SEC 108 How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review Process
Giovanni Rondinelli, SAP Data Management & IT Performance Lead, UTC Pratt & Whitney
© 2015, Virtual Forge, Inc. All rights reserved.
This document does not contain technical data to the EAR or ITAR.
Agenda
About UTC Pratt & Whitney
Challenges
Solution
Results
Recommendations
Your Speaker Giovanni Rondinelli
Responsible for SAP Performance, Data Management, and HANA deployment
20 years of SAP experience
Worked at SAP for 7 years
At Pratt & Whitney for almost 12 years
About UTC Pratt & Whitney
Founded in Hartford, Conn., in 1925
A United Technologies Corp. company
World leader in the design, manufacture and service of aircraft engines
Revenues: $14.5 billion (2014)
Operating Profit: $2.0 billion (2014)
More than 11,000 customers around the world
Approximately 33,500 employees worldwide
Challenges: Limitations
Limitations with the existing process:
Complex, slow and expensive review process
Required extensive manpower and heavy time commitment
Cumbersome email-based system with a lot of back-and-forth
Manual process resulting in the inconsistent application of code review standards
Previous performance process tool not available to developers
Challenges: Goals and Requirements
Goals:
Lower cost
Reduce risk
Streamline and simplify the code review process
Requirements:
Maintain and improve code security
Improve quality of custom ABAP code
Implement user-friendly, standard tools for all developers
Cost to correct increases exponentially
Average cost of a single code correction:
DEV  $100
QAS  $1,000
PRD  $10,000
[Chart: cost per correction over time across DEV, QAS and PRD; stages shown are Development (UI5/Eclipse, SE80), TMS, Functional Testing (QA/UAT) and Go Live]
Top 11 ABAP code security tests

ID      Vulnerability                                                   Description
APP-01  ABAP Command Injection                                          Execution of arbitrary ABAP commands
APP-02  OS Command Injection                                            Execution of arbitrary OS commands
APP-03  Native SQL Injection                                            Execution of arbitrary SQL commands
APP-04  Improper Authorization (Missing, Broken, Proprietary, Generic)  Missing or incorrect authorization checks
APP-05  Directory Traversal                                             Unauthorized write/read access to files (SAP server)
APP-06  Direct Database Modifications                                   Unauthorized access to SAP standard tables
APP-07  Cross-Client Database Access                                    Cross-client access to business data
APP-08  Open SQL Injection                                              Malicious manipulation of Open SQL commands
APP-09  Generic Module Execution                                        Unauthorized execution of modules (reports, FMs, etc.)
APP-10  Cross-Site Scripting                                            Manipulation of the browser UI, identity theft
APP-11  Obscure ABAP Code                                               Hidden/untestable ABAP code
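An added illustration of one row of this table, APP-08 Open SQL injection, written for this page rather than taken from the deck or from CodeProfiler: the same lookup in the dynamic form a scanner would flag, in an escaped dynamic form, and in the static form that needs no escaping. It assumes the SAP demo table SFLIGHT; the class name lcl_flight_query and the sample carrier code are constructed.

```abap
REPORT z_open_sql_demo.

" Constructed example for finding APP-08 (Open SQL injection).
" Assumes the SAP demo table SFLIGHT; lcl_flight_query is a hypothetical name.
CLASS lcl_flight_query DEFINITION.
  PUBLIC SECTION.
    TYPES tt_flights TYPE STANDARD TABLE OF sflight WITH DEFAULT KEY.
    " Vulnerable: the caller's value is spliced into a dynamic WHERE clause.
    " A single quote inside iv_carrid ends the literal, so the rest of the
    " value is parsed as part of the condition and the selection can be widened.
    METHODS select_unsafe
      IMPORTING iv_carrid TYPE string
      RETURNING VALUE(rt_flights) TYPE tt_flights.
    " Hardened dynamic form: cl_abap_dyn_prg=>quote doubles embedded quotes
    " and wraps the value, so it can only be read as a single literal.
    METHODS select_escaped
      IMPORTING iv_carrid TYPE string
      RETURNING VALUE(rt_flights) TYPE tt_flights.
    " Preferred form: static Open SQL with a host variable; the value is bound
    " as data and never parsed, so no escaping is needed at all.
    METHODS select_static
      IMPORTING iv_carrid TYPE string
      RETURNING VALUE(rt_flights) TYPE tt_flights.
ENDCLASS.

CLASS lcl_flight_query IMPLEMENTATION.
  METHOD select_unsafe.
    DATA(lv_where) = |CARRID = '{ iv_carrid }'|.
    SELECT * FROM sflight WHERE (lv_where) INTO TABLE @rt_flights.
  ENDMETHOD.

  METHOD select_escaped.
    DATA(lv_where) = |CARRID = { cl_abap_dyn_prg=>quote( iv_carrid ) }|.
    SELECT * FROM sflight WHERE (lv_where) INTO TABLE @rt_flights.
  ENDMETHOD.

  METHOD select_static.
    SELECT * FROM sflight WHERE carrid = @iv_carrid INTO TABLE @rt_flights.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " The carrier code would normally come from a selection screen or an RFC
  " caller; 'LH' is a constructed sample value.
  DATA(lo_query) = NEW lcl_flight_query( ).
  DATA(lt_flights) = lo_query->select_static( 'LH' ).
  WRITE: / |Flights found for LH: { lines( lt_flights ) }|.
```

A scanner such as the one the deck describes flags select_unsafe because untrusted data reaches a dynamic WHERE clause unescaped; select_static is the form that removes the finding rather than mitigating it.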
Solution: Automated Scanning
ABAP Scanning:
Accurate results with prioritized findings
Comprehensive testing for security, performance and quality
Tightly integrated with SAP and the development process (available to all developers in the entire process)
Detailed remediation instructions for on-the-job training (good for new developers)
Automated audit reports
Solution: A simple approach: Assess – Safeguard – Optimize
Assess: Continually test and correct ABAP code during development. Inspect the entire code base regularly.
Safeguard: Implement automatic code testing to prevent risky code from reaching your productive systems.
Optimize: Continually improve code to close security and quality gaps.
[Cycle diagram: SAP Security, Compliance & Quality; 1. Assess, 2. Safeguard, 3. Optimize]
Solution: Incorporating into HANA Roadmap
HANA Roadmap:
Leverage CodeProfiler for code remediation in preparation for ECC on HANA
Hybrid Performance Analysis in ECC
Results: Benefits Realized
Effective governance: less effort and reduced costs
Quality standards set for internal/external developments
Accurate and resource-saving analysis and evaluation
Reduction of security and compliance risks
Reduced risk from cyber-attack, fraud and system downtime
Reduced development costs
Considerable cost reduction for development and maintenance by improving program quality
Improved availability: faster and safer programs
Reduced runtime and hardware utilization through improved performance
Minimized system failures and downtime using selective corrections
Results: Today
Nothing goes through unless the ABAP scan is clean
Big improvements across the entire code review process
All developers have access to CodeProfiler
Common process for new and existing development objects
More consistent code reviews
Reduced overall code review time by 70%
Reduced overall cost of review by 65%
No code-related incidents since implementation
TMS integration with approval and escalation process
Continue to automate additional parts of the process and further reduce costs
Recommendations
Include automated tools in your reviews in order to lower risk of costly errors
Provide a solution all developers can use
Simplify your review process with automated code scanning tools
Expedite your reviews through automation in order to save time and money
Use automation to fulfill security, performance and quality requirements
You cannot fix everything at once. It’s an ongoing process.
Scanning by Developers During Development (ECC)
[Screenshot: online development scans]
Key Takeaways
CodeProfiler has become an important asset to our quality review process
Easy to implement and maintain
Little or no training required for developers
Quick acceptance by the developers. Developers become better developers
CodeProfiler did not eliminate the need for code reviewers
The approval process still exists, but CodeProfiler made the process easier and faster
Virtual Forge CodeProfiler: Free Risk Assessment Offer!
How good is your SAP system? Visit www.virtualforge.com
Free SAP system risk assessment / penetration test covering SAP configuration and custom code (quality, compliance, security), delivering:
Summary of findings
Prioritization and classification of vulnerabilities
Specific examples of findings
Code and system metrics
Disclaimer
© 2015 Virtual Forge Inc. All rights reserved.
SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are the trademarks of their respective companies.
Information contained in this publication is subject to change without prior notice. It is provided by Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in this publication. Information contained in this publication does not imply any further liability.
Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.