Cybersecurity Tools and Testing


  • Abhishek Kumar Sharma

    SAP Security & GRC Expert | SAP S/4HANA & Fiori Security, GRC AC, SAP BTP & IAG | 10+ Years in S4 Migration, Greenfield Implementation & GRC Upgrades | Mentor & Trainer | Helping Professionals Master SAP Security & GRC

    11,796 followers

    Access issues in SAP Fiori can be related to several factors, such as roles, authorizations, or system settings. Here's a step-by-step guide to troubleshoot and resolve Fiori access issues:

    1. Verify User Roles and Authorizations:
      Check Assigned Roles: Ensure the user has been assigned the correct roles in the SAP backend system. Go to transaction PFCG and check if the user has the appropriate roles assigned for accessing the desired Fiori app.
      Check Authorization Objects: Each role contains authorization objects that control access to apps. Ensure that the necessary authorization objects (e.g., S_TCODE, S_SERVICE, etc.) are assigned to the user (use Trace to get details for missing authorization objects).
      Check Catalog and Group Assignment: The Fiori app must be part of a catalog, and the user must be assigned to that catalog. Use the Launchpad Designer to ensure the app is included in the relevant catalog and group.
      Transaction - /n/UI2/FLPCM/CUST – Search for the tile (Fiori app) for which the user has an issue and make sure the respective role is assigned to the user. You can also check which catalog or role has corresponding tiles.

    2. Launchpad Configuration:
      Check Launchpad Designer Configuration: Go to the Fiori Launchpad Designer (/ui2/flpd_cust) and ensure that: The target mapping for the application is correctly defined. The user has access to the catalogs and groups where the Fiori app is located.
      Verify App is Assigned to a Tile: Make sure the Fiori app is assigned to a tile and that the tile is part of a catalog the user has access to. Missing tiles are often a sign of catalog or group misconfiguration.

    3. Backend System Configuration:
      Check For SAP Gateway Error - /IWFND/ERROR_LOG
      Check System Alias: Ensure that the system alias is correctly configured in the OData service. Go to transaction SM59 to check the RFC connection and /IWFND/MAINT_SERVICE for maintaining the services.
      Activate OData Service: If the OData service for the Fiori app is not activated, users will experience access issues. Use transaction /IWFND/MAINT_SERVICE to activate the service.

    4. Clear Cache and Renew Session:
      Clear Fiori Cache: Clear the browser cache or go to /UI2/INVALIDATE_GLOBAL_CACHES in the backend to invalidate the cache for the user.
      Check User Sessions: If the user session is locked, ask the user to log out and back in, or unlock their user using transaction SU01.

    5. Transport Issues:
      If the Fiori app was recently transported, ensure that all related configurations, services, and authorizations have been correctly transported to the target environment.

    By following these steps, you can systematically identify and resolve access issues in SAP Fiori. Let me know if you need help with any specific step! https://lnkd.in/dZZCeY3Y

  • Brij kishore Pandey

    AI Architect & Engineer | AI Strategist

    720,607 followers

    API Security: 16 Critical Practices You Need to Know

    Drawing from OWASP guidelines, industry standards, and enterprise security frameworks, here are 16 critical API security practices that every development team should implement:

    1. Authentication: Your first line of defense. Implement OAuth 2.0, JWT, and enforce MFA where possible.
    2. Authorization: RBAC and ABAC aren't buzzwords - they're essential. Implement granular access controls.
    3. Rate Limiting: Had an API taken down by a simple script? Rate limiting isn't optional anymore.
    4. Input Validation: Every parameter is a potential attack vector. Validate, sanitize, and verify - always.
    5. Encryption: TLS is just the beginning. Think end-to-end encryption and robust key management.
    6. Error Handling: Generic errors for users, detailed logs for systems. Never expose internals.
    7. Logging & Monitoring: You can't protect what you can't see. Implement comprehensive audit trails.
    8. Security Headers: CORS, CSP, HSTS - these headers are your API's immune system.
    9. Token Expiry: Long-lived tokens are ticking time bombs. Implement proper rotation and expiry.
    10. IP Whitelisting: Know who's knocking. Implement IP-based access controls where appropriate.
    11. Web Application Firewall: Your shield against common attack patterns. Configure and monitor actively.
    12. API Versioning: Security evolves. Your API versioning strategy should account for security patches.
    13. Secure Dependencies: Your API is only as secure as its weakest dependency. Audit regularly.
    14. Intrusion Detection: Real-time threat detection isn't a luxury - it's a necessity.
    15. Security Standards: Don't reinvent security. Follow established standards and frameworks.
    16. Data Redaction: Not all data should be visible. Implement robust redaction policies.

    The key lesson? These aren't independent practices - they form an interconnected security mesh. Miss one, and you might compromise the entire system.

    What's your experience with these practices? Which ones have you found most challenging to implement?

  • Adnan Amjad

    US Cyber Leader at Deloitte

    4,348 followers

    In our latest The Wall Street Journal piece, Arun Perinkolam and I explore why many organizations have reached the point of diminishing returns with their cybersecurity tools and vendors (https://deloi.tt/3KPJP8w).

    With the average enterprise managing 60–70 security tools and more than a dozen vendors, complexity becomes the enemy of security. Yes, each solves a specific problem – however, together they create inefficiency, integration challenges, and unnecessary risk.

    Simplifying the stack isn’t just about consolidation. It’s about clarity. Platformization can streamline operations, reduce cost and duplication, and strengthen the foundation for AI-driven innovation across the enterprise.

    For CISOs facing pressure to do more with less, a deliberate, phased approach to rationalizing the tech stack can unlock new value. It can simplify integrations and governance, improve efficiencies across tools and teams, and make way for new capabilities, like agentic and Gen AI.

    The result is a cyber program that’s more secure and better aligned to longer-term strategies.

  • Bhasker Gupta

    Founder & CEO at AIM

    59,510 followers

    AIM Research has just launched its GenAI-Powered Cybersecurity Vendor Landscape Report. The cybersecurity landscape is undergoing a significant transformation with the integration of Generative AI. Here are some key insights:

    ✢ Major cybersecurity providers are not just adding GenAI features—they're fundamentally rethinking their platforms to incorporate AI agents, copilots, and context-aware assistants. This shift is moving tools from private previews to public availability, signaling a readiness for broader implementation in 2024.
    ✢ The industry faces a skill-gap and burnout crisis. GenAI-powered tools are emerging as a solution to alleviate these challenges by handling repetitive and intricate tasks.
    ✢ Vendors are expanding beyond traditional solutions. We're seeing the rise of AI agents that autonomously monitor and respond to incidents, copilots that assist IT teams in real-time, and platforms that simulate attacks to test and strengthen security postures.
    ✢ The new wave of tools brings capabilities like intelligent summarization, natural language querying, multilingual conversational functions, proactive security measures, alert prioritization, decision-ready analysis, guided recommendations, and automation.
    ✢ Vendors are focusing on enhancing functionalities in autonomous threat detection and providing transparency in how AI systems reach conclusions.

    Access the complete report here: https://lnkd.in/gxj8vY3N

    Darktrace, Deep Instinct, Dropzone AI, ExtraHop, Fortinet, Mandiant (part of Google Cloud), Prophet Security, Torq, Radiant Security, ReliaQuest, SentinelOne, Simbian, Swimlane, Sysdig, Wiz, Stream.Security, Sysdig, CrowdStrike, Palo Alto Networks, Orca Security, Cisco, ZEST Security, Proofpoint, Aqua Security, Netskope, Dazz, Sweet Security, Zscaler, Sentra, Tenable, Mitiga, Rapid7, Trend Micro, Lacework, Uptycs

  • Sumit Bansal

    LinkedIn Top Voice | Technical Test Lead @ SplashLearn | ISTQB Certified

    28,442 followers

    What if testing didn’t wait until the end but happened continuously throughout development? Continuous Testing (CT) brings tests into every stage of the software lifecycle. Where Continuous Integration focuses on code merges, CT ensures a constant stream of feedback—on functionality, performance, security, and beyond. It’s a natural extension of CI/CD pipelines, shifting testing left so problems get caught early. Instead of separate testing phases, you have incremental validations with each new feature or fix. CT can involve automated unit tests, performance checks, security scans, and even dynamic test environments for on-the-fly exploration. The result? Fewer late surprises, more confident releases, and a culture that treats quality as everyone’s responsibility.

  • Sudiptaa Paul Choudhury CMO, Independent Director, Board Advisor

    Global, Strategic, Impactful Marketing & Brand Leader | TEDx & Keynote Speaker | IIM-C | Ex-Intuit, Ericsson, Oracle, HP, EMC | AI, Digital Marketing Leader | GTM, ABM, Content Strategy, Writing,CRM, Marketing Automation

    7,868 followers

    Happy to see my article has been published at ABP Live on "Beyond AI: Why Quantum-Safe #Cryptography Is a Business Imperative in 2025".

    The alarming rise in cyberattacks—both in India and globally—makes one thing painfully clear: traditional encryption is no longer enough. In India alone, businesses stand to lose ₹20,000 crore this year, while global cybercrime costs are projected to reach $13.82 trillion by 2028.

    Even worse? The impending quantum era threatens to render our current cryptographic systems obsolete. Technologies like RSA, which power everything from internal communications to critical external collaborations, are vulnerable to quantum-enabled decryption.

    So what must businesses do right now?

    Embrace Quantum-Safe Messaging: Opt for end-to-end encrypted platforms designed to withstand quantum attacks, especially for communications with clients, partners, and vendors.
    Follow Standards and Best Practices: NIST has already rolled out the first wave of Post-Quantum Cryptography (PQC) standards—like ML-KEM for encryption and ML-DSA for digital signatures.
    Think Strategically, Not Just Tactically: Transitioning to PQC is more than a technical upgrade—it’s a strategic initiative. Build governance, crypto-agility, and roadmap planning into your cybersecurity strategy.

    What the world is doing:
    - Europe aims to migrate to quantum-safe encryption by 2030, starting with risk assessments and awareness campaigns in 2026
    - The UK’s NCSC is urging organizations to begin full migration planning by 2028 and complete it by 2035
    - Setting an example in the private sector, it has integrated post-quantum encryption into its WireGuard and Lightway protocols using NIST’s ML-KEM algorithm

    Reports from India’s BFSI sector show a worrying lack of readiness—yet almost 58% of CISOs recognize the threat within the next three years.

    Key takeaway: Quantum-safe cryptography isn’t a futuristic concept—it’s a present-day necessity. The threat of "store now, decrypt later" attacks means the data we transmit today may be vulnerable tomorrow. Waiting isn’t an option.

    Whether you’re in BFSI, government, telecoms, or healthcare, the time to act is now. Let’s lead the shift toward a secure quantum future.

    #QuantumSafe #Cybersecurity #PostQuantumCryptography #CryptoAgility #DigitalTrust #QuantumReady #QNulabs QNu Labs

  • Hemang Doshi

    Next100 CIO Awardee, IT - Cyber Security Leadership, Audit Compliance, Cloud, Digital Transformation, Technology AI Evangelist, Strategic Planning, P&L Owner, 30+ years Building Resilient Global Infrastructures

    9,343 followers

    Security is not an event. It’s a process. VAPT once a year doesn’t make you secure. It just makes you audit-ready—for a moment.

    Many organizations still treat Vulnerability Assessment / Penetration Testing as a checkbox activity—done once to satisfy audit or customer requirements. Most organizations do VA/PT for audits.
    ✔ Report generated
    ✔ Findings accepted
    ✔ Audit passed
    ❌ Security posture unchanged within weeks.

    Why One-Time VA/PT Fails
    • It’s a point-in-time snapshot
    • New vulnerabilities appear every day, or rather every hour or even faster
    • Cloud or infrastructure changes, patches, and deployments shift risk constantly

    The problem? 🔴 Threats don’t wait for your next audit cycle. A one-time VA/PT gives you a snapshot in time. New vulnerabilities, misconfigurations, exposed assets, and exploit techniques emerge daily. Attackers operate continuously—automated, fast, and opportunistic—while organizations often take weeks or months to fix what was already identified. Attackers exploit the gap between discovery and patching. That gap = breach window; that is where breaches happen.

    Why continuous monitoring & patching matters:
    # Security posture changes every day with new CVEs, cloud changes, and deployments
    # Risk must be prioritized by exploitability and business impact, not just CVSS score
    # Faster detection + faster remediation drastically reduces attack surface
    Metrics like MTTR (Mean Time to Remediate) matter more than the number of findings.

    Real security maturity comes from:
    ✔ Continuous vulnerability discovery
    ✔ Risk-based prioritization (what matters most, first)
    ✔ Timely patching and compensating controls
    ✔ Ongoing validation—not static reports

    Audits are important. VA/PT is important, but security cannot be static in a dynamic threat landscape that evolves every hour or even at a much faster pace.

    👉 Organizations that move from periodic testing to continuous exposure management don’t just pass audits—they reduce real business risk.

    #CyberSecurity #VulnerabilityManagement #ContinuousMonitoring #RiskBasedSecurity #CISO #vCISO #AuditAndCompliance #SecurityLeadership

  • Nathaniel Shere

    Delivering hands-on learning in the most secure way | Penetration Testing | Product Security Engineer at Skillable, where people learn by doing

    22,578 followers

    Penetration Testing Tip of the Day!

    In today's AI-driven age, it is critical to differentiate yourself from purely automated testing services. Here are a few tips on how to do that:

    🔶 Communication
    Send regular updates. Elicit feedback or questions. Humans engage with humans.

    🔶 Use Tools Strategically
    Don't spam automated tools against every service or host just to feel productive. Spend your time, and scanning tools, wisely. For example, don't use a web enumeration tool like dirb against open-source software - just go look up the endpoints on GitHub.

    🔶 Read Error Messages and Pivot
    Use the responses you are getting from testing to guide you in your follow-up tests. For example, if you are password spraying and you start seeing account lockout messages, stop spraying. Seriously, stop it. Adjust your timing and try again, but just spamming your client with "Account Lockout" log messages makes you look like an amateur at best, and like an automated scanner at worst.

    🔶 Identify Impact
    Don't capture generic proof of concept exploits. Nobody cares that SQL injection can find the SQL version number or that XSS can pop an alert box with the number "1" in it. Use your expertise to find the important data, trigger administrative functionality, or pivot to the critical systems. If not, at least identify the controls and issues that are preventing you and report it accordingly so the client can make an informed decision.

    The worst thing you can leave your client thinking after reading your report is "I could have gotten the same results from a vulnerability scanner". Because if they do, then next time, they will.

    #security #cybersecurity #pentesting #penetrationtesting

  • Rock Lambros

    Securing Agentic AI @ Zenity | RockCyber | Cybersecurity | Board, CxO, Startup, PE & VC Advisor | CISO | CAIO | QTE | AIGP | Author | OWASP AI Exchange, GenAI & Agentic AI | Security Tinkerer | Tiki Tribe

    21,395 followers

    Let's get back to some basics. 83 security tools. Only 22% matter. That’s the brutal math of modern enterprise security stacks according to reports from IBM & Palo Alto Networks (“Capturing the Cybersecurity Dividend: How security platforms generate business value.”) and IDG & ReliaQuest ("2021 Security Technology Sprawl Report").

    Why sprawl is killing security ROI
    🔹Redundancy tax: Dozens of overlapping point products siphon budget and head-count.
    🔹Alert overload: More consoles → more false positives → slower response.
    🔹Blind spots: Siloed data leaves gaps attackers love.
    🔹Burnout accelerator: Analysts spend more time babysitting tools than blocking threats.

    Rationalize or regret
    🔹Inventory & overlap map: visualize where “two is one, one is none.”
    🔹Consolidate into integrated platforms: fewer panes, richer context.
    🔹Decommission shelfware: reclaim budget for talent & automation.
    🔹Quarterly ROI checks: every tool proves value or packs its bags.

    CISOs: tool count is vanity; utilization and outcomes are sanity. What’s your owned : trusted ratio, and how are you shrinking the gap?

    Tool rationalization isn't only about reducing costs and increasing ROI. It's also about regaining control.

    #Cybersecurity #CISO #ToolRationalization #SecOps

  • Wias Issa

    CEO at Ubiq | Board Director | Former Mandiant, Symantec

    6,812 followers

    Most teams only think about cryptographic-agility after it’s too late. A vulnerability gets published. Or a regulator introduces a new mandate. Or support for an algorithm is deprecated. And suddenly, what used to be a secure-by-design system is now a liability.

    Here’s the truth: Cryptographic agility isn’t just about preparing for quantum. It’s about surviving basic operational realities:
    - Algorithms fall out of favor
    - Vendors deprecate formats
    - Threat models evolve
    - Implementation bugs surface in the wild

    If your encryption is hardcoded, deeply embedded, or coupled tightly to a single system, you’re stuck. You won’t just be patching. You’ll be rewriting, revalidating, and hoping you catch everything.

    What does crypto-agility actually look like?

    1. Abstraction at the edge: Encryption should live at the edge of your architecture. Not deep inside your codebase. Use APIs, SDKs, or services to contain crypto logic and isolate it from business logic.
    2. Algorithms are policy-driven: Your developers shouldn't need to choose between AES or a future PQC algorithm. That choice should live in policy, not code. The system should adapt without rewrites.
    3. Central control with distributed enforcement: You want visibility and governance, without introducing bottlenecks. Let the control plane define what should happen. Let the data plane enforce it close to the source.
    4. Built-in upgrade paths: If you can’t rotate keys, change algorithms, or re-encrypt without downtime, you’re not agile. Support versioning and transitional modes from the start.
    5. End-to-end observability: Agility depends on knowing how encryption is being used. Log every encryption, decryption, and policy change. Without visibility, there’s no control.

    Agility isn’t an afterthought. It’s a design principle. And once it's missing, it's nearly impossible to bolt on later.

    We wrote a deeper guide that breaks this down with real implementation examples. Link in comments.
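    An added example, not part of the post above or any vendor's code: a sketch of points 2, 4 and 5 (policy-driven algorithms, versioned upgrade paths, audit logging). It uses HMAC integrity tags as a standard-library stand-in for encryption; the policy layout and every function name are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed policy (control plane). Version numbers, digests and keys are
# illustrative assumptions, not values from the post.
POLICY = {"active": 1, "versions": {
    1: {"digest": "sha256", "key": secrets.token_bytes(32), "accept": True}}}
AUDIT = []  # every operation and policy change is recorded here


def _mac(version: int, data: bytes) -> str:
    entry = POLICY["versions"][version]
    return hmac.new(entry["key"], data, entry["digest"]).hexdigest()


def protect(data: bytes) -> str:
    """Tag data under the active policy version; callers name no algorithm."""
    version = POLICY["active"]
    AUDIT.append(("protect", version))
    return f"v{version}.{_mac(version, data)}"


def verify(data: bytes, token: str) -> bool:
    """Verify under the version in the token header, if policy still accepts it."""
    head, _, tag = token.partition(".")
    version = int(head[1:]) if head[:1] == "v" and head[1:].isdecimal() else None
    entry = POLICY["versions"].get(version)
    if entry is None or not entry["accept"]:
        AUDIT.append(("verify-rejected", version))
        return False
    ok = hmac.compare_digest(_mac(version, data).encode(), tag.encode())
    AUDIT.append(("verify-ok" if ok else "verify-failed", version))
    return ok


def rotate(digest: str) -> int:
    """Policy change: new active version and key; older versions stay verifiable."""
    version = max(POLICY["versions"]) + 1
    POLICY["versions"][version] = {
        "digest": digest, "key": secrets.token_bytes(32), "accept": True}
    POLICY["active"] = version
    AUDIT.append(("policy-rotate", version))
    return version


def retire(version: int) -> None:
    """End the transitional window for an old version."""
    if version == POLICY["active"]:
        raise ValueError("cannot retire the active version")
    POLICY["versions"][version]["accept"] = False
    AUDIT.append(("policy-retire", version))


def upgrade(data: bytes, token: str) -> str:
    """Re-tag under the active version, only after the old token verifies."""
    if not verify(data, token):
        raise ValueError("token rejected; refusing to re-tag")
    return protect(data)
```

    Calling `rotate("sha3_256")` switches new tags to version 2 while version 1 tokens keep verifying until `retire(1)` closes the transitional window; the calling code never changes.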
