Having in-house awareness of SAP development is certainly important, especially so as not to depend on third parties even for simple problems.
This is not about ABAP developers as such. The question is what the impact is, or could be, of having an internal group of developers on the security aspects.
For SAP security, is it better to have an internal or an external development team?
One of the greatest difficulties is verifying that developed software is secure. This is not easy, because it requires very thorough technical knowledge of the language and a great deal of time.
These two resources are often hard to find within a company, and probably hard to justify as well.
Identifying security problems during development costs less than discovering anomalies in programs that are already live and in use.
SAP provides several ways to monitor development from a security perspective.
The support that IT provides can be of different types:
Substituting for the business is never a proper way of managing (although it may sometimes appear to simplify things): it can introduce process anomalies that surface, for example, at the segregation of duties stage.
Working in emergency mode can lead to the compulsive creation of custom transactions defined on a personal basis. Each department demands its own customizations and does not get used to looking for standard features that could be applied.
Transactional systems (OLTP, Online Transaction Processing) are often confused with analytical ones (OLAP, Online Analytical Processing). Every custom object defined in the system has huge operating costs. Many custom features are no longer used after a few years.
There are certain advantages, but also points of attention to take into account.
What are the advantages of having an external development team?
Note that the aspects above can be advantages, but this is not always the case. Contractual agreements may in some cases encourage or discourage certain virtuous behavior by the supplier.
It is therefore essential to have an in-house contact who can also understand the proposals from a technical point of view and evaluate them before development proceeds, especially with regard to SAP security.
In many cases, if the specification documents do not cover authorization and/or secure development, these aspects are not considered.
It is also important to have tools that can certify the work of third-party development companies. The tools mentioned at the outset can help set acceptance thresholds for development.
Contracts can include specific conformity clauses based on analyses carried out by third-party control tools.
The same selection criteria cannot be applied in every scenario. However, some considerations may be common.
Blog post originally translated from: https://www.aglea.com/blog/sviluppatori-sap.-meglio-un-team-di-sviluppo-interno-o-esterno