/* How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review Process */ #SAPtd

SEC 108: How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review Process

Giovanni Rondinelli, SAP Data Management & IT Performance Lead, UTC Pratt & Whitney

© 2015, Virtual Forge, Inc. All rights reserved.

This document does not contain technical data subject to the EAR or ITAR.

Agenda

• About UTC Pratt & Whitney
• Challenges
• Solution
• Results
• Recommendations

Your Speaker: Giovanni Rondinelli

• Responsible for SAP Performance, Data Management, and HANA deployment
• 20 years of SAP experience
• Worked at SAP for 7 years
• At Pratt & Whitney for almost 12 years

About UTC Pratt & Whitney

• Founded in Hartford, Conn., in 1925
• A United Technologies Corp. company
• World leader in the design, manufacture and service of aircraft engines
• Revenues: $14.5 billion (2014)
• Operating Profit: $2.0 billion (2014)
• More than 11,000 customers around the world
• Approximately 33,500 employees worldwide

Challenges

Limitations with the existing process
• Complex, slow and expensive review process
• Required extensive manpower and heavy time commitment
• Cumbersome email-based system with a lot of back-and-forth
• Manual process resulting in the inconsistent application of code review standards
• Previous performance process tool not available to developers

Challenges: Goals and Requirements

Goals
• Lower cost
• Reduce risk
• Streamline and simplify the code review process

Requirements
• Maintain and improve code security
• Improve quality of custom ABAP code
• Implement user-friendly, standard tools for all developers

Cost to correct increases exponentially

Average cost of a single code correction: $100 (DEV) : $1,000 (QAS) : $10,000 (PRD)

Figure placeholder: development pipeline over time, from Development (UI5/Eclipse, SE80) through TMS and Functional Testing (QA/UAT) to Go Live, mapped onto the DEV, QAS and PRD systems.

Top 11 ABAP code security tests

ID     | Vulnerability                                                  | Description
APP-01 | ABAP Command Injection                                         | Execution of arbitrary ABAP commands
APP-02 | OS Command Injection                                           | Execution of arbitrary OS commands
APP-03 | Native SQL Injection                                           | Execution of arbitrary SQL commands
APP-04 | Improper Authorization (Missing, Broken, Proprietary, Generic) | Missing or incorrect authorization checks
APP-05 | Directory Traversal                                            | Unauthorized write/read access to files (SAP server)
APP-06 | Direct Database Modifications                                  | Unauthorized access to SAP standard tables
APP-07 | Cross-Client Database Access                                   | Cross-client access to business data
APP-08 | Open SQL Injection                                             | Malicious manipulation of OSQL commands
APP-09 | Generic Module Execution                                       | Unauthorized execution of modules (reports, FMs, etc.)
APP-10 | Cross-Site Scripting                                           | Manipulation of the browser UI, identity theft
APP-11 | Obscure ABAP Code                                              | Hidden/untestable ABAP code

Solution

Automated Scanning: ABAP Scanning
• Accurate results with prioritized findings
• Comprehensive testing for security, performance and quality
• Tightly integrated with SAP and the development process (available to all developers in the entire process)
• Detailed remediation instructions for on-the-job training (good for new developers)
• Automated audit reports

Solution: A simple approach: Assess – Safeguard – Optimize

1. Assess: Continually test and correct ABAP code during development. Inspect the entire code base regularly.

2. Safeguard: Implement automatic code testing to prevent risky code from reaching your productive systems.

3. Optimize: Continually improve code to close security and quality gaps.

Figure placeholder: the three steps form a cycle around SAP Security, Compliance & Quality.
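As an added illustration (not the deck's own material and not CodeProfiler's code), the following Python sketch shows what the "Safeguard" step amounts to in practice: a handful of source-line heuristics mapped to the deck's Top 11 rule IDs, findings prioritized by severity, and a transport gate that refuses to release code while any blocking finding remains. The regexes, severities and the ABAP sample are constructed for this example.

```python
import re
from dataclasses import dataclass

# Rule IDs follow the deck's "Top 11" taxonomy; regexes are simplified heuristics
# constructed for this example, not CodeProfiler's checks. Severity 3 = critical, 2 = high.
RULES = [
    ("APP-02", "OS command injection", 3, r"\bCALL\s+'SYSTEM'"),
    ("APP-03", "Native SQL (EXEC SQL) usage", 3, r"\bEXEC\s+SQL\b"),
    ("APP-05", "Directory traversal (dynamic file name)", 2, r"\bOPEN\s+DATASET\s+(?!')\w+"),
    ("APP-06", "Direct change to an SAP standard table", 2, r"\b(UPDATE|DELETE\s+FROM)\s+(?![yz])[a-z]\w*"),
    ("APP-07", "Cross-client database access", 2, r"\bCLIENT\s+SPECIFIED\b"),
    ("APP-08", "Open SQL injection (dynamic WHERE clause)", 3, r"\bWHERE\s+\(\s*\w+\s*\)"),
]

@dataclass
class Finding:
    rule_id: str
    title: str
    severity: int
    line_no: int
    source: str

def scan_abap(source):
    """Return findings prioritized by severity (highest first), then by line."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        code = line.split('"', 1)[0]          # drop a trailing " comment
        if code.lstrip().startswith("*"):     # skip full-line comments
            continue
        for rule_id, title, sev, pattern in RULES:
            if re.search(pattern, code, re.IGNORECASE):
                findings.append(Finding(rule_id, title, sev, no, code.strip()))
    return sorted(findings, key=lambda f: (-f.severity, f.line_no))

def transport_allowed(findings, block_at=2):
    """Release gate: the transport may leave DEV only if no finding reaches block_at."""
    return all(f.severity < block_at for f in findings)

# Constructed sample of custom ABAP; lines 6 to 9 each trip one rule.
SAMPLE = """\
REPORT zdemo_review.
PARAMETERS: p_where TYPE string, p_file TYPE string.
DATA lt_users TYPE TABLE OF usr02.
* Static WHERE clause below: no finding expected
SELECT * FROM usr02 INTO TABLE lt_users WHERE bname = 'ALICE'.
SELECT * FROM usr02 INTO TABLE lt_users WHERE (p_where).      " APP-08
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.  " APP-05
DELETE FROM usr02 WHERE bname = 'BOB'.                        " APP-06
SELECT SINGLE mandt FROM t000 CLIENT SPECIFIED INTO @DATA(lv_m) WHERE mandt = '000'.
"""
```

Running scan_abap(SAMPLE) yields four findings with the dynamic WHERE clause (APP-08) ranked first, and transport_allowed() on that list returns False, so the object would stay in DEV until the scan is clean.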

Solution: Incorporating into HANA Roadmap

• HANA Roadmap: Leverage CodeProfiler for code remediation in preparation for ECC on HANA
• Hybrid Performance Analysis in ECC

Results

Benefits Realized
• Effective governance: less effort and reduced costs
• Quality standards set for internal/external developments
• Accurate and resource-saving analysis and evaluation
• Reduction of security and compliance risks
• Reduced risk from cyber-attack, fraud and system downtime
• Reduced development costs: considerable cost reduction for development and maintenance by improving program quality
• Improved availability: faster and safer programs
• Reduced runtime and hardware utilization through improved performance
• Minimized system failures and downtime using selective corrections

Results Today

• Nothing goes through unless the ABAP scan is clean
• Big improvements across the entire code review process
• All developers have access to CodeProfiler
• Common process for new and existing development objects
• More consistent code reviews
• Reduced overall code review time by 70%
• Reduced overall cost of review by 65%
• No code-related incidents since implementation
• TMS integration with approval and escalation process
• Continue to automate additional parts of the process and further reduce costs

Recommendations

• Include automated tools in your reviews in order to lower the risk of costly errors
• Provide a solution all developers can use
• Simplify your review process with automated code scanning tools
• Expedite your reviews through automation in order to save time and money
• Use automation to fulfill security, performance and quality requirements
• You cannot fix everything at once. It’s an ongoing process.

Hybrid Performance Analysis

Automatic Scanning of All Changes

Scanning by Developers During Development (ECC)

Online development scans screenshot placeholder

Key Takeaways

• CodeProfiler has become an important asset to our quality review process
• Easy to implement and maintain
• Little or no training required for developers
• Quick acceptance by the developers
• Developers become better developers
• CodeProfiler did not eliminate the need for code reviewers
• The approval process still exists, but CodeProfiler made the process easier and faster

Virtual Forge CodeProfiler Free Risk Assessment Offer!

How good is your SAP system? Visit www.virtualforge.com

Free SAP system risk assessment / penetration test covering:
• SAP configuration
• Custom code

You receive, across quality, compliance and security:
• Summary of findings
• Prioritization and classification of vulnerabilities
• Specific examples of findings
• Code and system metrics

www.virtualforge.com @Virtual_Forge

Thank you!

Disclaimer

© 2015 Virtual Forge Inc. All rights reserved.

SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are the trademarks of their respective companies.

Information contained in this publication is subject to change without prior notice. It is provided by Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in this publication. Information contained in this publication does not imply any further liability.

Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.