Cyber attacks: TU Darmstadt relies on Virtual Forge


With around 26,000 students and 4700 employees, the TU Darmstadt is one of the leading technical universities in Germany.
Here, SAP is used both in the central university administration and in the departments, institutes and decentralized facilities to control central business processes: from budget and personnel management to construction and real estate management to third-party funding management and controlling.
"If an SAP system fails, essential administrative processes can come to a standstill," reports Dorothee Krohberger-Stock, who heads the SAP CCoE and IT and process coordination at Darmstadt Technical University.
To prevent operational disruptions and be prepared for external and internal cyber attacks, the SAP managers planned to put an effective SAP security concept in place.
To this end, three areas were initially identified: system configurations, system-critical authorizations, and Abap custom developments. Since manual analyses of these audit areas would exceed the available resources, the decision was made to use the SAP security tools from Virtual Forge.
Faulty configurations detected
In 2014, for example, TU Darmstadt introduced the SystemProfiler to automatically identify and eliminate faulty or suboptimal configurations in the SAP systems.
The tool combines many years of security know-how with current security guidelines and recommendations, for example from SAP, the German-speaking SAP User Group (DSAG) and the German Federal Office for Information Security (BSI).
"With the SystemProfiler, we can analyze all SAP system settings at the push of a button."
Silke Kubelka, who heads SAP applications at Darmstadt Technical University, sums up the advantages.
"If errors and weaknesses are discovered, many parameters and settings can be adjusted quickly and easily."
In addition, the solution is used to check system-critical SAP authorizations. The tool automatically detects when a user has access rights based on multiple assigned roles that, taken together, could lead to an SAP security risk.
When SAP updates are imported, the SystemProfiler helps to bring maintenance adjustments or new systems into line with the best-practice configuration.
Abap modifications in sight
The CodeProfiler is also used regularly to identify risks and optimization potential in the Abap customer code (Z namespace). TU Darmstadt uses it to check the existing SAP in-house developments for security, compliance, quality and S/4 Hana suitability.
At the same time, the tool will be used in the future for the acceptance of new programs and add-ons that are developed internally or by external partners and service providers. If weak points in the code come to light in the process, clean-up measures are initiated.
This prevents corrupt code from getting into the existing SAP systems. To keep operating costs as low as possible, TU Darmstadt uses the CodeProfiler "as a Service".
"Since we only develop or have our own Abap code developed to a limited extent, the cloud offering accommodates our desire to use the tool on an as-needed basis," explains Dorothee Krohberger-Stock.
"Our long-term goal is to ensure that all of our SAP custom developments are robust, secure, maintainable, and compatible with emerging requirements such as Hana."
"The combined use of the two analysis tools has enabled us to increase the security and quality of our SAP applications," says SAP application manager Silke Kubelka, taking stock.
"In all three defined testing areas, these tools largely meet our security and compliance requirements."