Securing Custom SAP Code
Key Takeaways
⇨ Security is integrated into the development and maintenance of all SAP-delivered code.
⇨ Developers often lack the expertise to identify or remediate vulnerabilities in programs.
⇨ Code Vulnerability Analysis for SAP addresses these problems through automated detection of vulnerabilities in custom ABAP programs.
Secure Software Development Lifecycle
Following a secure software development lifecycle (SDL) is a fundamental requirement for all product teams at SAP. Security is integrated into the development and maintenance of all SAP-delivered code, supported by a proprietary code scanning solution that SAP uses to detect and remove security vulnerabilities during the SDL. SAP also coordinates the release of regular security patches, known as SAP Security Notes, to address vulnerabilities discovered by internal and external security researchers.
The Challenges of Securing Custom Code
SAP is responsible for maintaining the security of standard code in SAP solutions. However, SAP systems usually run a combination of standard and custom code. Custom code includes developments in ABAP and other programming languages created by customers or partners to meet business or technical requirements not met by standard SAP applications. Unlike standard code, custom code is the customer's responsibility to secure. Customers must therefore operate their own secure software development lifecycle to identify and remediate vulnerabilities in custom programs that could be exploited to breach SAP systems and compromise the confidentiality, integrity or availability of business-critical SAP applications. Typical code vulnerabilities include SQL injection, OS command injection, cross-site scripting, directory traversal, and missing or insufficient authorization checks.
Securing custom code is a significant challenge for SAP customers. Developers often lack the expertise to identify or remediate vulnerabilities in programs. Manual review of programs is also time consuming for programs with thousands of lines of code. It can also be error-prone, leading to numerous false positives and false negatives.
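To make two of the vulnerability classes above concrete, here is an added ABAP illustration (not code from the original page or from the product it describes): a custom report with a missing authorization check and a SQL injection through a dynamic WHERE clause, followed by the hardened version. Object names starting with Z are hypothetical; SFLIGHT and the authorization object S_CARRID are SAP's standard flight demo data model, and CL_ABAP_DYN_PRG ships with AS ABAP.

```abap
*&---------------------------------------------------------------------*
*& Added example, not from the original page. Z-names are hypothetical;
*& SFLIGHT / S_CARRID are the standard SAP flight demo objects.
*&---------------------------------------------------------------------*
REPORT z_flight_lookup.

PARAMETERS: p_carrid TYPE s_carr_id,
            p_filter TYPE c LENGTH 40 LOWER CASE.

DATA: lt_flights TYPE STANDARD TABLE OF sflight,
      lv_where   TYPE string.

*----- BEFORE: vulnerable ---------------------------------------------*
* 1) No AUTHORITY-CHECK: anyone who can start the report reads every
*    carrier's data regardless of their S_CARRID authorizations.
* 2) p_filter is concatenated into a dynamic WHERE clause. Input such as
*      X' OR '1' = '1
*    becomes part of the query instead of being compared as data.
lv_where = |CARRID = '{ p_carrid }' AND PLANETYPE = '{ p_filter }'|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

*----- AFTER: hardened ------------------------------------------------*
* 1) Check the standard authorization object before reading data.
AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD p_carrid
  ID 'ACTVT'  FIELD '03'.              " 03 = display
IF sy-subrc <> 0.
  MESSAGE 'Not authorized for this carrier' TYPE 'E'.
ENDIF.

* 2a) Preferred fix: no dynamic SQL at all. Host variables are bound as
*     data, so a quote in p_filter can never change the statement.
SELECT * FROM sflight INTO TABLE lt_flights
  WHERE carrid    = p_carrid
    AND planetype = p_filter.

* 2b) If the clause really must be dynamic, escape every embedded value
*     so a quote inside it cannot terminate the literal.
lv_where = |CARRID = '{ cl_abap_dyn_prg=>escape_quotes( p_carrid ) }'| &&
           | AND PLANETYPE = '{ cl_abap_dyn_prg=>escape_quotes( p_filter ) }'|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
```

The "before" block is exactly the pattern a static scanner looks for: a data flow from a selection-screen parameter into a dynamic token of an Open SQL statement with no sanitizing call in between, plus a database read with no preceding AUTHORITY-CHECK. Variant 2a removes the finding entirely; variant 2b is the fallback when the WHERE clause must be assembled at runtime, and the scanner recognizes CL_ABAP_DYN_PRG methods as valid sanitizers.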
Code Vulnerability Analysis for SAP
Code Vulnerability Analysis for SAP addresses these problems through automated detection of vulnerabilities in custom ABAP programs. The add-on for SAP NetWeaver Application Server ABAP (AS ABAP) scans custom developments to detect over 100 vulnerability types in ABAP code. Code Vulnerability Analysis for SAP performs static code analysis to discover paths in code where non-validated user input can inject malicious code or database queries. It also performs dynamic security testing to reveal unprotected access paths, indirect object references, or errors that could lead to privilege escalation. The solution can be used during the development and maintenance phases of the SDL to secure both new developments and running applications in SAP systems. For running applications, it performs interactive code analysis through scheduled scans that detect changes in productive applications, including the introduction of potentially malicious code.
Test cases include the discovery of calls to critical authorizations, function modules, reports, tables, and transactions. This includes standard and custom objects. It also identifies developments using insecure settings for FTP, RFC and other communication paths in Application Programming Interfaces (APIs). Code Vulnerability Analysis for SAP integrates with the SAP Transport Management System (TMS) to automatically block transport requests with unresolved security errors or warnings. It also integrates with development tools including the ABAP Test Cockpit (ATC) and Eclipse. Each finding includes a detailed breakdown of the vulnerability including a risk analysis and instructions for remediating the security weakness with sample code to illustrate the recommended fix. Code Vulnerability Analysis for SAP is a vital component of a secure software engineering process. It ensures custom SAP programs comply with the same security standards as standard SAP code to help protect SAP systems from the growing threat of cyber attack.
The solution can be licensed as a standalone subscription service. It is also included with the subscription for the Cybersecurity Extension for SAP.