Xpandion Blog


Office Space: A funny movie about hackers or a real-life security threat?

Posted by in Xpandion

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system - and access to almost every part of the system.

Because of this clear threat, for the last few years I have been a strong advocate of the idea that programmers shouldn't have access to production systems; they should only have access to DEV and QA systems - and if there’s a real bug in production – they can use a special username to perform debugging for a limited time. Unfortunately, the idea was premature and I wasn't able to convince any of the organizations I worked with about the importance of segregation of duties and reduction of absolute power to any one user.

They always said that they trusted their programmers… mistake.



From my experience in the field, I see three types of potential risks from programmers in the SAP production system:

1.   Risk of stealing sensitive data. The simplest way would be to use table browsing (SAP transaction SE16) to download all the required data to a disk-on-key/local file.

2.   Risk of performing business processes on behalf of someone else. For example, transferring money to an account. A good programmer can change the name of the creator, so no one knows who really made the transfer.

3.   Risk of transferring malicious code - and by “malicious” here, I am not referring to a malignant virus; I am speaking from a business perspective. For example, code that sends me an email whenever a customer issues a purchase order for more than $100K, so I can buy the stock. Another example is code that takes 1 cent from each money transfer and moves it to a shadow account, as in the movie ‘Office Space’.
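A reconciliation check that would surface the third risk's "1 cent per transfer" pattern, as an added example that is not part of the original post or of ProfileTailor Dynamics. The record layout, account names and threshold are constructed for illustration and are not an SAP table format.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data: what was requested vs. what was actually posted.
# REQUESTS: transfer id -> (intended beneficiary account, requested amount)
REQUESTS = {
    "T1": ("ACC-100", Decimal("250.00")),
    "T2": ("ACC-200", Decimal("99.99")),
    "T3": ("ACC-300", Decimal("1200.50")),
    "T4": ("ACC-100", Decimal("75.00")),
}
# POSTINGS: (transfer id, credited account, amount) for every posted leg
POSTINGS = [
    ("T1", "ACC-100", Decimal("249.99")), ("T1", "ACC-999", Decimal("0.01")),
    ("T2", "ACC-200", Decimal("99.98")), ("T2", "ACC-999", Decimal("0.01")),
    ("T3", "ACC-300", Decimal("1200.49")), ("T3", "ACC-999", Decimal("0.01")),
    ("T4", "ACC-100", Decimal("75.00")),
]

def short_paid(requests, postings):
    """Map transfer id -> shortfall where the beneficiary got less than requested."""
    received = defaultdict(Decimal)
    for tid, account, amount in postings:
        if account == requests[tid][0]:
            received[tid] += amount
    return {tid: amt - received[tid]
            for tid, (_, amt) in requests.items() if received[tid] != amt}

def suspected_shadow_accounts(requests, postings, min_transfers=3):
    """Accounts credited by legs of at least min_transfers distinct transfers
    for which they were not the requested beneficiary."""
    seen = defaultdict(lambda: {"transfers": set(), "total": Decimal("0")})
    for tid, account, amount in postings:
        if account != requests[tid][0]:          # leg went somewhere unintended
            seen[account]["transfers"].add(tid)
            seen[account]["total"] += amount
    return {acc: (len(v["transfers"]), v["total"])
            for acc, v in seen.items() if len(v["transfers"]) >= min_transfers}

if __name__ == "__main__":
    print("short-paid transfers:", short_paid(REQUESTS, POSTINGS))
    print("suspected shadow accounts:", suspected_shadow_accounts(REQUESTS, POSTINGS))
```

The check depends on comparing postings against an independent record of what was requested; if the same code path writes both, the skim will not show up as a difference.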

While designing our product, ProfileTailor Dynamics, we’re currently focusing on dynamic security from a business perspective: Who accessed HR-sensitive data? Who attempted a money transfer even though it is not part of their usual day-to-day activity?

We just wonder why customers don’t seem to understand the security risk posed by a few bad-seed programmers intent on causing harm.


Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.

