
(1)

ABAP Custom Code Security

A collaboration of:

SAP Global IT & SAP Product Management for Security, IDM & SSO

(2)

SAP Global IT - ABAP custom code security

1. Introduction / Motivation
2. Custom Code Scanning Project

(3)

Code-Security for ABAP-based applications
Tasks and Responsibilities

Phase 1: Identify Security Issues
Phase 2: Fixing Security Issues

Global IT Responsibility

Phase 1 - Task: review custom specific ABAP code
Solution: tool-based approach with a specialized ABAP security scanner (Virtual Forge CodeProfiler)

Phase 2 - Task: implementation of published Security Notes
Remediate potential security gaps in ABAP custom code
Regularly search for and implement relevant security notes

SAP's Responsibility

Phase 1 - Task: review codebase of approx. 280 million lines of code
Solution: tool-based approach with an ABAP security scanner

Phase 2 - Task: process issues in SAP standard code
Solution: SAP Security Notes: currently approx. 2400 notes released (up to 10/2012)
Introduction of SAP Security Patch Day
New Secure Programming Guidelines

(4)

Entry points for security questions concerning custom developed ABAP applications

Are business critical applications and processes sufficiently protected within the custom application?
Are compliance guidelines adhered to within the custom applications?
Are data protection rules and guidelines violated through security flaws?
Get a general overview of the code quality concerning the security aspects.
Are there backdoors or malicious coding in the customer specific developments?

(Diagram centre: Custom Source Code Security)

Key Message
Ensuring security and compliance of custom developed code is key.
To secure custom developed ABAP code a highly automated solution is required.
The solution must also support the developer's requirements in daily work in a convenient way.

(5)

SAP Global IT - ABAP custom code security

1. Introduction / Motivation
2. Custom Code Scanning Project

(6)

ABAP Custom Code Project
– Functionality / Characteristics of static code profiling approach -

Proceeding:

Key Message
Virtual Forge CodeProfiler (VF CP)* uses static ABAP patterns to scan ABAP source code for potential weaknesses and issues.
Allows prioritizing countermeasures by categorizing all findings regarding impact and probability.
High number of constantly updated test cases for security checks.
In conducted scans at Global IT the VF CP* showed a low number of false positives.

Scan flow: Core SAP Business Systems -> Extract via RFC -> VF CodeProfiler* -> Analyze and Document -> Output

Sample finding as shown on the slide:
TC 33 Missing AUTHORITY-CHECK in Reports
[#46] TID=80, FID=5A66D9C5271AE8E7360B61F5F167B49D5D890A40
Package: Z_BW_CORE, Program: YBW_BW_CALL_STATISTICS

(7)

CodeProfiler Test case Examples

Test Group: Missing Authority Checks
Potential Impact: ABAP can execute business transactions without privileges. Therefore, whenever ABAP programs call functionality that requires certain privileges to run, an authority check should be made programmatically. Otherwise users might get access to restricted functionality.

Test Group: Dangerous ABAP commands
Potential Impact: These test patterns check if there are any commands used in an ABAP program that could pose a security threat. Examples are access to files and low-level system commands.

Test Group: Backdoors
Potential Impact: There are several ways to include backdoors in ABAP programs. They allow malicious developers to secretly access extra functionality by feeding certain triggers to the program.

Test Group: Hard-coded user credentials
Potential Impact: These test patterns check if there are any hard-coded user credentials in the code.

Test Group: Generic Operations
Potential Impact: Sometimes developers write code in a way that it can be used for a number of different use cases. This flexibility often results in vulnerabilities when malicious users discover unforeseen use cases nobody expected.

Test Group: Command execution
Potential Impact: In some instances, ABAP code can be generated and executed at runtime. These test patterns check if such risky practices are used and if they are exploitable.

Test Group: SQL Injection
Potential Impact: This coding defect allows malicious users to manipulate Open SQL (OSQL) statements. This can result in information disclosure and manipulation of arbitrary data in the SAP database.
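The two test groups above that map most directly onto a single report, a missing AUTHORITY-CHECK and an injectable Open SQL WHERE clause, as an added example that is not code from the deck or from Virtual Forge: the pattern such a scanner flags, beside its hardened form. It assumes the SAP flight demo table SFLIGHT and authorization object S_CARRID exist in the system; the program name and the message text are constructed.

```abap
*& Z_SEC_CARRIER_REPORT - constructed example, not from the deck.
*& Assumes SAP flight demo table SFLIGHT and authorization object
*& S_CARRID (fields CARRID, ACTVT) exist in the system.
REPORT z_sec_carrier_report.

PARAMETERS p_carr TYPE s_carr_id.        " user-supplied carrier id

DATA gt_flights TYPE STANDARD TABLE OF sflight.

*--- BEFORE: what the scanner flags --------------------------------*
* "Missing AUTHORITY-CHECK in Reports": anyone who can start the
* report reads every carrier's data. "SQL Injection": the WHERE
* clause is concatenated from input, so the OSQL statement itself
* can be manipulated.
FORM select_vulnerable.
  DATA lv_where TYPE string.
  CONCATENATE 'CARRID = ''' p_carr '''' INTO lv_where.
  SELECT * FROM sflight INTO TABLE gt_flights WHERE (lv_where).
ENDFORM.

*--- AFTER: hardened form ------------------------------------------*
FORM select_hardened.
  " 1. Programmatic authority check before reading protected data.
  "    ACTVT 03 = display.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD p_carr
    ID 'ACTVT'  FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE e398(00) WITH 'No display authorization for carrier' p_carr.
  ENDIF.

  " 2. Static Open SQL: p_carr is bound as a value and is never
  "    parsed as part of the statement, so it cannot alter it.
  SELECT * FROM sflight INTO TABLE gt_flights
    WHERE carrid = p_carr.
ENDFORM.

* If a dynamic WHERE clause is unavoidable, wrap the value with
* cl_abap_dyn_prg=>quote( ), which encloses it in single quotes and
* doubles any embedded quote so the input stays inside the literal.
FORM where_dynamic_safe CHANGING cv_where TYPE string.
  cv_where = 'CARRID = ' && cl_abap_dyn_prg=>quote( p_carr ).
ENDFORM.

START-OF-SELECTION.
  PERFORM select_hardened.
```

The hardened FORM is the one a Q-Gate check on transport release would accept; select_vulnerable is kept only to show what the two test groups report on.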

(8)

Custom Code Security at SAP Global IT
Get secure – Stay secure

Get Secure
Implementation of Virtual Forge CodeProfiler* and conduction of regular code scans
Creation of agreed procedures and guidance on how to fix potential security gaps
Analysis and remediation of security related issues identified by the Virtual Forge CodeProfiler* for the four core SAP Global IT Business Systems
Analysis and remediation of security related issues identified by the Virtual Forge CodeProfiler* for all SAP Global IT Business Systems

Stay Secure
SAP Global IT Secure Development Framework – rules and standards for the development of ABAP code
Secure ABAP development training for developers at Global IT, teaching how to develop secure ABAP code
Full integration of security checks into the ABAP development workbench with high usability for developers and quality experts, using the ABAP Test Cockpit (ATC)
Perform security checks during transport release (Q-Gate) to avoid new security related issues in production

(9)

SAP Global IT - ABAP Source Code Security Approach

(Diagram: cycle around "Custom Source Code Security" with the stages Holistic Custom Source Code Scans, Analysis and Prioritization of Issues, Remediation of Source Code Issues and Monitoring of Remediation; supporting elements Secure Programming Training and Secure Programming Guide; axes labelled Remediation, Scanning, Automat. Periodization and Automat. Monitoring; split into Project Level and Daily Operational Level)

(10)

SAP Global IT - ABAP Custom Code Security

1. Introduction / Motivation
2. Custom Code Scanning Project

(11)

Motivation for ABAP Test Cockpit

Different Tools, Different UIs, Different Results
Different checks, messages, priorities
Different code checks before release of transports
No common base for QM and developer perspective
No central point to overview the quality of

(12)

What is it?
ATC is an ABAP check framework which allows running static checks and unit tests for ABAP programs.
ATC is designed to help meet the production standard “Functional Correctness” in the ABAP world.
ATC is fully integrated into the development environment and transport tools, along with instant navigation, documentation and fix recommendations.

What are the benefits?
ATC is the single point of entry for all static code check tools.
ATC comprises a 4-eye principle exception process to handle false-positive findings effectively.
ATC is fully integrated in the ABAP development workbench with a high usability for developers and quality experts.
ATC is not only a check tool but supports essential QA techniques like Q-Gates or regression testing in a consolidation system.

(13)

Code Scanning Tools at Global IT

Syntax Check (Check, SE80)

Extended Program Check (SLIN)
Checks the syntax and internal semantics of a program.

SAP Code Inspector (SCI)
Performs extended checks, e.g. searching for obsolete ABAP statements
Additional checks, for example adherence to naming conventions or performance optimization

Virtual Forge CodeProfiler (CP)*
Test Domains: Security & Compliance
Allows prioritizing countermeasures by categorizing all findings
Establishes a baseline security level for all ABAP-based business applications
Integration into ABAP Test Cockpit and Transport Management System
High number of test domains and test cases

(Bracket label spanning the tools: ABAP Test Cockpit (ATC))

(14)

Thank You!

A collaboration of:

SAP Global IT

SAP Product Management for Security, Identity

(15)

(16)

ABAP Test Cockpit
Configuration of five-system landscape

Systems: DEV, PSS, QAS, FQA, PRD

Scanning of tasks / transports
Perform full system scan
Developers run static / unit / scenario tests on their objects
Periodic check runs to validate code of a development team
Q-experts run mass checks and distribute the results

Use ONE quality standard for Q-Gates

(17)

ABAP Test Cockpit
Availability

The ABAP Test Cockpit (ATC) is a tool for doing static and dynamic quality checks of ABAP code and associated repository objects.
The ATC is now available with EhP2 for SAP NetWeaver 7.0 with support package stack 12. Additionally, the ATC is planned for SAP NetWeaver AS ABAP 7.03 support package stack 5.

The ATC is introduced with the following releases:
SAP NetWeaver 7.0 EHP2 Support Package 12
SAP NetWeaver 7.31 Support Package 5 (planned)
SAP NetWeaver 7.32 initial release

(18)

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,

BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

© 2012 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
