1 Dr. Markus Schumacher PPT Reliable Masterfolie SAP Applications We protect your ABAP We protect your ABAP TM Code: Security, Compliance, Performance, Maintainability & Robustness
2 CONTENTS 1. About Virtual Forge 2. CodeProfiler Protecting your ABAP TM Code 3. CodeProfiler Approach and Test Domains 4. Technology Integration (SAP TMS/ChaRM, SAP BI, IBM) 5. CodeProfiler Certification and References 6. Professional Services 7. Summary & Discussion
3 1. PPT About Masterfolie Virtual Forge
4 Virtual Forge GmbH History & Facts Founded in 2001, headquarters in Heidelberg, Germany Privately held Long-term development & consultancy expertise in the area of SAP security audits SAP design and code reviews SAP penetration testing SAP Trusted Technology Partner Unique solution Virtual Forge CodeProfiler (1.0 in 2008) Data and Control Flow Analysis Automated testing of ABAP TM, ABAP Objects, BSP, WebDynpro ABAP Security, Compliance, Performance, Maintainability, Robustness Book Sichere ABAP-Programmierung, SAP Press 2009 Leading Industry Guideline for ABAP Development and Maintenance
5 Virtual Forge GmbH Vision and Promise zur environments. Erstellung von Präsentationen Virtual Forge is the leading provider for code security and quality solutions in SAP We help our clients as trusted advisor to identify code security & quality gaps. prioritize these gaps for mitigation and resolve them. significantly improve their SAP environment. We are able to offer our clients latest and market leading expertise through a clear focus on first-class research in SAP code security & quality. SAP s internal ABAP TM development uses Virtual Forge CodeProfiler in their security and quality processes. Thus, our clients benefit from first-hand experience from the world s largest SAP development projects.
6 2. PPT CodeProfiler Masterfolie Protecting your ABAP TM Code
7 Protecting your SAP applications Identify, prioritize, and mitigate issues in your ABAP TM Code Worldwide more than organizations of all sizes and industries are depending on SAP solutions and services to run their business, making SAP solutions highly critical. More than 90% of SAP applications are written in ABAP. Custom development adds specific functionality to applications Often no requirements for non-functional aspects No testing beyond functional testing Consequence: unknown risks in ABAP applications
8 How we help our Clients CodeProfiler delivering a Business Case in key areas
9 Protection by CodeProfiler Securing high risk areas in SAP infrastructures Virtual Virtual Forge Forge GmbH GmbH All All rights rights reserved. reserved.
10 Data Loss Prevention Asset Flow Analysis CodeProfiler determines, whether critical data leaves the boundaries of a trusted environment (asset flow analysis). Three simple steps 1. You define critical data (HR data, credit card numbers, etc.). 2. Conduct CodeProfiler scan against target application: results show where critical data is accessed and written to external context 3. Review findings, assess risk, and mitigate potential backdoors
11 Data Loss Prevention Sample Code Sample program accesses personal data from table PA0002. Data is passed to FORM that writes the critical data (asset). CodeProfiler highlights the flow of the assets (in red) throughout the complete program Data Loss Example PROGRAM zsimple_asset_demo. PERFORM example_asset. FORM example_asset. DATA : lv_id LIKE PA0002-PERID. SELECT PERID FROM PA0002 INTO lv_id WHERE PERNR = PERFORM example_leak USING lv_bc. ENDSELECT. ENDFORM FORM example_leak USING perid TYPE PRDNI. WRITE : / 'Social security number:', perid. ENDFORM.
12 3. PPT CodeProfiler Masterfolie Approach & Test Domains
13 CodeProfiler Engine Data and Control Flow Analysis CodeProfiler uses data and control flow analysis in combination with a comprehensive rule set that covers many data sources and dangerous ABAP TM statements. Data flow analysis is a technique that first identifies data source, i.e. points in the code where (external) data is read into variables. It then analyzes whether there are any connections between a data source and a potentially dangerous statement. Any identified connection (data flow) indicates that the dangerous statement is most likely exploitable. In addition to data and control flow analysis CodeProfiler applies further sanity tests like type checks, authority checks, usage of regular expresses etc. As a result we can prioritize the findings and improve the efficiency of the mitigation process.
14 CodeProfiler Engine Data and Control Flow Analysis
15 Testdomain Security Security This domain covers test cases related to classical security defects, i.e. code with hidden side effects that can be misused by an attacker. Visit for application security risks related to business applications. Testcases Examples: ABAP Command Injection Directory Traversal Cross-Site Scripting Missing AUTHORITY-CHECK Pishing SQL Injection
16 Protection by CodeProfiler Code Sample BIZEC APP/11 APP-01 (http://www.bizec.org) ABAP Command Injection: coding that dynamically creates and executes arbitrary ABAP programs based on user input on a productive system.
17 Testdomain Compliance Compliance This domain introduces test cases related to compliance defects, i.e. coding practices that bypass an important security mechanism in the SAP standard. Testcases Examples: Hard-coded User Name (sy-uname) Cross-Client Access to Business Data Hidden ABAP Code
18 Testdomain Performance Performance This domain includes test cases that identify coding practices that have adverse effects on the performance of an SAP system. Testcases Examples: Usage of WAIT Command Database Modifications in a Loop SELECT Statement in a Loop Usage of LIKE Clause Missing WHERE Restriction in SELECT Statement Nested SELECT Statement
19 Testdomain Quality (Maintainability) Maintainability This domain contains test cases that analyze the ABAP TM coding for issues that make the code difficult to maintain. Factors that reduce maintainability include Coding that is difficult to understand for a developer new to the project. Coding with a complex structure. Poor documentation. Testcases Examples: Empty Block Empty Module Overlong Module
20 Testdomains Quality (Robustness) Robustness This domain provides test cases that check for ABAP TM coding practices which jeopardize the reliable execution of a business application. An important benefit of having robust code is business continuity: Robust code reacts to error conditions in a controlled, reliable and predefined way. Testcases Examples: Insufficient Error Handling (TRY/CATCH) Incomplete CASE Statement Recursion (Immediate)
21 Naming Conventions Beyond Maintainability and Robustness, the test group Code Quality now also covers the frequently requested check for Naming Conventions Application specific rules different naming conventions per package Validity timeframe (from / to) Check of legacy and new code without conflicts with the applicable rules The naming conventions can be seamlessly integrated into the automated TMS/ChaRM code firewall.
22 Naming Conventions
23 CONTENTS CodeProfiler Status Quo: Getting Secure - As developer or auditor - Analysis of transports - Batch scheduling (SM37/SM36) 2. TMS/ChaRM Integration: Staying Secure - Automatic ti scan of transports t (SE10) - Approval Workflow (enforcement of requirements) 3. Work with Findings: Mitigation - Finding Manager (review, qualification and correction in SE80)
24 Predefined Roles, Menus and Authorization Objects
25 Configuration: Test Group Definition
26 CodeProfiler Analysis Packages, individual ABAP TM Object Types, or Transports
27 Batch Scheduling (SM36/SM37)
28 Result Navigation The executive summary report (PDF) contains a prioritized list of all discovered issues. This list provides immediate feedback on current business risks at code level. Following the executive summary, the full PDF report (or result navigation in the Finding Manager) contains detailed information about each finding, grouped by test cases. Each test case starts with general information about the respective issue: Introduction Business Risk Detailed Explanation Example Vulnerability Solution in General Solution Example In addition to the general information, the report lists details for all discovered d issues.
29 Working with Scan Results Finding Manager, Forward-Navigation to SE80
30 CodeProfiler finds and prioritizes Security Issues and other Findings
31 4. PPT Technology Masterfolie Integration
32 Integration in Development Process The integration into the SAP Transport Management System (TMS) enables you to check transports with CodeProfiler automatically before the actual release on task level as well as transport level (or both). You can then release them or, if required, re-route them to a defined exception handling process. The automated check before importing code into an existing system (development, consolidation, production) can be carried out in the same way as the check during the release phase. From a technology point of view, it does not make a difference whether one or more SAP Systems are connected. CodeProfiler supports the common transport and release mechanisms, such as Transport Management System (TMS), Change Request Management (ChaRM), Change und Transport System (CTS), as well as CTS plus. Integration with additional tools such as theguard! TransportManager by REALTECH, Transport Express by Basis Technologies, or other products is possible. The Virtual Forge CodeProfiler standard shipment includes a preconfigured SAP workflow (notification and approval workflow) for release, QA and exception processes.
33 TMS/ChaRM Integration Requirements Paper Development CodeProfiler Test/QA Production TMS gatekeeper D60 EhP4 Q60 EhP4 P60 EhP4 Exception via QA
34 Approval Workflow Governance & Compliance in Development Process Reject QA / PL Review Developer Develop Release Review Reque est Change Approve CodeProfiler Parse False TMS kay O Transp.
35 Options of TMS/ChaRM Integration A. PPT Workflow Masterfolie Process: zur Erstellung CodeProfiler allows von to transport Präsentationen CodeProfiler declines to transport Developer ask QA instance via approval workflow for exception Yes, transport will be released (compliance: document exceptions) No, back to development B. Simplified Process: Developer may decide on his own discretion to release transport although CodeProfiler reported issues Appropriate approach depends on your requirements - Organization (small, large) Compliance (4 eyes principle) - Reliability / Stability Speed (fixes, development)
36 Enforcement of ABAP TM Guidelines Flexible Definition of Gatekeeper Functionality
37 TMS/ChaRM Integration (SE10)
38 High Availability CodeProfiler is often used in large system landscapes in order to monitor the entire code base (legacy and new ABAP code) Making this more effective, several CodeProfiler instances can now be flexibly assigned to several SAP systems (m x n) That way, scans can be easily parallelized and the high availability of the code audit infrastructure can be achieved The implementation of a large scale CodeProfiler infrastructure is now simpler and built-in
39 High Availability n x m relations between CodeProfiler and SAP system SAP D01 SAP Q01 SAP D02 SAP Q02 CodeProfiler CPSERVER1 CPSERVER2 CPTMSSERV1 CodeProfiler CPSERVER3 CPSERVER4 CPTMSSERV2
40 Dashboard in SAP BI
41 Dashboard in SAP BI
42 CodeProfiler is Ready for Rational zur Scans Erstellung of Java von applications Präsentationen Technical integration
43 Integration IBM AppScan Source Edition Triage of findings in your ABAP TM Code
44 Integration IBM AppScan Source Edition Drill-Down by Vulnerabilities only (all impact levels)
45 Integration IBM AppScan Source Edition Drill-Down by Vulnerabilities (High Impact only)
46 Integration IBM AppScan Source Edition ABAP TM analysis with data flow, code details and description
47 5. PPT CodeProfiler Masterfolie Certification and References
48 CodeProfiler protects SAP Aiming to expand the quality assurance of SAP software enhancements, SAP has licensed the testing software CodeProfiler, developed by the ABAP programming language security specialist, Virtual Forge. This is the first solution on the market that is designed for static analysis of ABAP applications with a specific focus on security and compliance tests. CodeProfiler offers SAP customers that have developed their own ABAP code, extensive quality assurance. Security is important to us and to our customers. It s good to see that our trusted partner Virtual Forge provides a tool for security test automation. Now all our customers can establish a baseline security level in their ABAP code. SAP Executive Board Member Gerhard Oswald (2009)
49 CodeProfiler is SAP Certified CodeProfiler has successfully completed SAP s integration certification program. This proves that CodeProfiler is an extremely reliable solution for your SAP environments. In addition, Virtual Forge is now listed as an official SAP Software Partner.
50 Linde Gases Division Linde Group Gases Division: It s very important for us to maintain full control over our coding. To increase the effectiveness and efficiency of our system development at Linde, we mainly work with external ABAP developers. Ever since we ve been using CodeProfiler, the developers have become more aware and are delivering better code quality. Stephan Sachs, Manager Application Security. CodeProfiler Benefits for Linde Efficiency: CodeProfiler allows for an automated ABAP analysis that effectively fulfills the quality requirements of Linde and its customers. Control: With the help of CodeProfiler, Linde can ensure highest quality standards when cooperating with external ABAP developers. Governance: CodeProfiler provides automated compliance checks that meet the company s requirements and process standards. Quality is integrated into the development process and not the result of arbitrary actions. Cost Savings: CodeProfiler reduces the risk related to malicious code and minimizes the time needed for code inspection and debugging. A quality investment that pays: Today, CodeProfiler is an established quality assurance tool at Linde.
51 Other selected References Linde Group Gases Division: It s very important for us to maintain full control over our coding. To increase the effectiveness and efficiency of our system development at Linde, we mainly work with external ABAP developers. Ever since we ve been using CodeProfiler, the developers have become more aware and are delivering better code quality. Stephan Sachs, Manager Application Security. Mölnlycke Healthcare (Schweden): The use of Virtual Forge s CodeProfiler software for verifying all code has revolutionized our way of working, without t any significant ifi effort or cost. We now have gained control over the coding quality and relating security risks. Roderik Mooren, IT Director. SIEMENS AG uses Virtual Forge CodeProfiler.
52 SAP Custom Code Security Service Powered by Virtual Forge CodeProfiler
53 6. PPT Professional Masterfolie Services
54 Virtual Forge Service Portfolio Services: Virtual Forge supports customers as a Trusted Advisor and delivers high quality Professional Application Audits with the Virtual Forge CodeProfiler Review and Changes of the development lifecyclel Implementation of the Virtual Forge Development Guidelines into your development process ClassroomTraining Secure ABAP TM Coding Project driven Audits Penetrationtests Fixing of Vulnerabilities Coordination of Consulting Partners Set Up of a transparent t Security and Compliance Environment With Virtual Forge as your Partner for Security and Compliance in ABAP Developments in small and huge system landscapes and projects you will get value out of a lot of experiences and expert know how.
55 6. PPT Summary Masterfolie & Discussion Feedback is always welcome!
56 Why should you use CodeProfiler?! CodeProfiler is the tool of choice for in-depth ABAP TM analyses Security, Compliance, Performance, Maintainability, Robustness Prioritization helps you to define the mitigation plan Governance and Compliance in your Development Process No single line of code enters your SAP -System without a thorough check ( Code Firewall ) Enforcement of Security and Quality standards for ABAP development Controlled roll-out: tighten scan profile over time in a grace period Accountability and compliance: exceptions are documents via four-eyes principle in approval workflow Possible to integrate CodeProfiler in popular transport management systems (SAP TMS, Solution Manager ChaRM, Realtech theguard!, Basis Technologies Transport Express, etc.)
57 Value Proposition Cost PPT effectiveness: Masterfolie running safe business processes Be prepared for cyber attacks and industrial espionage: prevent security weaknesses and backdoors Value for money: control externally supplied ABAP TM code (offshore/nearshore/vendor) No invest in own content needed, no maintenance of content State-of-the art security content in the standard release Always up-to-date content with new releases (active research & continuous updates) Ease of use: check your ABAP while you write it Run CodeProfiler as developer while you write code (like spell checker ) Run CodeProfiler as QA manager (like lector of a book ) Fully integrated in SAP standard environment: SE80, TMS/ChaRM
58 Value Proposition Being in control: governance & compliance at the process level Central control for new ABAP TM code - gatekeeper for code in the development process ) - governance at the process level (TMS-Integration) Approval workflow - compliance regarding coding standards Use the standard: CodeProfiler is industry ready Auditors (internal / external) use CodeProfiler in company audits Customers worldwide use CodeProfiler for QA & Compliance including SAP, Siemens, Linde, Munich Re, and many more Scan your ABAP anytime in one run: unparalleled analysis speed: up to Lines of Code per Second, results available instantly Gartner selected Virtual Forge as Cool Vendor for the SAP Ecosystem 2011
59 Your questions? VIRTUAL FORGE Dr. Markus Schumacher Speyerer Straße Heidelberg Deutschland Telefon: + 49 (0) Fax: + 49 (0) VIRTUAL FORGE Distributor in Scandinavia ADSOTECH Scandinavia Oy Ilmakuja 4 a ESPOO Finland Telefon: Fax: