• No results found

The Security Development Lifecycle at SAP How SAP Builds Security into Software Products

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "The Security Development Lifecycle at SAP How SAP Builds Security into Software Products"

Copied!
7
0
0

Loading.... (view fulltext now)

Download now ( 7 Page )

Full text

(1)

SAP Security Concepts and Implementation

The Security Development Lifecycle at SAP

How SAP Builds Security into Software Products

AP

affiliat

e c

omp

an

y.

All right

s r

es

er

(2)

Table of Contents

4

Integrating Security Right from the Start

4 Establishing a Standard for

Product Security

5 Quality Gates

5 Regulatory Compliance

5 Testing During Development

5 Product Security Consulting

6 Product Security Education and Training

6 Threat Modeling

(3)

SAP builds security into its software right from the

beginning. Because the strategy to achieve and maintain

security in SAP® software is so thorough and so well

conceived, SAP customers can:

Know they are running business processes on

products that have been carefully tested

Benefit from stable, secure software today and in

the long run

Achieve sustained regulatory compliance

Rely on a group of world-class security experts

professionally dedicated to managing product

security at SAP

Developing secure software requires a strategy

that covers not just the entire product lifecycle

but the product’s complete investment

program as well, starting with product concept

and embracing design, development, and

even shipment. Postdelivery, SAP continues

to protect its software by providing security

patches, so customers can

mitigate the

latest-breaking challenges to software security.

(4)

Even the most effective security measure will fail to deliver on expectations if it is implemented poorly. High-quality code is the most important basis for building secure products. To address this key issue, SAP approaches product security holistically to make sure there is no missing link. And the security development lifecycle in place at SAP makes sure product code is of the highest quality.

ESTABLISHING A STANDARD FOR

PRODUCT SECURITY

SAP employs a framework for product development to enforce a standard for achieving high product security and quality. The framework covers all organizational phases associated with product investment, from the initial decision to create the product to project execution and postdelivery. The framework is designed to see that security is built right into the software

so that all security and privacy requirements are fulfilled. The set of requirements is not static, however. It is updated on a continual basis from information provided by public sources dedicated to ferreting out and publishing software vulnerabili-ties. Just some of these sources include Common Weakness Enumeration (CWE), a software community that maintains a catalog of detected software vulnerabilities; Common Vulnerabilities and Exposures (CVE), a database of docu-mented computer security weaknesses; SANS Institute; and Open Web Application Security Project (OWASP), an open-source Web application project.

The product standard for security at SAP is based on SAP’s long tradition of building reliable and secure software. The standard encompasses a wide range of methodologies and measures, such as threat modeling, security assessment, security consulting for development teams, and training.

(5)

Quality Gates

SAP products in development undergo checks at specific points called quality gates (Q-gates). These are mandatory milestones that occur at each major stage in the development of a product. Not only is the quality of the software product assessed at these Q-gates, but the product must pass each Q-gate before it can move on to the next lifecycle phase. Q-gates verify the functionality and security of a product, along with performance and usability.

Regulatory Compliance

SAP has governance policies in place to oversee that whatever work is performed during the security development lifecycle complies with applicable legal requirements. These policies also require that each SAP software product meets all appli-cable legal regulations in the markets to which the software is to be shipped.

Testing During Development

Source code reviews, architecture audits, penetration tests, and security source code scans (static analysis) are integral parts of the security development lifecycle at SAP. SAP runs a scalable test infrastructure that seamlessly integrates with product development. This infrastructure ensures that every product is thoroughly tested before it is released.

Product Security Consulting

A team of world-class security experts helps product teams understand, address, and resolve complex security issues. This highly specialized internal security consulting enables SAP product teams to get architectures right from the outset and helps them eliminate potential security issues early on in the development process – before any code is committed.

The product standard for security at SAP

is based on SAP’s long tradition of building

reliable and secure software.

(6)

Product Security Education and Training

Awareness drives improvement. Security consulting plus in-depth training are key elements for enabling the develop-ment community at SAP to build and maintain secure soft-ware. In addition to developers, the vast majority of customer-facing people at SAP are familiar with the security “big picture” at SAP.

Threat Modeling

SAP introduced a refined threat modeling process within its security development lifecycle. Threat modeling is a proven method for achieving high product security. In addition, threat modeling provides tangible economic advantages by enabling developers to find and eliminate design issues at an early stage.

Find Out More

To learn more about the framework SAP uses to achieve world-class product security, please contact your SAP representative.

(7)

© 2013 SAP AG or an SAP affi liate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifi cations may vary.

These materials are provided by SAP AG and its affi liated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

References

Download now ( PDF - 7 Page - 547.24 KB )

Related documents

Spotlight on Americans 50+

Awareness of video chat, voice control, text-to-voice and voice-to-text technologies often available as features on consumer electronics devices is moderate among those ages 50+

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

– Application security training for developers, security professionals, and auditors – Software development lifecycle development (SDLC) consulting.. – Application security

SAP SECURITY OPTIMIZATION

1) Log on to the Portal as administrator. 2) Choose System Administration -> System Configuration -> Knowledge Management. 3) In Content Management, choose Utilities ->

QT Interval Prolongation Associated with Amiodarone Use in Cipto Mangunkusumo Hospital, Jakarta

In the present study, we found significant frequent of QT interval prolongation in the group receiving amiodarone or other drug causing QT prolongation, either alone or

SAP NetWeaver 04 Security Guide. Security Guide for SAP Mobile Infrastructure

If multiple users are using the same mobile device, they all need their own user IDs and must keep the ID and synchronization password synchronous with the settings used on

Quick Guide to Implementing the SAP Extended Financial Planning rapiddeployment

The product Security Guide provides an overview of the security-relevant information that applies to the SAP Business Planning and Consolidation version for the applicable

Security and Your SAP System When Working with Winshuttle Products

Identifying who users are, challenging them with a user name and password, and generally administering users is performed inside the SAP system but can be augmented using

Spatial Profit Differential of Yam Marketing in Gombe Metropolis, Gombe State, Nigeria.

In comparison of the four (4) selected markets in the study area, the result shows that the maximum average selling price and as well as the average profit were obtained in