by dotty- 695 days ago
I hope SAP does a hard retrospective on why Wiz's research was not disrupted before they got full cluster admin. Like, I want to know from SAP's side whether they received any alerts for any of this activity and whether they investigated them properly. I wonder if there is any regulation SAP has to follow that requires them to have adequate alerting for suspicious network activity and whether this research can be used to show that they do not.

Oh, they have rules and regulations, for sure. Take a look at their certification page: https://www.sap.com/about/trust-center/certification-complia...

Question is, do they live it or is it just some binder sitting on a shelf.

The problem is that the people who make decisions don’t understand the technology. Most IT managers in Germany do not even know how programming works. There are exceptions, but the biggest players are people flying blind.
That's not something I can confirm. I'm getting around in Europe and if anything, German management tends to be very technical, lots of engineers. Maybe not programmers, true, but bona fide engineers.
Usually security researchers are required to reach out to the target before escalating further into the systems, asking for permissions to proceed. This is also something bug bounty programs require as per their rules for their targets in scope. I’d expect this to be the case here as well, given the researcher is employed by a security company.

Researchers also usually mention in writeups the points at which they asked for additional permissions, but not always.

Indeed. And if they did not detect it, how can they know that customer data have not been compromised?
SAP lacks skills in cloud security. There's a long list of security issues on SAP cloud services, and that's only the known ones.
It would be a great post to see how they detect such things in AI.