The Window of Exposure revisited (in an SAP Context)

Software is never free of bugs. Some bugs introduce vulnerabilities that can be exploited by attackers to bring your system down, cause data loss, etc. When vendors fix such bugs, patches are issued and should be installed as soon as possible. Nothing new so far. As you know, my core experience is in software security, so this article partly focuses on SAP-related patches.

SAP started handling security matters more systematically back in 2011. Since then, a lot has happened at SAP. There’s threat modelling everywhere, secure coding guidelines, tool support, Q-Gates, etc. And there are still things found by researchers, reported to SAP and fixed diligently. Patches (called Security Notes in SAP slang) are released on the second Tuesday of every month. The track record showing the latest patches is publicly available (with no credentials needed at the time of writing).

On the customer side of this story, processes need to be in place to apply the patches. Per se, this is not rocket science, but a question of know-how, resources, processes and, most importantly, priorities. A few years ago a study mentioned that only 30% of customers apply patches within 3 months. I assume that this number is better now but still far from a best-practice level.

During my PhD time (around the year 2000), I stumbled upon the Window of Exposure as described by the security guru Bruce Schneier. And I think it perfectly applies to the SAP world. As you can see in the figure, the risk increases the more widely a vulnerability is known to the public. Ironically, this is somewhat boosted when a patch is released. And that makes timely patching even more important.

Full Disclosure and the Window of Exposure, Source: Bruce Schneier

I have seen many researchers and organisations contributing to the security of the SAP standard by submitting their findings about vulnerabilities. And the SAP Security Response process in place helps us get the patches out. Some sort of Catch-22: we can observe that after patch days, exploits are made available, for example on GitHub, since the blueprint of the weakness is in the patch itself. This makes timely patching even more important.
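To make that timeline concrete, here is an added example (not code from the original post, nor anything from SAP): a small Python script that computes the Patch Day dates (second Tuesday of each month) and, for a constructed inventory of systems, measures how long each system has been exposed since a Security Note was published, flagging those that exceed a 90-day patching SLA (the “3 months” figure quoted above). The system IDs, note labels, CVSS values, dates and the SLA threshold are all invented for illustration; replace them with your own inventory and policy.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def patch_day(year: int, month: int) -> date:
    """Return the second Tuesday of the month, i.e. the SAP Security Patch Day."""
    first = date(year, month, 1)
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def patch_days(year: int) -> list:
    """All twelve Patch Days of a calendar year."""
    return [patch_day(year, m) for m in range(1, 13)]


@dataclass(frozen=True)
class SecurityNote:
    note_id: str    # hypothetical label, not a real SAP Note number
    released: date  # the Patch Day on which the note was published
    cvss: float     # assumed score, taken from the note in practice


@dataclass
class System:
    sid: str
    applied: dict = field(default_factory=dict)  # note_id -> date the note was applied


@dataclass(frozen=True)
class Exposure:
    sid: str
    note_id: str
    cvss: float
    days_exposed: int   # Patch Day -> applied date, or -> today if still open
    still_open: bool
    breaches_sla: bool


def assess(systems, notes, today, sla_days=90):
    """Length of the exposure window and SLA status for every (system, note) pair.

    The window starts on the Patch Day: from then on the fix, and with it the
    blueprint for an exploit, is public. It ends when the note is applied; an
    unapplied note keeps counting up to `today`.
    """
    results = []
    for s in systems:
        for n in notes:
            if n.released > today:
                continue  # not published yet, nothing to apply
            applied = s.applied.get(n.note_id)
            end = applied if applied is not None else today
            days = (end - n.released).days
            results.append(Exposure(s.sid, n.note_id, n.cvss, days,
                                    still_open=applied is None,
                                    breaches_sla=days > sla_days))
    return results


def sla_compliance(results):
    """Share of (system, note) pairs patched within the SLA, 1.0 if nothing to check."""
    if not results:
        return 1.0
    return sum(1 for r in results if not r.breaches_sla) / len(results)


# Constructed sample data: invented systems, note labels, scores and dates.
TODAY = date(2022, 6, 1)
NOTES = [
    SecurityNote("N-1", patch_day(2022, 1), 9.8),  # published 2022-01-11
    SecurityNote("N-2", patch_day(2022, 3), 7.5),  # published 2022-03-08
    SecurityNote("N-3", patch_day(2022, 5), 5.3),  # published 2022-05-10
]
SYSTEMS = [
    System("PRD", {"N-1": date(2022, 1, 20), "N-2": date(2022, 3, 15), "N-3": date(2022, 5, 12)}),
    System("QAS", {"N-1": date(2022, 4, 30)}),  # N-2 and N-3 still open
    System("DEV"),                              # nothing applied at all
]

if __name__ == "__main__":
    results = assess(SYSTEMS, NOTES, TODAY)
    for r in results:
        state = "open" if r.still_open else "closed"
        flag = "SLA BREACH" if r.breaches_sla else "ok"
        print(f"{r.sid} {r.note_id} cvss={r.cvss} {state:6} {r.days_exposed:4d}d {flag}")
    print(f"SLA compliance: {sla_compliance(results):.0%}")
```

With the sample data, QAS closed N-1 after 109 days and DEV still has N-1 open after 141 days, so both breach the 90-day SLA while the other seven pairs are within it; sorting the breaches by CVSS gives the order in which the Basis team should work through the backlog.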

Sometimes I have seen that some researchers or organisations literally orchestrate a global marketing campaign which is fired on the day of the patch release. While transparency about patches is a good thing, this is not, because it a) increases the exposure of a vulnerability dramatically and b) puts even more risk and pressure on customers to literally apply a patch on the day of the release.

In short: SAP patches are the result of a well-established process, and timely application is key. Also: reasonable handling (versus ego or sales numbers) by researchers and organisations is key, too. Looking forward to your comments.

Selling through Partners. 100%.

I have written about partnerships in business (the Win:Win:Win triangle) before. I support some management teams of product companies and would like to share the idea of selling products through partners only.

A key assumption here is that the product company is not offering consulting services (for many reasons, for example a) because focus gets blurred, b) because it could destroy certain partner markets, c) etc.).

Here’s my view:

  1. WHY NOT sell through partners? One of the first counter-arguments against selling through partners is: we are quicker if we go direct. We save money because we don’t need to pay their sales team. We can better support the customer in the after-sales phase. Etc.
  2. WHY sell through partners? Direct sales might sound attractive; however, it a) takes time to establish market recognition, b) takes money to pay your own sales force, c) might destroy the partner’s opportunity to offer services for your product. Last but not least: if you make your sales team all partner managers and each partner manager can support 2-3 partners, you can easily see the huge leverage effect.
  3. Quick thoughts on how to get started:
    1. Define possible quick wins and focus on them. It could even be an idea to hand over some leads and prospects to partners in order to remove initial “resistance” before the wheel is turning.
    2. Go as a team and bring in your market and technical expertise (“direct touch” sales) but never be a competitor to your partner. Instead, your partner knows that they can start without risk since they can rely on your support.
    3. Clear rules of customer engagement: how prospects are registered, what that means, and how registrations are extended / ended. At the end of the day this is teamplay and your partner managers should be very close to your partner’s sales team.

You walk better if you never walk alone!

100% protection against Covid-19 viruses

In July I wrote about the idea of killing Covid-19 viruses with suitable technology. Quite a lot has happened since then.

As the first electronic respiratory protection that kills viruses 100%, the “Securer” is expected to be available from autumn 2022. A current press release describes the present status:

“SecureAir GmbH is currently looking for technology partners who would like to produce under licence and/or distribute the product, or who would like to acquire the complete technology in full as world market leader.”

Yesterday I held the current version of the product in my hands. A lot has happened here: it feels very high-quality, looks good, and all expert reports show that it works.

The “Securer” kills Covid-19 viruses (and much more).

It remains exciting.

My new rocket: Mac Mini 2014

As I have written before, I don’t really care which computer I use. It can be an Apple, a Windows machine, or something else. I have an old Mac Mini from 2014 that I use for managing my music library, for some playback, and for minor audio editing. Lately, I was more and more frustrated because the machine seemed to get slower and slower. It took ages until it started and was usable. Also, there was a lot of dead time when the machine seemed to be idling.

So I started to do some research into whether I could fix it or whether I needed something new. The hardware is still good for a Mac Mini: 2.6 GHz, 16 GB of RAM, and a 1 TB hard disk. How to unleash this power again on an 8-year-old computer?

I found this step-by-step guide that contains many useful links, like cleaning up autostart items, removing settings that slow the machine down with the free tool KnockKnock, cleaning up the hard disk, etc. I found that I had already applied some of these tips but not others. I went through the entire exercise, but the results were not that promising. Startup time was better, but responsiveness was not.

During my research I also found some commercial tools that help you clean and speed up your Mac. You can find a comprehensive description of “CleanMyMac X” here. The software is very powerful and goes much deeper than anything you can do yourself. Besides an initial “get clean” scan, it can be used to “stay clean” and stay happy. My Mac Mini feels like a new machine and the trade-off is great: 50 EUR for a perpetual license (break-even versus the subscription in 2 years) vs. re-installing the OS and the apps vs. buying something new.

ADDENDUM: after a few days of working with the Mini, I still can’t believe it. It feels like a new machine and is all fun again. Thanks to the IT god for the healing.

I did it: upgrade to Windows 11

I am fairly dispassionate when it comes to operating systems and hardware. I use macOS, iOS, Linux and Windows. Windows has actually been with me the longest, since release 2.1 in 1988.

Today it is important to me that it shouldn’t matter which computer I am sitting at. The data is in my own or a public cloud, and the typical office software is available everywhere. Only a few specific programs (e.g. for audio, image or video editing) run only on certain machines.

And yesterday the time had come for my Windows machine (an Intel NUC): the upgrade to Windows 11 was available.

That is always a special moment, as there is the not unjustified worry that something will go wrong somehow. Keyword: “never change a running system!” But hey, nothing ventured, nothing gained! The data isn’t on the machine anyway; system restore point created, and off we go …

… and an hour later I could log in again. That feels like a small IT miracle. Now it’s time to get familiar with the new features. May your upgrade go just as smoothly.

We are the best. Why (not)?

At the end of 2021 I was asked to conduct a market analysis of German companies in a certain IT domain. During that project I screened 200+ websites and corporate data of potential target companies. And one key finding was that many companies fail to tell their visitors what they really do for them.

Let’s drill that down.

These days, a company’s website is usually not only the first touchpoint for a prospect, it’s also the place where people try to find out as much as they can before they really get in touch (note: I write this from a B2B perspective). Accordingly, I would expect the content to focus on the needs of the prospect. Need means: how do we deliver value for you? What’s your benefit? What’s a positive outcome for you if you use our stuff or work with us? etc. The focus should be on the WHY.

Instead of taking the customer’s view, many companies focus on their super technology, their great service, or themselves and why they are so great. This is an ego thing only. Even if all of that is true, why should a potential customer care? They don’t know you. Accordingly, they won’t dive deeper if you don’t explain the WHY to them.

While I understand the inner need to speak about great things in and about your company (I fell into that trap many times, too), I would like to encourage you to turn the storytelling upside down: first the WHY, which is so much more important than technology, etc. Then the HOW (the rationale), then the WHAT (the proof).

My 2021 in Review – on Success, Failure, and the big C.

Last year was a special year for me. In summer 2021, I started this blog around topics that inspire me and fill my days: business, fitness, and fun stuff. Since then I have had 15,000 visitors on my blog and a lot of personal exchange around “my” topics. Thanks to everyone for this joyful experience.

A few thoughts on each focus topic:

  • I consider myself successful in reinventing myself as an advisor for several companies. I was looking for environments where respect, loyalty, and passion are not only words, but core values for growing a business. I really enjoy each of my assignments and I’m particularly happy to have executed an M&A market analysis (I have learned a lot around that and will share some thoughts soon) at the end of the year. It’s great to use my own experience for such projects, it’s really big to share insights and to be part of something bigger.
  • The fitness side of my life was more disappointing. Year after year I set some personal goals, but I failed at all of them in 2021 due to an injury. My key life lesson here was and is: if you cannot reach your goals anymore, adjust them, make alternative plans, and execute on that. That’s how I found new ways (for example working with fitness ropes and digging into yoga again) to keep a healthy body (as the foundation of a healthy mind).
  • The fun-stuff side of life was also very rewarding. For example, I made a lot of new contacts just by driving that nice ’66 Mustang cabriolet. You meet all flavours of society at car meetings and that’s another experience that I really like. Everyone shares the same passion for one thing, and skin colour, religion, politics, gender, etc. are not important at all.

The biggest impact on our lives is for sure the global pandemic. It has changed every aspect of living at every scale. While I enjoyed business travel so much, that came to a complete halt. I like going to public music events; that came to a complete halt. I like meeting friends in person; that was at least much more difficult. And I have talked a lot about that also before/during/after my business sessions, mostly on video these days. I know that the pandemic can bring individuals down and make them depressed. We don’t hear and read a lot about that. Even more importantly, I’m grateful for everything that I can give and that I receive on my mission in life.

Have a great and peaceful 2022.

The Mandalorian, the 13th Warrior, or: learning SAPanese

I smiled when these thoughts came to my mind again. I was evaluating Disney+ for the kids (it could also be that I needed to see The Mandalorian) and stumbled over a movie that I really liked when it was released. The movie came out in 1999, and one of the coolest moments was when the protagonist, Ahmad ibn Fadlan, all of a sudden spoke the language of the Northmen. That didn’t come overnight but was the result of listening to this strange language and adopting it piece by piece.

When I joined SAP a few years later, in 2003, I felt a little bit like that. I couldn’t understand what the guys were talking about. All of those 3- or 4-letter acronyms, all those different concepts, this very special architecture. Just one example: an RFC was not a “Request For Comments” but a “Remote Function Call”. It took a while digging into this new world, but finally I could join most of the discussions with confidence.

As the security academic I was at that time, I can say that it’s possible to learn SAP. As an entrepreneur and founder of a company offering SAP security solutions, however, I found it easier to bring people with an SAP background on board. It’s quicker to teach them key security concepts than to teach a security professional all of the alien SAP concepts. Who (dis)agrees?

Bad Products, Good Products

In my new role as an advisor I speak a lot with people in charge of their companies’ portfolios. As a former managing director responsible for go-to-market (among other things) I went through such discussions many times. What’s a good product? What’s a bad product?

A product is not necessarily good …

  • … just because your CEO and management says so
  • … just because your engineers tell you it’s the best in class
  • … just because your marketing tells great stories about your stuff
  • … just because <add further internal only opinions here>

It’s always the customer and the market that decide whether a product is good or bad. Thus I attend many customer demo sessions these days to understand what they like (and what not). This really helps you tell a compelling story to the market. Assuming that your product is good, you need to have the right words for the market:

  • Stakeholders with budget often don’t speak a technical language. Thus, you need to translate technical terms into customer value: how does your product help the customer? Are they getting more productive? Or does it help them avoid a bad business outcome? etc.
  • Whenever you get new features from engineering ask yourself the value question again. How can this specific feature help a customer?
  • Write down customer value for your target groups, refine this while you go, and apply this messaging consistently. Over and over again – it’s not done if you use it only once.

You get this started by speaking with your customers and prospects exactly about this: what does value mean? How can your product help? What do they expect? Open-minded customers appreciate such conversations and you should not be shy about doing this. A key challenge can be that your crew is not willing to do this because they might perceive this approach as too offensive. So start this discussion internally and never let go again.

Old School Calisthenics. Or: “Training like in prison”

I have already written more generally about functional training and about my start with bodyweight training. As mentioned, I am always on the lookout for new impulses to bring variety into my strength training. That is how I stumbled upon the book Trainieren wie im Knast (the German edition of Convict Conditioning) by Paul Wade.

At first I found the title a bit silly, because you immediately think of yard time with rusty weights being lifted, as you know it from US films and series. But I quickly realised that there is more to it. Two aspects of the book I particularly like: 1) the reduction to a minimum of exercises and 2) the step-by-step increase of the load within one exercise. Both follow from the fact that a prisoner in his cell has nothing but his body and therefore has to train minimalistically (if he wants to at all). Of course this can be transferred to your own training if you want to build muscle without much equipment or space. I’ll go into that briefly.

  1. With 6 basic exercises, strength can be built for the whole body. More is really hardly necessary, and I always enjoy integrating this approach into my training for a few weeks. Everyone knows the exercises themselves, which is also part of what makes it great.
    1. Push-up: chest and triceps
    2. Squat: thighs (caution: a lot can go wrong with squats, I had to learn a lot the hard way there too)
    3. Pull-up: upper back
    4. Leg raise: abdomen
    5. Bridge: spinal muscles
    6. Handstand push-up: shoulders

As usual with functional exercises, other parts of the body are always trained as well. However, there are (at least) two exercises that require equipment (pull-up) or that are not quite so easy (handstand). The pull-up is an interesting exercise: if not even one pull-up is possible, you are either too weak or too heavy. Or, in case of doubt, both. But here too the book helps with its approach of progressing from easy to maximally hard.

  2. Paul Wade goes into detail on how to perform each exercise. And he brings the interesting concept of 10 steps for each exercise into play. Step 1 is the easiest version; for a push-up, e.g., a push-up standing against the wall. Whenever you have reached the training goal for one step, you move on to the next, until you have reached the summit. For the push-up that is a one-arm (!) push-up. That is then really incredibly hard, but even step 6 or 7 is already great and realistically achievable for everyone. For the pull-up, step 1 is a vertical pull: you stand close to a door frame, hold on to it, slowly extend your arms and pull yourself back in. That is a step that really everyone can take. The master step (step 10), the one-arm pull-up, certainly only very few.

Conclusion: I find the book very good; it is simply written and based on practical experience. (Pseudo)science is left out. It is also good that you can get started immediately. I would buy the book again and can recommend it.

By the way, for pull-ups I got myself a rail to which I can attach e.g. a bar, which can be easily unhooked or pushed out of the way after the exercises. There are certainly other solutions with less installation effort (in case you are actually sitting in a cell?).