ABAP Custom Code Security

A collaboration of: SAP Global IT & SAP Product Management for Security, IDM & SSO

November 2012, Public


  • 2012 SAP AG. All rights reserved. 2 Public

    SAP Global IT - ABAP custom code security

    1. Introduction / Motivation

    2. Custom Code Scanning Project

    3. Code Scanning Tools at SAP Global IT

  • Code Security for ABAP-based applications: tasks and responsibilities

    Global IT responsibility

    Phase 1 (identify security issues)
    Task: review customer-specific ABAP code
    Solution: tool-based approach with a specialized ABAP security scanner (Virtual Forge CodeProfiler)

    Phase 2 (fix security issues)
    Task: implement the published SAP Security Notes; remediate potential security gaps in ABAP custom code; regularly search for and implement the relevant Security Notes

    SAP's responsibility

    Phase 1 (identify security issues) - ABAP Source Code Project
    Task: review a code base of approx. 280 million lines of code
    Solution: tool-based approach with an ABAP security scanner

    Phase 2 (fix security issues) - SAP Security Patch Day
    Task: process issues in SAP standard code
    Solution: SAP Security Notes (approx. 2400 notes released up to 10/2012); introduction of the SAP Security Patch Day; new Secure Programming Guidelines

  • Entry points for security questions concerning custom-developed ABAP applications

    Are business-critical applications and processes sufficiently protected within the custom application?

    Are compliance guidelines adhered to within the custom applications?

    Are data protection rules and guidelines violated through security flaws?

    Get a general overview of the code quality with respect to security.

    Are there backdoors or malicious coding in the customer-specific developments?

    Key message:

    Ensuring security and compliance of custom-developed code is key.

    To secure custom-developed ABAP code, a highly automated solution is required.

    The solution must also support the developer's requirements in daily work in a convenient way.

  • SAP Global IT - ABAP custom code security

    1. Introduction / Motivation

    2. Custom Code Scanning Project

    3. Code Scanning Tools at SAP Global IT

  • ABAP Custom Code Project: functionality and characteristics of the static code profiling approach

    Key message:

    Virtual Forge CodeProfiler (VF CP)* uses static ABAP patterns to scan ABAP source code for potential weaknesses and issues.

    It allows prioritizing countermeasures by categorizing all findings by impact and probability.

    High number of constantly updated test cases for security checks.

    In the scans conducted at Global IT, VF CP* showed a low number of false positives.

    Procedure (diagram): core SAP business systems -> extract source via RFC -> VF CodeProfiler* -> analyze and document -> output

    Example finding as reported by the scanner: TC 33 Missing AUTHORITY-CHECK in Reports, [#46] TID=80, FID=5A66D9C5271AE8E7360B61F5F167B49D5D890A40, Package: Z_BW_CORE, Program: YBW_BW_CALL_STATISTICS

    * CodeProfiler is an add-on product from Virtual Forge (www.VirtualForge.com)

  • CodeProfiler test case examples

    Test group: potential impact

    Missing authority checks: ABAP can execute business transactions without privileges. Therefore, whenever an ABAP program calls functionality that requires certain privileges to run, an authority check should be made programmatically. Otherwise users might get access to restricted functionality.

    Dangerous ABAP commands: These test patterns check whether an ABAP program uses commands that could pose a security threat. Examples are access to files and low-level system commands.

    Backdoors: There are several ways to include backdoors in ABAP programs. They allow malicious developers to secretly access extra functionality by feeding certain triggers to the program.

    Hard-coded user credentials: These test patterns check whether there are hard-coded user credentials in the code.

    Generic operations: Sometimes developers write code in a way that it can be used for a number of different use cases. This flexibility often results in vulnerabilities when malicious users discover unforeseen use cases nobody expected.

    Command execution: In some instances, ABAP code can be generated and executed at runtime. These test patterns check whether such risky practices are used and whether they are exploitable.

    SQL injection: This coding defect allows malicious users to manipulate Open SQL (OSQL) statements. This can result in information disclosure and manipulation of arbitrary data in the SAP database.
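    To make the test groups above concrete, and to show the static-pattern approach of the previous slide in working form, here is an added example that is not CodeProfiler's code and not part of this deck: a small Python scanner that applies one illustrative regular-expression pattern per test group, line by line, to two constructed ABAP reports, one deliberately weak and one hardened with an evaluated AUTHORITY-CHECK and a static WHERE clause. The report names, the table ZCC_ORDERS, the authorization object Z_ORDERS, the function module name and every pattern are assumptions made for the illustration; a real scanner such as CodeProfiler tracks data flow and carries far more test cases, so this is a sketch of the approach, not a substitute.

```python
"""Miniature pattern-based ABAP security scanner (illustrative, not CodeProfiler).

One regular-expression check per CodeProfiler test group from the table above,
run line by line over ABAP source. All table names, authorization objects,
function modules and report names in the sample programs are constructed for
this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str   # test group name from the table above
    line: int    # 1-based line number in the scanned program
    text: str    # offending statement, stripped


# Illustrative patterns; a real scanner uses many more and tracks data flow.
LINE_CHECKS: list[tuple[str, re.Pattern[str]]] = [
    # Comparing the logged-on user against a literal is a classic trigger.
    ("Backdoors", re.compile(r"\bSY-UNAME\s*(=|EQ)\s*'[^']+'", re.I)),
    # Transaction or report chosen at runtime from a variable, not a literal.
    ("Generic Operations", re.compile(
        r"^\s*(SUBMIT\s*\(\s*\w+\s*\)|CALL\s+TRANSACTION\s+(?!')\w+)", re.I)),
    # A password field assigned a string literal.
    ("Hard-coded user credentials", re.compile(
        r"\b(PASSWORD|PASSWD|PWD)\b\s*=\s*'[^']+'", re.I)),
    # Dynamic Open SQL WHERE clause taken from a variable: WHERE (lv_where).
    ("SQL Injection", re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I)),
    # File access and OS command execution.
    ("Dangerous ABAP commands", re.compile(
        r"^\s*(OPEN\s+DATASET|DELETE\s+DATASET|CALL\s+'SYSTEM'"
        r"|CALL\s+FUNCTION\s+'SXPG_COMMAND_EXECUTE')", re.I)),
    # ABAP generated and executed at runtime.
    ("Command execution", re.compile(
        r"^\s*(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b", re.I)),
]
AUTH_CHECK = re.compile(r"^\s*AUTHORITY-CHECK\b", re.I)
# Database writes that a report should guard with an authority check.
PROTECTED = re.compile(r"^\s*(UPDATE|DELETE\s+FROM|INSERT\s+INTO)\s+\w+", re.I)


def scan(source: str) -> list[Finding]:
    """Return findings in source order; one entry per matching pattern."""
    findings: list[Finding] = []
    auth_seen = False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        if raw.startswith("*"):              # full-line ABAP comment
            continue
        code = raw.split('"', 1)[0]          # drop a trailing " comment
        if not code.strip():
            continue
        if AUTH_CHECK.search(code):
            auth_seen = True
            continue
        for check, pattern in LINE_CHECKS:
            if pattern.search(code):
                findings.append(Finding(check, lineno, code.strip()))
        # Crude heuristic: a write with no AUTHORITY-CHECK anywhere before it.
        if PROTECTED.search(code) and not auth_seen:
            findings.append(Finding("Missing Authority Checks", lineno, code.strip()))
    return findings


# Constructed sample: one weakness per test group, plus a comment that must not fire.
VULNERABLE_REPORT = """\
REPORT zcc_demo_vulnerable.
PARAMETERS: p_where TYPE string,
            p_tcode TYPE sy-tcode.
DATA: lt_rows TYPE TABLE OF zcc_orders,
      lt_code TYPE TABLE OF string,
      lv_prog TYPE string.
* developer note: CALL 'SYSTEM' was removed here (comment, must not be flagged)
IF sy-uname = 'DEVUSER1'.
  CALL TRANSACTION p_tcode.
ENDIF.
CALL FUNCTION 'ZCC_REMOTE_LOGON'
  EXPORTING
    user     = 'BATCHUSER'
    password = 'Secret123'.
SELECT * FROM zcc_orders INTO TABLE lt_rows
  WHERE (p_where).
DELETE FROM zcc_orders WHERE id = '1'.
OPEN DATASET '/tmp/orders.txt' FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
"""

# Constructed sample: same business logic with an evaluated authority check
# and a static WHERE clause; the scanner should report nothing.
HARDENED_REPORT = """\
REPORT zcc_demo_fixed.
PARAMETERS: p_id TYPE zcc_orders-id.
DATA: lt_rows TYPE TABLE OF zcc_orders.
AUTHORITY-CHECK OBJECT 'Z_ORDERS' ID 'ACTVT' FIELD '06'.
IF sy-subrc <> 0.
  MESSAGE e001(zcc).
ENDIF.
SELECT * FROM zcc_orders INTO TABLE lt_rows
  WHERE id = p_id.
DELETE FROM zcc_orders WHERE id = p_id.
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_REPORT), ("hardened", HARDENED_REPORT)):
        print(f"{name}: {len(scan(src))} finding(s)")
        for f in scan(src):
            print(f"  line {f.line:2d}  {f.check:28s} {f.text}")
```

    Run as a script, the weak report yields exactly seven findings, one per test group and in source order, while the hardened report yields none. The missing-authority-check heuristic is deliberately crude: it only asks whether an AUTHORITY-CHECK statement appears earlier in the program, not whether sy-subrc is evaluated afterwards or whether the check covers the right object, so an unevaluated check would still pass it. That is exactly the kind of false negative a pattern-only scanner produces, and one reason the deck pairs the scanner with secure programming training rather than relying on it alone.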

  • Custom Code Security at SAP Global IT: get secure, stay secure

    Get secure

    Implementation of Virtual Forge CodeProfiler* and conducting regular code scans

    Creation of agreed procedures and guidance on how to fix potential security gaps

    Analysis and remediation of security-related issues identified by the Virtual Forge CodeProfiler* for the four core SAP Global IT business systems

    Analysis and remediation of security-related issues identified by the Virtual Forge CodeProfiler* for all SAP Global IT business systems

    Stay secure

    SAP Global IT Secure Development Framework: rules and standards for the development of ABAP code

    Secure ABAP development training for developers at Global IT, teaching how to develop secure ABAP code

    Full integration of security checks into the ABAP development workbench, with high usability for developers and quality experts, using the ABAP Test Cockpit (ATC)

    Security checks during transport release (Q-Gate) to avoid new security-related issues in production

    * CodeProfiler is an add-on product from Virtual Forge (www.VirtualForge.com)

  • SAP Global IT - ABAP Source Code Security Approach

    Diagram (custom source code security at three levels):

    Project level: holistic custom source code scans; analysis and prioritization of issues; remediation of source code issues; monitoring of remediation

    Daily operational level: scanning; remediation; automated prioritization; automated monitoring

    Structural level: Secure Programming Guide; secure programming training

  • SAP Global IT - ABAP Custom Code Security

    1. Introduction / Motivation

    2. Custom Code Scanning Project

    3. Code Scanning Tools at SAP Global IT

  • Motivation for the ABAP Test Cockpit: different tools, different UIs, different results

    Different checks, messages and priorities

    Different code checks before release of transports

    No common base for the QM and developer perspectives

    No central point for an overview of the quality of custom code

  • ABAP Test Cockpit (ATC)

    What is it?

    ATC is an ABAP check framework that allows running static checks and unit tests for ABAP programs.

    ATC is designed to help meet the production standard "Functional Correctness" in the ABAP world.

    ATC is fully integrated into the development environment and transport tools, along with instant navigation, documentation and fix recommendations.

    What are the benefits?

    ATC is the single point of entry for all static code check tools.

    ATC comprises a four-eyes-principle exception process to handle false-positive findings effectively.

    ATC is fully integrated into the ABAP development workbench, with high usability for developers and quality experts.

    ATC is not only a check tool but supports essential QA techniques such as Q-Gates or regression testing in a consolidation system.

  • Code Scanning Tools at Global IT

    Syntax Check (Check, SE80): checks the syntax and internal semantics of a program.

    Extended Program Check (SLIN): performs extended checks, e.g. searching for obsolete ABAP statements.

    SAP Code Inspector (SCI): additional checks, for example adherence to naming conventions or performance optimization.

    Virtual Forge CodeProfiler (CP)*: test domains Security & Compliance; allows prioritizing countermeasures by categorizing all findings; establishes a baseline security level for all ABAP-based business applications; integration into the ABAP Test Cockpit and the Transport Management System; high number of test domains and test cases.

    Figure label spanning the tools above: ABAP Test Cockpit (ATC)

    * CodeProfiler is an add-on product from Virtual Forge (www.VirtualForge.com)

  • Thank You!

    A collaboration of: SAP Global IT & SAP Product Management for Security, Identity Management and Single Sign-On

  • Backup

  • ABAP Test Cockpit: configuration of a five-system landscape

    Systems: DEV -> PSS -> QAS -> FQA -> PRD

    Scanning of tasks / transports; full system scans

    Developers run static / unit / scenario tests on their objects

    Periodic check runs to validate the code of a development team

    Q-experts run mass checks and distribute the results

    Use ONE quality standard for Q-Gates

  • ABAP Test Cockpit availability

    The ABAP Test Cockpit (ATC) is a tool for static and dynamic quality checks of ABAP code and associated repository objects.

    The ATC is now available with EhP2 for SAP NetWeaver 7.0 with support package stack 12. Additionally, the ATC is planned for SAP NetWeaver AS ABAP 7.03 support package stack 5.

    The ATC is introduced with the following releases:

    SAP NetWeaver 7.0 EhP2 Support Package 12

    SAP NetWeaver 7.31 Support Package 5 (planned)

    SAP NetWeaver 7.32 initial release
