#81: Innovation, Security, Annotations
In this issue:
Full Stack SAP Security
Security specialty in the SAP world has always been an odd one. What do these people even do, and why do we need them? That’s an unspoken question in the heads of many other SAP consultants.
As Security expert Otto Gold wrote in this incisive post, “SAP Security is now officially so vast and complicated, that it no longer has much of a meaning.” If you still think this is just about assigning roles, the list of subjects in this post will make it very clear that there is way, way more to it.
Even for ABAP developers, security-related subjects have been multiplying like bunnies in spring. Weird words like SSO or OAuth are not just for Basis or Security folks anymore. When interviewing some developers recently, I realized it’s not clear what “security” even means in the web service context, for example. It might also be news to many that, by having access to an OData service, anyone could simply manipulate the URL in the browser to retrieve any exposed data. (Tobias Hoffmann has done quite a bit of that with SAP services - sometimes with alarming results. You don’t want to end up in his blog.)
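To make the OData point concrete, here is a small added example (my own constructed Python model, not SAP Gateway code and not anything from the blog posts mentioned above). It contrasts a service that relies on the UI to hide other people's records with one that enforces authorization on the server for every request, and includes the regression check a defender would run: a user authorized for one cost center edits the URL to ask for a record in another. The service path, entity set, users and authorization table are all constructed sample values.

```python
"""Constructed, minimal model of an OData read handler (not SAP's gateway code).

Shows why hiding data in the UI is not a security control: anyone who can
reach the service can request any entity set or key directly, so the
service itself must authorize every read.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: an "Employees" entity set with a cost-center attribute.
EMPLOYEES = {
    1001: {"EmployeeID": 1001, "Name": "A. Example", "CostCenter": "CC100", "Salary": 52000},
    1002: {"EmployeeID": 1002, "Name": "B. Example", "CostCenter": "CC200", "Salary": 61000},
}

# Constructed authorization model: cost centers each user may read.
# (Stands in for an authorization object or DCL access control on a CDS view.)
AUTHORIZED_COST_CENTERS = {
    "manager_cc100": {"CC100"},
    "manager_cc200": {"CC200"},
}

KEY_PATTERN = re.compile(r"^/Employees(?:\((\d+)\))?$")


def parse_request(url):
    """Return (entity key or None, query options) for
    /<service root>/Employees or /<service root>/Employees(<id>)?$select=..."""
    parts = urlsplit(url)
    # Only the last path segment (the entity set, with optional key) matters here.
    path = "/" + parts.path.rstrip("/").rsplit("/", 1)[-1]
    match = KEY_PATTERN.match(path)
    if not match:
        raise ValueError(f"unsupported path: {parts.path}")
    key = int(match.group(1)) if match.group(1) else None
    return key, parse_qs(parts.query)


def read_insecure(url, user):
    """'Before': the Fiori list only shows the user's own cost center, so the
    developer assumed nobody would ask for other keys. The service never
    checks authorization, so a hand-edited URL returns any record."""
    key, _ = parse_request(url)
    if key is None:
        return list(EMPLOYEES.values())
    return EMPLOYEES.get(key)


class Forbidden(Exception):
    """Caller is not authorized for the requested data (would map to HTTP 403)."""


def read_secure(url, user):
    """'After': authorization is enforced on the server for every request.
    Collection reads are filtered to authorized rows; a single-entity read
    of an unauthorized row is refused instead of returned."""
    key, _ = parse_request(url)
    allowed = AUTHORIZED_COST_CENTERS.get(user, set())
    if key is None:
        return [e for e in EMPLOYEES.values() if e["CostCenter"] in allowed]
    entity = EMPLOYEES.get(key)
    if entity is None:
        return None
    if entity["CostCenter"] not in allowed:
        raise Forbidden(f"{user} may not read Employees({key})")
    return entity


def leaks_cross_cost_center(handler):
    """Authorization regression check: a user limited to CC100 requests
    employee 1002 (CC200) by editing the key in the URL. Returns True if the
    handler hands the record over, False if it refuses."""
    url = "/sap/opu/odata/sap/ZEMPLOYEE_SRV/Employees(1002)"  # constructed service URL
    try:
        return handler(url, "manager_cc100") is not None
    except Forbidden:
        return False


if __name__ == "__main__":
    print("insecure handler leaks:", leaks_cross_cost_center(read_insecure))  # True
    print("secure handler leaks:  ", leaks_cross_cost_center(read_secure))    # False
```

The check is worth keeping as an automated test next to the service: it fails the moment someone "simplifies" the handler by dropping the server-side check, which is exactly the regression that field-level hiding in the UI will never catch.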
When “security” means everything and nothing at the same time, how can we have intelligent discussions around it? Next time you speak about the subject, consider being more precise. JP
Innovate the Innovation Awards
I don't always catch them right away, but I try to go out and read the SAP Innovation Awards when they appear yearly. Cynically, you expect that a vendor's award process is going to deeply involve their own offerings. Otherwise, why bother creating the awards?
There are two overall types of winners that I'll call bakers and buyers. I notice the distinction this year more starkly than usual.
Bakers take the SAP offerings and really dive deeply into crafting their own flavors on top of them. I think my favorite example this year is The Hershey Company story. There are cool design screenshots, clear business challenges, and techie mumbo-jumbo about "scalable mathematical optimization" frameworks. I come away definitely feeling like innovation happened.
Buyers' stories follow a different path:
We have $PROBLEM
We bought SAP's $SOLUTION for $PROBLEM
Innovation!
Good for the customer, and good for SAP - but this pattern doesn't leave me feeling like innovation happened. Maybe it's time to be more choosy about overall winners? Maybe it's time to ask for more details from some submissions? Customer stories are always powerful, but the innovation awards leave a little to be desired. PM
Code Review Confusion
I struggled to come up with a banger opening for this story, so I asked ChatGPT for ideas. Let me tell you: based on the response, ChatGPT is also clearly confused about what “code review” actually means.
Wikipedia calls code review a “software quality assurance activity,” which only adds to the confusion. Because “software quality” means different things to different people. Here are some common misconceptions I’ve heard about code reviews in ABAP:
“It’s to make sure there are no bugs.” Nope, that’s what testing and unit tests are for.
“It’s to check that code matches specification.” Again, that’s something testing should uncover.
“It’s about compliance with coding standards.” Uh… Do you even have standards? When were they last updated, 2012? That’s what static check tools like ATC are for anyway.
“It’s a CYA activity for the development team and/or just an ego trip.” Please seek professional help.
As Matt Billingham put it in a comment to this blog post:
Essentially the goal is for all programmers to code as though if a bug ever needs fixing at 3am on a Sunday morning, the person who has to deal with it is a psychopath who knows where you live.
Code review is your chance to talk to that psychopath in advance.
Ideally, peer reviews should be a routine part of the development process, not a step that follows. Feedback from another developer can be surprising, regardless of their experience level. Don’t wait until the transport release to hear it. JP
Reasoning Models For Fun And Profit
AI nerds out there have noticed the onslaught of "reasoning" models appearing since the announcement of OpenAI's o1 model last year. These models will continue to explode in importance, so I want to make sure my fellow SAP nerds devote some thought-time to them.
Prompting style is a little different. Refer to the image above, and when you formulate a prompt take the time to make it explicit and clear. Your goal is to give the reasoning model a clear goal. And don't be afraid to feed a LOT of context. The AI can't possibly know all about your pet z-code - you have to show it, just like you'd show a human that you wanted to collaborate with. Your mileage may vary with IT department restrictions on using AI models. I think that's unfortunate, but you probably prefer remaining employed to prompt mastery.
Hallucinations are greatly reduced - not eliminated yet! - when you use a model that can also do internet search to fill in missing information. We've all seen AIs dream up functions and features - but when they can search for the real thing, they make up less science-code-fiction. At the moment, I find OpenAI's o3 to be the best at mixing search with its thinking, but Claude and Gemini can also do this.
The other great feature, related to reasoning but offered in distinct packaging, is the "deep research" flavor that several AI makers offer. You give them a big task, involving lots of hunting around and sifting through information, and they come back to you a few minutes later with an amazing report created for you.
SAP folks: the AIs can search all of the various help portals, community pages, and internet blogs out there. For example, when I've had an intricate question about software component compatibility that couldn't really be answered by any one resource…OpenAI Deep Research nailed it.
Even if you don't believe AI can actually think, you should treat it like it can. PM
The Philosophy of Architecture
When I saw this video title, I thought it was a metaphor. Something like “The Art of <insert some non-artsy word>”. But it turns out, this NDC talk is quite literally about philosophy and [software] architecture.
It begins with the disconnect between theory and practice (“architecture in practice is sheer, unadulterated panic”) and somehow ends up in The Matrix. I hate how LinkedIn cringified the word “insightful” - it really would’ve been a perfect description for this talk.
It reminded me again of the importance of a well-rounded education for developers. Software isn’t just about design patterns or microservices. It’s about life, the world, art, history. It’s about people. We all should learn more about those fascinating creatures. JP
ANNOTATION DOMINATION
When I do CAP and RAP stuff, I often feel the weakest part of my mental model is the annotation layer. I think it’s that declarative style…I’m more accustomed to telling the computer how to do a thing, and annotations are all about the what. That makes it hard to trace a full cause-and-effect path from an annotation that the syntax checker accepts but that doesn’t seem to do anything.
So here are some of the things I do to help untangle myself. I offer these to anyone just dropping into this approach having that familiar “what the heck is going on?” feeling.
Remember and follow the chain: one line in CDS -> a block of OData metadata -> automatic UI controls. If the UI isn’t doing what you think it should, look at the metadata the service outputs. Does it have the stuff you expect in it, in the places you expect? Then follow it back to the annotations themselves.
You can put annotations in a couple of different places in the structure of an application. I find it easier to set up a one-stop-shop for the annotations early in the development process, to help me keep better awareness of all the pieces.
Comment your annotations in the same style you comment your procedural code.
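As an added example of following that chain from the metadata side (my own Python, not code from DJ Adams, CAP or RAP), here is a small checker that reads an OData V4 `$metadata` document, lists which annotation terms actually reached a given target, and flags `UI.LineItem` columns whose `Path` does not match any property of the entity type, which is one common reason an annotation passes the syntax check and then silently does nothing. The EDMX below is a constructed sample in the shape CAP emits; the service name, entity and property names are assumptions.

```python
"""Inspect OData V4 $metadata to follow the chain CDS annotation -> EDMX.

Constructed example; the EDMX document is a hand-written sample, not output
captured from a real service.
"""
import xml.etree.ElementTree as ET

EDM = "http://docs.oasis-open.org/odata/ns/edm"
EDMX = "http://docs.oasis-open.org/odata/ns/edmx"

# Constructed sample: what a CatalogService with a Books entity might serve.
# Note the deliberate dangling Path "price": the entity has no such property.
SAMPLE_METADATA = f"""
<edmx:Edmx Version="4.0" xmlns:edmx="{EDMX}">
  <edmx:DataServices>
    <Schema Namespace="CatalogService" xmlns="{EDM}">
      <EntityType Name="Books">
        <Key><PropertyRef Name="ID"/></Key>
        <Property Name="ID" Type="Edm.Int32" Nullable="false"/>
        <Property Name="title" Type="Edm.String"/>
        <Property Name="stock" Type="Edm.Int32"/>
      </EntityType>
      <Annotations Target="CatalogService.Books">
        <Annotation Term="UI.LineItem">
          <Collection>
            <Record Type="UI.DataField"><PropertyValue Property="Value" Path="title"/></Record>
            <Record Type="UI.DataField"><PropertyValue Property="Value" Path="stock"/></Record>
            <Record Type="UI.DataField"><PropertyValue Property="Value" Path="price"/></Record>
          </Collection>
        </Annotation>
      </Annotations>
      <Annotations Target="CatalogService.Books/title">
        <Annotation Term="Common.Label" String="Title"/>
      </Annotations>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>
"""


def _tag(name):
    return f"{{{EDM}}}{name}"


def annotation_map(metadata_xml):
    """Return {target: {term: [Path or String values]}} for every <Annotations> block."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for block in root.iter(_tag("Annotations")):
        terms = result.setdefault(block.get("Target"), {})
        for ann in block.findall(_tag("Annotation")):
            values = [pv.get("Path") for pv in ann.iter(_tag("PropertyValue")) if pv.get("Path")]
            if ann.get("String") is not None:
                values.append(ann.get("String"))
            terms[ann.get("Term")] = values
    return result


def entity_properties(metadata_xml):
    """Return {"Namespace.EntityType": {property names}} from every <Schema>."""
    root = ET.fromstring(metadata_xml)
    props = {}
    for schema in root.iter(_tag("Schema")):
        ns = schema.get("Namespace")
        for et in schema.findall(_tag("EntityType")):
            props[f"{ns}.{et.get('Name')}"] = {p.get("Name") for p in et.findall(_tag("Property"))}
    return props


def line_item_columns(metadata_xml, target):
    """Columns the UI.LineItem annotation asks the list report to render."""
    return annotation_map(metadata_xml).get(target, {}).get("UI.LineItem", [])


def missing_annotations(metadata_xml, target, expected_terms):
    """Terms you annotated in CDS but which never made it into the metadata."""
    present = annotation_map(metadata_xml).get(target, {})
    return [term for term in expected_terms if term not in present]


def dangling_paths(metadata_xml, target):
    """UI.LineItem paths that name no property of the target entity type."""
    known = entity_properties(metadata_xml).get(target, set())
    return [path for path in line_item_columns(metadata_xml, target) if path not in known]


if __name__ == "__main__":
    target = "CatalogService.Books"
    print("LineItem columns:", line_item_columns(SAMPLE_METADATA, target))
    print("missing terms:", missing_annotations(SAMPLE_METADATA, target, ["UI.LineItem", "UI.HeaderInfo"]))
    print("dangling paths:", dangling_paths(SAMPLE_METADATA, target))
```

Point it at the text of a real `$metadata` response instead of `SAMPLE_METADATA` and the two questions from the list above become mechanical: is the term there at all, and does every path it references exist?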
Instead of reading my boring, meandering prose, just go learn from the master, DJ Adams.
Annotate away, friends. PM
Watch the corresponding Nerdletter Talk on our YouTube channel for what’s been left behind the scenes of this issue.
An additional stop has just been added to Jelena’s European ‘Skillpocalypse’ Tour! Meet Jelena in person at SAP Community Meetup Riga on May 29th. (Come for the meetup, stay for the weekend! Riga is The New Prague!) And see Jelena’s ABAPConf presentation on June 5th in Vienna. Join the waitlist for in-person tickets or watch the live feed on YouTube.
Can’t get enough of our writing? Read Jelena’s rare EWM blog post on SAP Community.
This newsletter is written by humans. Who run mostly on coffee. Support the Boringverse by buying us a cup or two. Well, there are two of us, so two cups really should be minimum. As always, thank you for your readership and support!