Security Think beyond! Patrick Hildenbrand, SAP HANA Platform Extensions June 17, 2014

Transcription

1 Security Think beyond! Patrick Hildenbrand, SAP HANA Platform Extensions June 17, 2014

2 Disclaimer This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent SAP (Schweiz) AG. All rights reserved. 2

3 Security What is the problem realm? SAP GRC Security Management SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SSL/TLS Mobile Security SAP ID Service SNC SCIM HANA SIEM Kerberos Cloud Security Data Privacy Security, Logging, Monitoring Read Access Logging Social identities LDAP Open ID Connect Digital Signature/e-Signature Web Services Security IT Security Lower cost Budget restrictions Raise Efficiency Enterprise Thread Detection Security Optimization Self Service Vulnerability Analysis and Testing Secure Programming Secure Software Development Lifecycle Security Services Secure by Default Confidentiality Authorization Non-repudiation Integrity Authentication 2014 SAP (Schweiz) AG. All rights reserved. 3

4 Source Code The Source of the Risk

5 Business Applications do have a History Today's business applications are often Grown over the years Complex Built on changing requirements Created based on different development paradigms Optimized for Performance Extended but not reinvented And often security was only an afterthought SAP (Schweiz) AG. All rights reserved. 5

6 Application Security Testing Find vulnerabilities in the running application Manual Application Penetration Testing Automated Application Vulnerability Scanning Find vulnerabilities analyzing the sources Manual Source Code Review Automated Source Code Analysis DAST SAST SAP NetWeaver Application Server add-on for code vulnerability analysis Finding security issues at design time is easier and less expensive! 2014 SAP (Schweiz) AG. All rights reserved. 6

7 SAP NetWeaver AS, add-on for code vulnerability analysis Key trends and customer needs The more applications using the ABAP programming language are exposed via interconnected systems and mobile and cloud-based applications, the more vulnerable they are to attacks. Proactively preventing security breaches by static source code analysis is a standard precaution for many application development environments and languages. It helps to save costs by discovering issues early in the development cycle and helps to estimate the risk of an application. The tools used to evaluate the code however need to be deeply integrated into the developers toolset, easy consumable showing a high usability to foster acceptance by the development teams SAP (Schweiz) AG. All rights reserved. 7

8 Does application security pay? In a 2013 study by Kaspersky Labs, 85% of the companies interviewed have reported internal IT security incidents, and software vulnerabilities were the single biggest cause. Source: In a 2013 security workforce study from (ISC)², Application vulnerabilities were ranked highest in security concern by 69% of the respondents. Source: In a 2010 white paper from independent consulting firm Mainstay, reports software security programs not only enhance security, they can generate as much as $37M annually in economic benefits. Source: SAP (Schweiz) AG. All rights reserved. 8

9 SAP NetWeaver AS, add-on for code vulnerability analysis Product description In order to break an application, only one flaw in any of its components/functions or the infrastructure may be enough. SAP NetWeaver AS, add-on for code vulnerability analysis helps you to identify potential weaknesses in your application early in the development process to avoid this risk. Scan efficiently Reduced false-positive rate by dataflow analysis Scanning directly from within the ABAP development environment Developer guidance Detailed help and explanations to all errors Assistance to find the right location for the fix Approval workflows for false positives included Integration Integrated into standard ABAP check frameworks, SAP transport system and ABAP Test Cockpit (ATC) 2014 SAP (Schweiz) AG. All rights reserved. 9

10 SAP NetWeaver AS, add-on for code vulnerability analysis Checks Broad range of predefined checks SQL injection Code injection OS command injection Directory traversal Backdoors Prioritization of checks By the ability to control the priority of every single check, you are able to take into account your own risk and security requirements SAP (Schweiz) AG. All rights reserved. 12

11 Summary

12 Summary: Code Vulnerability Analyzer Developed by the team creating the ABAP language Tightly integrated into standard testing infrastructure Already tested and in use by SAP internally for several years Successfully piloted by customers SAP SAP NetWeaver AS, add-on for code vulnerability analysis is available as of: SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 14 SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 09 SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 09 SAP NetWeaver AS ABAP 7.4 Support Package 05 and later releases 2014 SAP (Schweiz) AG. All rights reserved. 14

13 SAP NetWeaver AS, add-on for code vulnerability analysis Produktplanung im Überblick Integration and flexibility Integration into development landscape Flexible checks Low false positive ratio Checks & Reporting Reporting capabilities with SAP Solution Manager 7.1 SP12 Support for new ABAP 7.40 language features New Checks Detection of Cross Site Scripting in BSP pages Detection of direct access to sensitive database tables Usability Context based documentation Direct navigation to dataflow Flexibility & Performance Customer defined sanitizations Public API to access scan results in ATC Optimizations in dataflow engine Reporting Improved reporting functions based on solution manager integration Ability to define a security baseline Checks Broad range of checks Prioritization of checks Today (Release 7.40 SP05) Configuration Improved administration Planned Innovations Landscape Tighter integration of old systems into check infrastructure Future Direction This is the current state of planning and may be changed by SAP at any time 2014 SAP (Schweiz) AG. All rights reserved. 15

14 Further Information SAP NetWeaver Application Server, add-on for code vulnerability analysis Roadmap presentation: ABAP Test and Analysis Tools ABAP Test Cockpit (ATC) SAP Community SAP (Schweiz) AG. All rights reserved. 16

15 SAP NetWeaver AS, add-on for code vulnerability analysis Key Takeaways Software development more efficient than ever by proactive code security checks Well accepted by developers because of tight integration into standard development environment Integrated into standard code quality checks by using existing frameworks Extends your standard checks 2014 SAP (Schweiz) AG. All rights reserved. 17

16 Thank you Contact information: Patrick Hildenbrand Product Manager SAP AG, Walldorf 2014 SAP (Schweiz) AG. All rights reserved.