Earlier this week I spent a day with one of our technology partners’ customers at the EPI-USE Labs user group event in Sydney. Part of the day included a presentation from David Powell, General Manager, IT Security Strategy at the National Australia Bank (NAB) around the criticality of IT security at both an individual level and at a corporate level.
The presentation was both fascinating and eye opening, to say the least.
For example, David told us that despite the bank’s best customer education efforts, 4,000 NAB customers give away their financial credentials to phishing emails every month. With around 1 in every 3,500 or so emails carrying malware, it is inevitable that, from time to time, malware will steal personal information right in front of us.
In fact, David mentioned that malware has become so sophisticated that bank IT security has had to become equally sophisticated. Software has been developed to tell the difference between a real human mouse movement and a software-generated one, so that a malware takeover of a session can be identified for the customer before they become aware of it themselves.
Another security risk is being led to your ‘supposed’ bank site. David mentioned that the NAB identifies and shuts down over 100 fake sites every month. In fact, I received a text just this morning asking me to go to my own bank’s site to ‘update my details’ via a dodgy URL.
On the corporate end, this is where things begin to get hairy. In just 12 months, cyber-attacks on the NAB IT infrastructure have increased from 7 million to 12 million per month. Around 1,500 of these do get through to the next layer. David was quick to point out that those that do get through are identified and dealt with very quickly.
And it doesn’t stop there: with millions of connected machines coming online through the IoT, new sources and entry points for cyber-attack are multiplying daily. David cited a recent DNS attack emanating from an air-conditioning unit in Bulgaria!
David’s presentation capped the day off well.
But what has this to do with SAP change control?
Quite a lot really. For example, is code vulnerability checking part of your change control process?
Whether manual or automated, code vulnerability checking can be enforced as part of your SAP change control process. It provides greater assurance that your own organization’s infrastructure is less likely to fall prey to external skullduggery.
Through an integration between code scanning software, such as Virtual Forge CodeProfiler, and Rev-Trac’s change control automation platform, new ABAP code can be automatically checked and approved as ‘safe’ for sign-off before it is allowed to progress to QAS or PRD. This step can be enforced for certain types of development, so teams can be assured that such checks have been carried out on all new code of those types.
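To make the gate described above concrete, here is an added Python sketch of the decision logic (it is not Rev-Trac or CodeProfiler code; the development-type codes, the request numbers and the sample findings are constructed assumptions): a transport only advances to QAS or PRD when every object of a gated development type has a scan result with no high or critical findings.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed policy: these ABAP development types must be scanned before promotion,
# and promotion is only gated for these target systems.
SCAN_REQUIRED_TYPES = {"PROG", "CLAS", "FUGR"}   # programs, classes, function groups
GATED_TARGETS = {"QAS", "PRD"}
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass
class Finding:
    obj: str        # ABAP object the scanner flagged
    check: str      # scanner check name (constructed for the example)
    severity: str   # e.g. "critical", "high", "medium", "low"


@dataclass
class Transport:
    request: str
    objects: Dict[str, str]                 # object name -> development type
    findings: Optional[List[Finding]] = None  # None = scanner has not reported yet


def gate(transport: Transport, target: str) -> Tuple[bool, List[str]]:
    """Return (approved, reasons); reasons is empty when the transport may proceed."""
    if target not in GATED_TARGETS:
        return True, []                      # DEV-to-DEV moves are not gated
    gated = {o for o, t in transport.objects.items() if t in SCAN_REQUIRED_TYPES}
    if not gated:
        return True, []                      # nothing in this request needs a scan
    if transport.findings is None:
        # Enforcement point: an unscanned request must not be signed off.
        return False, [f"{transport.request}: no scan result for {sorted(gated)}"]
    reasons = [
        f"{f.obj}: {f.severity} finding ({f.check})"
        for f in transport.findings
        if f.obj in gated and f.severity.lower() in BLOCKING_SEVERITIES
    ]
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed request: one class with a high-severity finding, one unrelated object.
    req = Transport("DEVK900123", {"ZCL_PAY": "CLAS", "ZDOC": "DOCV"},
                    findings=[Finding("ZCL_PAY", "dynamic SQL construction", "high")])
    approved, reasons = gate(req, "PRD")
    print("approved" if approved else "blocked", reasons)
```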
So, two things. First, consider the need for code vulnerability checking as part of your code development process. Second, automate and enforce the checks through a combination of code checking software and Rev-Trac change control automation software.
Is regular code vulnerability checking part of your change control process? Is it a topic of discussion? I’d love to hear your thoughts.