Best Practices for Ensuring ABAP Code Quality and Security

Transcription

1 Best Practices for Ensuring ABAP Code Quality and Security David Chapman - Vice President of Sales it Services 2 Stephen Lamy Managing Director Virtual Forge

2 2 nd Generation SAP Consulting Firm Focused on SAP since 1996 Senior, principal and platinum level expertise Virtual Forge Sales and Services Business partner since 2012 We ve partnered with Virtual Forge because we value their commitment to excellence and their deep SAP expertise. Virtual Forge mirrors it2 values and culture. Lynne McGrew CEO, it Services 2

3 Experts in the field of SAP application security and quality Founded in 2001 CodeProfiler released 2008 Patented Data and Control Flow Static Analysis for ABAP Heidelberg, Weimar and Philadelphia

4 1. Drivers for Change: ABAP Application Landscape 2. Today s Practices? 3. BEST Practices 4. Benefits Summary

5 1. Drivers for Change: ABAP Application Landscape 2. Today s Practices? 3. BEST Practices 4. Benefits Summary

6 The Evolution of the SAP Landscape In the past Today Future Isolated systems Long release cycles Few attack vectors Security using firewalls Open systems Frequent release cycles Network boundaries disappearing Cloud-based applications Hacker attacks Open systems High frequency releases Interconnected networks IT espionage Cyber attacks & espionage

7 The Attack Surface of ABAP

8 The Attack Surface of ABAP

9 Since The Attack Surface of ABAP

10 Source of Defects Little/no technical specifications Manual/Basic code reviews Testing focused on functional aspects External/3 rd Party development Limited/no code change monitoring

11 Business Risks Cyberattacks Data theft/fraud Industrial espionage Loss of image System failures

12 Cost to Business $100 $1,000 $10,000 $$$$$ to correct defect during development to correct defect found in QA testing to correct defect in production Cost of attack or system down

13 1. Drivers for Change: ABAP Application Landscape 2. Today s Practices? 3. BEST Practices 4. Benefits Summary

14 Important Rules to Remember 1. Companies are responsible for their own custom code. 2. If you can t enforce code quality and security standards consistently, it won t work.

15 Who is responsible for the code? [ One solution, ] many capabilities Developers Test ABAP code for defects fast and reliably by performing on-line scanning as needed during development Development and Project Managers Ensures that internally and externally developed applications and third-party solutions meet pre-defined security and quality criteria IT and Security Responsibles Tests applications for full transparency of the ABAP code quality in their SAP systems

16 Who is checking? [ One solution, ] many capabilities Software Companies and SAP Partners Ensure and document the code quality of their solutions Purchasers Check Deliverables pre-defined quality criteria within the scope of tenders with a click of a button Auditors and Controllers Provided full transparency of security and compliance risks in SAP systems

17 Today s Practices? How ABAP code reviews are often done today: Manual code reviews Using top programming resources for reviews Using basic tools with limited testing and lot of falsepositive findings No effective technical code testing at all!

18 Today s Practices? Manual Code Reviews: Use valuable development resources Delay project release (or accept lower quality) Limited effectiveness due to program complexity Feedback too late in development cycle Performance/Failures in production Higher cost of mediation Few/No defined security & quality standards Styles and techniques vary by reviewer/developer

19 Today s Practices? Basic ABAP Testing Tools: Limited (and weak) testing, e.g. pattern recognition Not comprehensive for Security and Quality Not integrated with ABAP Development Workbench No on-line scanning during development Higher TCO for manual corrections No documentation/navigation for efficient mediation Inaccurate results (High false-positive rate) Loss of time spent evaluating Loss of credibility for tool Slow / Batch / Offline

20 1. Drivers for Change: ABAP Application Landscape 2. Today s Practices? 3. BEST Practices 4. Benefits Summary

21 Quelle: Success Story with Linde, Best Practices Best Practices for Ensuring ABAP code for Quality and Security 1. Online Scanning and Correction during Development 2. Testing of all Outsourced Deliverables (you are responsible!) 3. Automatic Scanning and Correction of SAP ABAP Changes 4. Static Code Analysis for ABAP

22 Best Practices : In-house Development Online Scanning and Correction during Development Define clear code standards, train, and test results! Enable online scanning during development Developers scan during unit testing for immediate feedback Fast mediation Automatic code correction Provide detailed documentation for developer training and instructions for mediation since we ve been using Virtual Forge CodeProfiler, developers have become more aware and are delivering better quality code. Stephan Sachs Manager for Application Security

23 Best Practices: Data and Control Flow Analysis METHOD read METHOD read. Input DATA: request DATA: s_html DATA: event TYPE REF TO if_http_request. TYPE string. TYPE string. request->get_form_field() Stored in variable s_html = request->get_form_field( 'mydata' ). CALL METHOD me->process EXPORTING s_data = s_html. RETURN. s_html ENDMETHOD. Passed on to another method and variable METHOD process METHOD process. DATA: s_out DATA: out TYPE string. TYPE REF TO if_bsp_writer. s_data CONCATENATE `<b>` s_data `</b>` INTO s_out. Modifed and copied to another variable out = me->get_previous_out( ). s_out out->print_string( s_out ). ENDMETHOD. Output out->print_string() Passed on to dangerous function

24 Best Practices : Outsourced Development Testing of all Outsourced Deliverables Communicate and enforce SLA s Let them know that you will be testing Test all deliverables before beginning functional testing Don t waste time functionally testing inferior code Recommend 2-4 weeks prior (at least) Test immediately? is this code safe enough for your DEV? Decide who will be responsible for corrections beforehand Plan for mediation activities who is responsible for corrections using CodeProfiler software for verifying all 3rd party code has revolutionized our way of working We now have gained control over the coding quality and security risks" Roderik Mooren, IT DirectorServices

25 Best Practice : Comprehensive Testing Security ABAP Command Injection OS Command Execution SQL Injection Broken Authority Checks Hard-Coded Usernames... Performance Usage of WAIT Command Usage of SELECT* Nested Loop Incomplete Index... s Security Tests CodeProfiler PATENTED all rights reserved QA Tests Data Loss Prevention Disclosure of Critical Data Disclosure of Source Code Maintenance of sensitive data Maintainability & Robustness Naming Conventions Nested Macro Calls Hard-coded Org Units Insufficient Error Handling... Security Performance Quality

26 Best Practices: Automatic Code Scanning ABAP Firewall: Automatic Scanning of all SAP ABAP Changes Scan all Transport Requests upon release Stop Transport Requests with defects do not allow release Compliance testing and audit trail PCI, PII, SOX, FDA, Basil II, etc. Ready for emergency corrections Bypass Firewall with approval Track flaws for mediation later Using CodeProfiler we can ensure transparency with regard to the quality of our ABAP development. Kai-Uwe Beifuß, SAP Applications

27 Best Practices: Automatic Code Scanning ABAP Firewall: Automatic Scanning of all SAP ABAP Changes

28 1. Drivers for Change: ABAP Application Landscape 2. Today s Practices? 3. BEST Practices 4. Benefits Summary

29 Benefits of Best Practices Lower Risk Detect and support mediation of vulnerabilities Cyberattacks/Espionage Performance/System failures Data Theft/Fraud/Loss Test in-/out-sourced development and 3rd party add-ons. Enforces standards for all development deliverables Clear and enforceable definition of programming standards Ensure all ABAP code changes meet Compliance and Audit requirements

30 Benefits of Best Practices Lower TCO Find problems earlier in SDLC = Lower cost to mediate defect better quality code (maintainability, performance, robustness) = Lower test and maintenance costs Reduce review & testing times = Faster delivery of new applications Automate scanning and review = Less use of (expensive) development resources Online scanning & mediation support for faster resolution = Less time for corrections and repair Better quality code = Less SAP production system issues

31 Getting Started Complimentary Scan Take the Test! see Your ABAP code Security & Compliance Performance Robustness & Maintainability Data Loss Prevention Complimentary Scan Virtual Forge CodeProfiler Summary of findings Prioritization of found vulnerabilities Specific examples of findings from your own code Code metrics Benchmark (on request)

32 Thank You! David Chapman Telephone: Stephen Lamy Telephone:

33 Disclaimer 2012 Virtual Forge Inc. All rights reserved. SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are the trademarks of their respective companies. Information contained in this publication is subject to change without prior notice. It is provided by Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in this publication. Information contained in this publication does not imply any further liability. Virtual Forge Terms and Conditions apply. See for details. Excellence 2012 in SAP Virtual Consulting Forge Inc All rights reserved.

34 THANK YOU FOR PARTICIPATING Please provide feedback on this session by completing a short survey via the event mobile application. SESSION CODE: 0814 For ongoing education on this area of focus, visit