making sure that you don't break it, and documentation. Changing the report file probably takes 5 minutes, and then the rest of the time is writing the requirements, reviewing the prototype, having a PM check that it was done on time, writing up the system/acceptance tests, testing that all the other 47 requirements for that report are still met, writing up the install script and updating the install package, scheduling the downtime for the upgrade, updating the servers (likely on a weekend - oh and don't forget you have to do it once for your test instance as well), etc.

On large transactional systems I support we typically queue up requests for trivial changes like these until the report needs some major functional change, and then overhaul the report all at once. Otherwise you end up spending 98% of your money on overhead. There is no such thing as a simple change on a big system.

Re:I can explain (0)

drinkypoo (153816) | about a year ago | (#44037887)

When you're messing with software at this scale 95% of the effort goes into making sure that you don't break it, and documentation. Changing the report file probably takes 5 minutes, and then the rest of the time is writing the requirements, reviewing the prototype, having a PM check that it was done on time, writing up the system/acceptance tests, testing that all the other 47 requirements for that report are still met, writing up the install script and updating the install package, scheduling the downtime for the upgrade, updating the servers (likely on a weekend - oh and don't forget you have to do it once for your test instance as well), etc.

You're seriously talking about a graphical change. This would be about fifteen seconds' work on an IBM mainframe, to diddle the format. If it isn't on SAP, then SAP sucks shit and no amount of your apologizing will change it any more than it would change Lotus Notes.

Re: I can explain (2, Interesting)

Anonymous Coward | about a year ago | (#44038665)

No, he's correct. My last position involved a few cases of "just diddling the format" (literally changing a configuration variable in code I had already written and formally tested - including third-party validation). This particular report was glanced at by the head of a commission, then placed on the Governor's desk. Needless to say, 6 hours would be very short for a formatting change - 40 hours (in house, with an additional 4-8 third party billable) would be much more realistic.

Again, this is all for a "formatting" change. And required by state law.

Re:I can explain (1)

Rich0 (548339) | about a year ago | (#44038891)

You're seriously talking about a graphical change. This would be about fifteen seconds' work on an IBM mainframe, to diddle the format. If it isn't on SAP, then SAP sucks shit and no amount of your apologizing will change it any more than it would change Lotus Notes.

It is 15 seconds of work on any reporting tool, including SAP. The cost comes in all the release management.

Or do you just log into your production system and routinely edit your report files? If so, then your report fixes certainly will be faster, and that's good because I'm sure you'll be doing plenty of them...

Color me surprised... (4, Funny)

Anonymous Coward | about a year ago | (#44035915)

I once heard SAP described as "The Germany's way of getting back at us for winning the war." I've spent my fair share of time beating SAP abomination into submission. I'll be glad if this makes organizations think twice before allowing this atrocity to sink its teeth into their business processes.

Re:Color me surprised... (-1)

Anonymous Coward | about a year ago | (#44036023)

Fuck you, you racist fuck.

Re:Color me surprised... (-1, Troll)

c0lo (1497653) | about a year ago | (#44036257)

I once heard SAP described as "The Germany's way of getting back at us for winning the war."

Oh... get over it, will you? Do you really think being on the winning side almost 60 years ago bears any relevance to the lack of security in the deployments of overly expensive software? Or, for that matter, entitles you to anything today?
You reckon Oracle applications or Microsoft CRM/ERP suites fare better?

Re:Color me surprised... (3, Funny)

phantomfive (622387) | about a year ago | (#44036363)

I'm more interested by the fact that you think using angry words at an AC will accomplish anything......

(ot) Re:Color me surprised... (1)

c0lo (1497653) | about a year ago | (#44036391)

Interesting or intrigued? In other words, is your question a genuine one or just rhetorical?

Re:(ot) Re:Color me surprised... (1)

phantomfive (622387) | about a year ago | (#44036421)

Well, my own expectation is that your rant will have absolutely no effect whatsoever; but if you think otherwise, I am definitely both interested and intrigued in finding out why.

Re:(ot) Re:Color me surprised... (0)

Anonymous Coward | about a year ago | (#44036491)

Most replies to AC's don't have the AC in mind as the audience to begin with, more the people who would be reading through the thread afterwards.

Re:(ot) Re:Color me surprised... (1)

c0lo (1497653) | about a year ago | (#44036637)

Well, my own expectation is that your rant will have absolutely no effect whatsoever;

My motivation regarding participation on /. has little to do with expectations of "impacting an effect". So, why not rant?
From a pragmatic perspective, by itself, anything posted on /. may have absolutely no effect (except consuming energy, bandwidth, storage space and whatnot): do you expect otherwise?
From the "netiquette of /." perspective, my rant is entitled to existence.

but if you think otherwise, I am definitely both interested and intrigued in finding out why.

Why did I choose to rant at the AC post? Be it only to vent my displeasure at a post displaying a position of "exceptionalism" ("we won the war [or any other "exceptionalist attribute"], so we are entitled to [insert here], even if it has nothing to do with the war".)
Another example: "Somebody hacked us. Send in the nukes, because - exceptionally - we have plenty of them"

After seeing so many of the same genre, it stops even being funny (this allowing the benefit of the doubt warranted by Poe's law)

Re:(ot) Re:Color me surprised... (1)

fustakrakich (1673220) | about a year ago | (#44036889)

It never stops being funny. I still laugh at Charlie Chaplin, and fart on a crowded subway.

Re:(ot) Re:Color me surprised... (0)

c0lo (1497653) | about a year ago | (#44036999)

It never stops being funny. I still laugh at Charlie Chaplin, and fart on a crowded subway.

I envy you... should be good to retain some infantile attributes over time, be it only for the reason it keeps attacks of acute hypo-alcoholism syndrome at bay.

Re:Color me surprised... (0)

Anonymous Coward | about a year ago | (#44036459)

You have a great sense of humor.

Re: Color me surprised... (0)

Anonymous Coward | about a year ago | (#44036495)

You win at the internet for today.

Re:Color me surprised... (0)

c0lo (1497653) | about a year ago | (#44036657)

You have a great sense of humor.

Or I might be tired of certain types of jokes (or just tired), especially when they make Poe's law applicable.

Re:Color me surprised... (0)

Anonymous Coward | about a year ago | (#44037079)

wooosh! There is this thing called humour, I suggest you go read up on it, especially if you want to hang around this site.

PS: I am not the OP AC but didn't want to undo my modding.

Re:Color me surprised... (1)

c0lo (1497653) | about a year ago | (#44038439)

wooosh! There is this thing called humour,

In addition to Poe's law [wikipedia.org] , let's see if I understand humor:

I once heard SAP described as "The Germany's way of getting back at us for winning the war."
I've spent my fair share of time beating SAP abomination into submission.

* Humor: maybe it's a good time to assemble a CoW [wikipedia.org] again, raise hell in the UN council and invade Germany for the deployment of SAP as weapons of mass destruction

* Humor: seize the SAP assets and send in the drones! Clearly SAP is a terrorist organisation, look how many in our IT industry are terrorized already.

* Humor: an ERP software with so many security holes, that's subversive! Surely some of them are actually planted backdoors to be exploited by zie Germans. Maybe they conspire to form an Axis of Evil with the Chinese. Good to have NSA on our side and intercepting them (together with the rest of Europeans, let God sort them out after we'll throw our nukes on their heads)

Do I consider the above humor? No, I don't, and neither would I consider them acceptable.
I'm just playing on the "score" of the latest US actions, using some positions I've seen expressed on /. and also suggesting (of course, everybody should see it as joking only; it's preposterous to say otherwise!) that all Americans are a "belligerent bunch of inglourious basterds".
Pretty much as the "joke" (that wasn't even signaled as such) in the original post plays on the "score" of "Germans are a bunch of vindictive bastards".

Does it feel right?

Re:Color me surprised... (1)

h4rr4r (612664) | about a year ago | (#44038577)

You must be a lot of fun at parties.

It is a joke because it is absurd. The funny part is that this explanation cannot possibly be correct.

Re:Color me surprised... (1)

c0lo (1497653) | about a year ago | (#44039133)

It is a joke because it is absurd. The funny part is that this explanation cannot possibly be correct.

So either:
1. my lame attempts at humor are actually good jokes (at least as good as the one in the OP); *or*
2. what I posted is not humor because (you know?) they aren't absurd and it can actually happen (?!?)
I don't know which of the two I hate the most.

Anyway, time to give up. I'm better satisfied with the "A dyslexic walks into a bra" type of jokes, I find they work quite well at parties.

Re:Color me surprised... (1)

phantomfive (622387) | about a year ago | (#44036355)

The weird thing is, more companies seem to be using SAP. Certainly SAP owns more buildings in the Bay Area (maybe putting their name on buildings is their entire advertising budget), and their revenue seems to be up. I honestly don't understand why, and I don't entirely understand what they do.

Re:Color me surprised... (4, Insightful)

cusco (717999) | about a year ago | (#44036537)

If you ever have to deal with their software you'll eventually realize that they don't understand it either.

Re:Color me surprised... (1)

dargaud (518470) | about a year ago | (#44037853)

If you ever have to deal with their software you'll eventually realize that they don't understand it either.

I knew a freelancer who 'fixed issues with SAP'. She charged more per day than I make per month.

Re:Color me surprised... (1)

fustakrakich (1673220) | about a year ago | (#44036907)

I think they're some sort of brokerage house that manages and markets buzzwords.

Re:Color me surprised... (3, Insightful)

Rich0 (548339) | about a year ago | (#44037641)

I think they're some sort of brokerage house that manages and markets buzzwords.

++

They don't sell software - they sell a vision for your business. They don't sell it to anybody but the CEO.

They're also a classical example of how the usual RFP process fails. If you give me a list of 500 arbitrary requirements and ask "can SAP do this?" the answer is almost certainly yes. Go ahead and put landing a man on the moon on that list of requirements and the answer still is yes. The problem is that in order to do even the most trivial functions your employees will be exposed to something that almost outdoes the airline industry in terms of arcanity. For various reasons you're not allowed to put on the RFP the question "can your system be operated by anybody other than an SAP developer without first training them to be an SAP developer?"

This is a common failing in large systems. The only metric is checking all the boxes, so all the boxes get checked, and we don't even bother to deliver usability let alone try to measure it.

Re:Color me surprised... (0)

Anonymous Coward | about a year ago | (#44037777)

I once heard SAP described as "The Germany's way of getting back at us for winning the war." I've spent my fair share of time beating SAP abomination into submission. I'll be glad if this makes organizations think twice before allowing this atrocity to sink its teeth into their business processes.

It won't. Sales of SAP are still made in golf courses and bars, and have little to do with holding the salesliar's feet to the fire when the sun nor the moon are delivered with the product as sold.

No problem. .. (4, Insightful)

jd2112 (1535857) | about a year ago | (#44035923)

Nothing that a multi-year multi-million dollar project doomed to run obscenely over budget and schedule can't fix.

Re:No problem. .. (1)

Anonymous Coward | about a year ago | (#44035995)

IBM here ... did someone call me?

Re:No problem. .. (1)

c0lo (1497653) | about a year ago | (#44036301)

IBM here ... did someone call me?

Get off, IBM... Oracle [zdnet.com] leased [eaconsult.com] this line some time ago [blogspot.com.au] .

Security and Market Dominance by Obscurity (3, Interesting)

Anonymous Coward | about a year ago | (#44035959)

This might seem off topic, but SAP is perhaps unique among the major enterprise software vendors in making it intentionally difficult for someone to self-educate in their products without being a paying customer, and of course being a customer requires serious bucks. There's no "mySAP Express Edition" that I'm aware of, and I've actually bought a couple books on SAP (this was years ago) so I could at least get a grasp on what their software does, besides being "what large corporations run their businesses on". I threw them both out pretty quickly because they were useless.

So it could be that SAP was also banking on this tactic to stay below the radar of hackers. Well, as the slides point out, some of the bad guys are insiders and contractors who know all about SAP.

Contrast that with the products of Microsoft, Oracle, IBM, Red Hat, where there's lots of tutorials and express editions available for free, and 800-page books written by serious engineers available for reasonable prices.

Re:Security and Market Dominance by Obscurity (2)

ToadProphet (1148333) | about a year ago | (#44036133)

Contrast that with the products of Microsoft, Oracle

Apples to apples, I don't believe either of those companies provides an 'Express' version of their ERP software (Oracle/JDE/PeopleSoft/Dynamics AX/NAV). As an independent, it's always been frustrating to try to evaluate new releases from those vendors.

Re:Security and Market Dominance by Obscurity (1)

Anonymous Coward | about a year ago | (#44036239)

Just pointing out there is a demo "Lite" type version of MS' ERP, but there are more examples that don't have one and are used in the "Big 500" than the list above suggests.

I currently admin/manage/train/support/etc. two ERP systems, and I was shocked to find that MS is the better documented and more self-trainable of the two, and by far one of the best.

SAP is one of the worst ERP systems I've had the "fortune" of being exposed to, from a technical perspective and from a management perspective. That is without the constant cold calling from partners who think name-dropping "SAP" in the same sentence as the word "cloud" is all they should have to say for me to buckle over and ask them to draft a contract to exchange both of my kidneys, my bigger testicle, and more than my annual software license budget for a roadmap to having SAP implemented for more than sixty percent of my business in less than two years!

The flood of partners has also resulted in the same half-arsed work practices as the explosion of MSPs had on the SME server world - so if you really want to stand out from the newest half-qualified crowd, specifically note on your CV that you don't give two rats' arses about SAP and will not be willing to learn!

Re:Security and Market Dominance by Obscurity (2)

atom1c (2868995) | about a year ago | (#44036263)

I don't believe either of those companies provide an 'Express' version of the ERP software...

Tharr shur is. The entire Oracle stack is available in Developer and Trial forms; they only require 3x 6.8GB downloads but it's all there (see http://www.oracle.com/technetwork/indexes/downloads/index.html [oracle.com] ). The Microsoft Dynamics are available as part of TechNet and MSDN subscriptions -- if professional enough -- for trial purposes.

The use-restricted versions (i.e. Express-equivalent) are very limited, however... but as an ISV or consultant, there's enough developer access to learn their wares if you gave it a solid 6+ months.

Re:Security and Market Dominance by Obscurity (1)

ToadProphet (1148333) | about a year ago | (#44036445)

Ah, good info on the Oracle stuff. In a former life I had partner access and never bothered looking after I lost it... thanks!

Just can't bring myself to fork over for the MSDN sub though. Dynamics is only available at the Premium level ($6k) as far as I can tell.

Re: Security and Market Dominance by Obscurity (0)

Anonymous Coward | about a year ago | (#44036515)

Dynamics is dogshit, but it used to come with the action pack. Do yourself a favor and avoid it, though. Lord knows Microsoft has.

Re:Security and Market Dominance by Obscurity (1)

Buzer (809214) | about a year ago | (#44036687)

No need to get MSDN sub. Just get Technet if it's for evaluation (=self-training).

Re:Security and Market Dominance by Obscurity (0)

Anonymous Coward | about a year ago | (#44036595)

Oracle just started providing prebuilt VMs of PeopleSoft HRMS. Compared to Oracle, SAP is downright opaque; I agree with the parent's assessment that they use obscurity to help secure their revenue stream and control access to talent.

Re:Security and Market Dominance by Obscurity (2)

Nefarious Wheel (628136) | about a year ago | (#44036685)

Contrast that with the products of Microsoft, Oracle

As an independent, it's always been frustrating to try to evaluate new releases from those vendors.

I think that's also by design, to keep C-level business decisions from being influenced by criticism from the technically-astute tier. After all, these deals are often brokered at the golf course, where one's handicap is more relevant than platform or infrastructure culture.

Re: Security and Market Dominance by Obscurity (2, Insightful)

Anonymous Coward | about a year ago | (#44036137)

I have worked for SAP as a senior software engineer for 7 years now, though well outside of our main product line. I don't even know what it is the company software actually does after doing a bit of searching. Whenever someone starts asking me what the company does I just give a vague "business logistics software" and leave it at that.

Re:Security and Market Dominance by Obscurity (1)

phantomfive (622387) | about a year ago | (#44036375)

What do they actually do? I'm still not entirely sure.....ERP, whatever that is.

Re:Security and Market Dominance by Obscurity (3, Informative)

Rob_Bryerton (606093) | about a year ago | (#44036573)

ERP = Enterprise Resource Planning, a bad name for a general class of business software that does just about anything, from billing to shipping & receiving, warehouse automation, reporting, etc, etc. Basically a somewhat integrated suite of applications that tie all (or many) aspects of a business together, implementing business processes in software.

Implementations typically run in timescales of years and millions of dollars, with teams of developers, DBAs, etc. The software suite is a canned solution that you then slightly (or vastly) modify to tailor to your business needs. ( My job as a systems & storage administrator at a major US-based snack food company has me managing the ~30 Linux servers that run our Oracle databases on the DB tier and Oracle EBusiness suite at the application tier, backed by all manner of storage arrays, NAS devices, FC SANs, load balancers, etc, etc. Fun stuff! )

Think of it as Quicken, but on a very large scale.

Re:Security and Market Dominance by Obscurity (1)

phantomfive (622387) | about a year ago | (#44036653)

That's fascinating. Who uses it? Do people need to be trained to use it? Or is that just something you're expected to know if you're (for example) a warehouse automation kind of guy?

Re:Security and Market Dominance by Obscurity (0)

Anonymous Coward | about a year ago | (#44037057)

Large companies. For example every major car manufacturer runs SAP.
People need to be trained to use it.
I have no idea what is expected from a warehouse automation kind of guy.

Re:Security and Market Dominance by Obscurity (2)

Rich0 (548339) | about a year ago | (#44037677)

Who uses it?

Anybody who hasn't figured out how to avoid it. Unfortunately that usually ends up being most of the company. At my workplace SAP does everything from payroll to expenses to customs.

SAP's main advantage is in all its integration. That's about its only advantage. Any individual task done by SAP is usually better-done by something else which leads to endless frustration. The advantage it has is that if I want to get reimbursed for a drive to a meeting I can charge the money to a specific subtask of a project which is tied to an investment that was approved which is tied to the general ledger. If I bought an extra bag of pretzels which wasn't opened I could in theory still be reimbursed for it and then put it into inventory and then whatever project takes it out of inventory gets charged for the pretzels. Oh, and if somebody decided to mail that bag of pretzels to mexico the system would know exactly how much was paid for it and fill out the customs declaration appropriately.

Of course, nobody actually does all of that, but those kinds of features do come in handy in actual manufacturing.

The big push for ERP solutions came after Sarbanes-Oxley due to the demanded rigor on accounting. Previously it was spreadsheets all the way down and nothing ever added up (you can't keep 47,000 spreadsheets in sync no matter how hard you try).

Personally, I avoid it like the plague.

Re:Security and Market Dominance by Obscurity (0)

drinkypoo (153816) | about a year ago | (#44039291)

The thing is, you can accomplish everything in your theoretical peanut scenario with interactions between humans if they have adequate organization. But you can't accomplish any of that with SAP if you lack adequate SAP organization. So by spending the effort on SAP, what do you get? Maybe the same results if you're lucky and SAP doesn't explode, and now you get to pay for SAP.

Might as well just buy an AS/400 (can you even still do that?)

Re:Security and Market Dominance by Obscurity (0)

drinkypoo (153816) | about a year ago | (#44037909)

SAP is like an operating system for business intelligence applications. It has that much complexity. It's just further proof that those who do not understand Unix are doomed to reinvent it... poorly.

Re:Security and Market Dominance by Obscurity (1)

tibit (1762298) | about a year ago | (#44039251)

This is very insightful. SAP's biggest advantage (integration) is its biggest disadvantage, too. In software engineering, tight coupling in such a big system has been repeatedly shown to lead to disasters. By any reasonable metric of software structure, SAP is a disaster.

Re:Security and Market Dominance by Obscurity (1)

The Grassy Knoll (112931) | about a year ago | (#44037289)

The software suite is a canned solution that you then slightly (or vastly) modify to tailor to your business needs.

I always thought that you installed SAP, then re-configured your business to work with it :-)

Re:Security and Market Dominance by Obscurity (1)

PolygamousRanchKid (1290638) | about a year ago | (#44037271)

What do they actually do?

It's like drugs. You can do drugs, but sometimes, they do you.

You can do SAP, but sometimes, they do you.

Re:Security and Market Dominance by Obscurity (0)

Anonymous Coward | about a year ago | (#44037007)

If you're into application development, you can download the Netweaver application server trial for free, you can request a new (free) license every 90 days or so. With it, you basically get all that you need to learn application development. What you don't get are the components for the various functional areas - like SCM, HCM, PLM etc.
There's a "demo" ECC suite called IDES which contains these modules, but this is available only to customers and partners. And there's not a chance you would be able to actually install it without prior knowledge of SAP BASIS.

The books from SAP Press are expensive, but not one of them is useless. Don't buy that "Teach yourself.... in 21 days" crap.

SAP isn't really trying to hide anything - hell, all those expensive SAP modules are written in ABAP, so you actually get the source code to everything.

Re:Security and Market Dominance by Obscurity (1)

Hognoxious (631665) | about a year ago | (#44037171)

There's a "demo" ECC suite called IDES which contains these modules, but this is available only to customers and partners.

You used to be able to get it from some dodgy geezers in India. Umm, so I'm told.

And there's not a chance you would be able to actually install it without prior knowledge of SAP BASIS.

I managed it. Not saying it was easy - there are lots of things that can go wrong and the instructions aren't brilliant - but with a bit of googling and finding the right forums it's doable.

You need to know the OS you're installing on though, or be prepared to learn it as you go.

Re:Security and Market Dominance by Obscurity (1)

tibit (1762298) | about a year ago | (#44039377)

The screen-oriented workflow that is pretty much enshrined into the SAP Basis runtime's design is something that puts SAP firmly in the 20th century, usability-wise. There's no sane way to retrofit a SAP system into a modern, object-oriented UI. By object orientation I mean almost anything you use today: the file shell (explorer, finder, ...), any "editing" application where you manipulate objects (vector drawings in office suites or illustration packages, modern CAD, ...). In a usual deployment of a system like SAP, you can't, say, drag the PO you're working on to a "desktop" to keep it there for easy reference, you can't tag things, there's no object-agnostic history of what you've been doing, etc. SAP is really just a green-screen-oriented design that keeps getting shoehorned into modern presentations, but the basic workflow is well understood to be nightmarish from the human efficiency standpoint.

Re:Security and Market Dominance by Obscurity (1)

headqtrs (467875) | about a year ago | (#44037093)

This is definitely not true. Go to http://scn.sap.com/ [sap.com] , register yourself and then go to the Downloads section. You will find express editions to your heart's content.

But, please be prepared to sink huge amounts of time and be very frustrated: The learning curve is very steep....

So.... (4, Funny)

wbr1 (2538558) | about a year ago | (#44036017)

Their IT departments are full of saps?

ba-dum-dam

Thanks, I'll be here all night.

Re:So.... (0)

Anonymous Coward | about a year ago | (#44036049)

OMG! Have the interwebs affected spelling this much?!!!

Ba-dam-dum, (crash cymbal) sorry, I couldn't spell the sound.

Re:So.... (-1)

Anonymous Coward | about a year ago | (#44036083)

Thanks, I'll be here all night.
Probably taking it up the ass from dirty faggots.

Re:So.... (2)

wbr1 (2538558) | about a year ago | (#44037881)

No, only the clean ones, so you're out.

Charge for updates (0)

Anonymous Coward | about a year ago | (#44036089)

Receive buggy, unpatched systems

SAP - I know what that means (2)

boogahboogah (310475) | about a year ago | (#44036123)

It's German for 'Our hands in your wallet'

Re:SAP - I know what that means (3, Funny)

PolygamousRanchKid (1290638) | about a year ago | (#44036189)

Scheiß aufs Privatleben!

Re:SAP - I know what that means (0)

Anonymous Coward | about a year ago | (#44036545)

Strokenfureramerikaneerpenis?

Re:SAP - I know what that means (3, Interesting)

bemymonkey (1244086) | about a year ago | (#44036599)

As a German person, working in a German company that uses SAP... I couldn't agree more. It's a broken POS that has the tendency to break other applications (anything VB related) when installed or updated. Can't wait to be rid of that crap.

Re:SAP - I know what that means (1)

dargaud (518470) | about a year ago | (#44037857)

Can't wait to be rid of that crap.

And replace it with what? At my work they are replacing homebrew Java apps with SAP next week. I hope I get paid during the upcoming summer mayhem...

Re:SAP - I know what that means (0)

Anonymous Coward | about a year ago | (#44038017)

They really should replace it with Salesforce.

Re:SAP - I know what that means (0)

Anonymous Coward | about a year ago | (#44036781)

Stops All Progress

Law should require transparency (1)

schwit1 (797399) | about a year ago | (#44036141)

If you are a service provider you should be required to let your clientele know what versions of software you are using.

Re:Law should require transparency (0)

Anonymous Coward | about a year ago | (#44036249)

If you are managing a service and don't know what version of a platform you are subscribed to, you deserve a hobo cup/sign combo and to be banned from having any input on IT ever again.

Re:Law should require transparency (2)

Charliemopps (1157495) | about a year ago | (#44036277)

That would violate one of the first fundamental laws of security. Despite what people on Slashdot like to rant and rave about, many times being behind on updates has nothing to do with being cheap or lazy. Real networks are complicated... and often you have nested dependencies that force you into situations you'd rather not be in. Load Balancer A has a bug in its newest OS update, so you can't upgrade to that unless you want to lose access to 4 of your biggest clients. So you have to wait 6 months for the patch to come down; meanwhile their older OS version is not compatible with the latest LDAP implementation, so now you're out of date on your... yada yada yada...

Re:Law should require transparency (4, Informative)

cusco (717999) | about a year ago | (#44036555)

Or my particular headache, you run a 24x7x365 enterprise app distributed across 18 different countries on every continent but Antarctica. We're two years behind on updates because we can't take the system down for an hour.

Re:Law should require transparency (1)

dbIII (701233) | about a year ago | (#44036981)

I think we need to learn from the gamers and from other industries. If Blizzard can shut down for a few hours every Tuesday night, why can't the rest of us shut down for half a day on Christmas or a similar slow time? Mature heavy industries with huge opportunity costs from planned shutdowns still do them to avoid the much greater problem of unplanned shutdowns from failures. IT still looks far more like random basket weaving than engineering, and whoever put you in that spot of keeping the system up indefinitely (as in no maintenance shutdown after a year, or two, or three, but never planned to happen ever) designed the system poorly.

Re:Law should require transparency (0)

Anonymous Coward | about a year ago | (#44037693)

Client never paid for planning though.

Re:Law should require transparency (0)

Anonymous Coward | about a year ago | (#44037825)

Or my particular headache, you run a 24x7x365 enterprise app distributed across 18 different countries on every continent but Antarctica. We're two years behind on updates because we can't take the system down for an hour.

Good.

Then ensure you deliver your signature-series limited-edition TOLD-YA-SO untreated rough-cut 2x4 solidly up the CEOs ass without lube when the fucking thing falls over or gets hacked, and it's down for a month getting fixed/patched.

Of course, I would ensure you have an iron-clad legal CYA document in place for when this inevitable scenario happens, but that should come standard in the TOLD-YA-SO package.

Re:Law should require transparency (1)

drinkypoo (153816) | about a year ago | (#44037905)

Despite what people on slashdot like to rant and rave about, many times being behind on updates has nothing to do with being cheap or lazy.

Sure, there's also stupidity and incompetence.

If the system can't be taken down for maintenance, in pieces if necessary and with redundancy if necessary, then the initial design was incompetent. And if the system is based on SAP, then whoever made the purchasing decision was not only incompetent, but also stupid. A cursory look around will tell you that everyone with SAP and without billions of dollars is very angry.

Training Day (0)

Anonymous Coward | about a year ago | (#44036209)

Let's send out a deployment of killers to kill SAP international staff.

It's a job fair bonanza!

And the 'turnover' saves the companies a buttload of $billions of dollars per year.

Win Win Scenario Baby! Let's Go.

Nice 'stache! (1)

JimtownKelly (634785) | about a year ago | (#44036739)

That dude in the photo ain't no sap.

This is typical of any Vendor-slave environment (1)

Neo-Rio-101 (700494) | about a year ago | (#44036903)

Some of these vendor-ware boxes are so hard to install, patch and maintain that quite often they are left alone to run for years in production until the hardware dies.
If it gets hacked... it's the hacker's fault.
When the hardware dies... it's the hardware vendor's fault.
If it's left unmaintained, the company saves money.
If it is maintained, the admins won't be allowed to do anything when the company won't give them an update window, out of fear of breaking it. So the admins sit on their hands and spin in their chairs every day.

It's always someone else's fault when the server goes balls-up, and when that happens, they get someone in to reinstall the server on new hardware.
(after lengthy outages)

Corporate vs. Programmers. (3, Interesting)

Domini (103836) | about a year ago | (#44037805)

I would say it is because SAP's programming environment is rife with business people and very few programmers. 95% of programmers I have worked with were B.A. students who heard that programming pays more, and SAP pays a lot more. I've been doing SAP ABAP for about 10 years on and off. I've worked in both services and product development and have worked in many different capacities, companies and countries.

My background is strong C++, having also worked at high-frequency traders and other tech companies writing compilers and schedulers and network messaging systems. Never have I encountered anyone in SAP that would care about security... with the exception of a few BASIS consultants. People are so focused on their small part and fear to rock the boat that it is causing it to be the monolithic behemoth it has become. ABAP is an awful excuse for a language that pretends to be a cool 4GL, and the SAP system itself is layer upon layer of bugs, unused code and inefficiencies. One can see a hint of a bright SAP developer here and there, but the way it was finished off suggested they cut costs before everything was fully completed (WebDynpro, OO... I'm looking at you.).

I worked as a contractor at a bank about 10 years ago, and highlighted the fact that their vendors all being able to upload files to a common directory as the same normal user and password was a huge security issue as well as a client confidentiality problem (as various clients/vendors could read each other's files)... but if I could wager a guess, they did nothing about it, at least for the time I was working there.

Then there is SAP's resource site (SAP Developer Network), where they are still trying to figure out how to have host aliases and SSO even work reliably. Every time you connect you get a different load-balanced host with a new host name. The site is a mess and is still struggling to even resemble Web 1.0.

But all this trouble and incompetence is what makes working in SAP a challenge and earns you the big bucks. Not to mention aggressive and plain rude clients sometimes. I prefer product development instead of contracting, that way I feel I can actually do something concrete to help people.
