SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis. Patrick Hildenbrand, Product Management Security, SAP AG September 2014

Transcription

1 SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Patrick Hildenbrand, Product Management Security, SAP AG September 2014

2 Disclaimer This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent SAP AG. All rights reserved. 2

3 Source Code The Source of the Risk

4 Current software security vulnerability situation Your software is everywhere How can you be sure that these highly accessible applications are also highly secure? Today's business applications have a history Grown over the years Complex Built on changing requirements Created based on different development paradigms Optimized for Performance Extended but not reinvented 2012 SAP AG. All rights reserved. 4

5 Application Security Testing Security Testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security Neither DAST nor SAST are a guarantee to find all security issues in an application DAST find vulnerabilities in the running application find vulnerabilities analyzing the sources SAST Manual Application Penetration Testing Manual Source Code Review Automated Application Vulnerability Scanning Automated Source Code Analysis 2012 SAP AG. All rights reserved. 5

6 Does application security pay? In a 2013 study by Kaspersky Labs, 85% of the companies interviewed have reported internal IT security incidents, and software vulnerabilities were the single biggest cause. A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts. Examples of costs related to attacks exploiting software vulnerabilities: Retailer (2007): $ 250 million Electronics manufacturer (2011): $ 170 million Payment Systems company (2009): $ 41 million 2012 SAP AG. All rights reserved. 6

7 Automated Detection of Weaknesses in ABAP Sources

8 SAP NetWeaver Code Vulnerability Analyzer Feature Set Reduced False-Positive rate by data flow analysis Supports exemption workflows to ease handling of false positives Integrated into standard ABAP development infrastructure to enable easy consumption by developers Increased Security for your Applications Supports automation requirements by Quality Assurance Teams Priority of each check can be adjusted to match the requirements Extensive Documentation to support developers in fixing issues found 2012 SAP AG. All rights reserved. 8

9 Introductory Example: SQL Injection Input for street: xyz' salary = '1500 set_expr: STREET = 'xyz' salary = '1500'... SET STREET = 'xyz' salary = '1500' 2012 SAP AG. All rights reserved. 9

10 How Code Vulnerability Analysis will work 1. There is an input field 3. There is a data flow between the input field and the dangerous statement 2. There is a potentially dangerous statement The Code Analyzer is searching for potentially vulnerable statements, where the input comes from untrusted sources. Only such occurrences will be reported! 2012 SAP AG. All rights reserved. 10

11 Integrated into standard developer tools Based on the integration into the ABAP Test Cockpit, the code checks can easily be launched from most developer tools like SE80, SE38 and more. You can not only launch checks for single objects but also for groups of objects 2012 SAP AG. All rights reserved. 11

12 Supporting the Developer in fixing his code Detailed documentation of detected issues including explanation on the nature of the weakness and information on how to avoid it makes it easy for the developer to understand and fix the issue. The tool supports direct navigation to - the location in his sources - the related documentation - the workflow to create an exemption to allow efficient handling of findings SAP AG. All rights reserved. 12

13 Corrected Program This method adds ' ' around the value of street and escapes every ' within the value. Note: phone is an integer type and does not need to be escaped SAP AG. All rights reserved. 13

14 Fine Granular Control of Priorities By the ability to control the priority of every single finding, you are able to take into account your own risk and security requirements. This possibility also allows for a phased approach, enabling security checks over time only for better acceptance by developers SAP AG. All rights reserved. 15

15 Integrated into the ABAP Test Cockpit (ATC) ATC is an ABAP check framework which allows running static checks and unit tests for ABAP programs. ATC is fully integrated into the development environment and transport tools, along with instant navigation, documentation and fix recommendation and more. What are the benefits? ATC is the single point of entry for all static code check tools ATC comprises a 4-eye principle exemption process to handle findings effectively ATC is fully integrated in the ABAP development workbench with a high usability for developers and quality experts ATC is not only a check tool but supports essential QA techniques like Q-Gates or regression testing in a consolidation system ABAP Test Cockpit (ATC) Syntax Check (Check, SE80) Extended Program Check (SLIN) SAP Code Vulnerability Analyzer (SLIN_SEC) SAP Code Inspector (SCI) 2012 SAP AG. All rights reserved. 16

16 Architecture Overview ABAP Developer Quality Expert R R ABAP Workbench ABAP Editors R ABAP Test Cockpit (ATC) Check Exemptions Results R Transport Management R ABAP Source Code Code Inspector Checks R R SLIN Security Checks 2012 SAP AG. All rights reserved. 17

17 Testing ABAP everywhere with the ABAP Test Cockpit (ATC)

18 ABAP Test Cockpit (ATC) What is it? ATC is an ABAP check framework which allows running static checks and unit tests for ABAP programs ATC is fully integrated into the development environment and transport tools, along with instant navigation, documentation and fix recommendation What are the benefits? ATC is the single point of entry for all static code check tools ATC comprises a 4-eye principle exemption process to handle findings effectively ATC is fully integrated in the ABAP development workbench with a high usability for developers and quality experts ATC is not only a check tool but supports essential QA techniques like Q-Gates or regression testing in a consolidation system 2012 SAP AG. All rights reserved. 19

19 ATC Configuration Using ATC Configuration, you can define The ATC master system The checks to be used as a default Enable or disable exemptions Configure the behavior of the transport subsystem in case of failing ATC checks of transports SAP AG. All rights reserved. 20

20 ABAP Test Cockpit integrated into the ABAP IDE 2012 SAP AG. All rights reserved. 21

21 Example for a Development Landscape Development System 1 Quality-Gate: Check during transport release Q-experts run mass checks and distribute the results Developers run static/unit/scenario tests on their objects Periodic check runs to validate the code of a development team Consolidation System Quality-Gate: Development System 2 Quality-Gate: Check during transport release i Mass check run and consolidation test Use ONE quality standard for Q-Gates 2012 SAP AG. All rights reserved. 22

22 Developing Landscapes: Scaling and Reporting Development System 1 Development System 2 Consolidation System 1 Development System 5 Development System 6 Consolidation System 3 Development System 3 Development System 4 Consolidation System 2 Solution Manager BI system for reporting: Aggregates all mass test runs Q-Governance: Monitors the quality of development areas and defines the quality standard 2012 SAP AG. All rights reserved. 28

23 Security Checks in Detail Overview of available checks

24 Overview of available checks SQL Injection (Open SQL) Web Exploitability SQL Injection (ADBC) Backdoors & Authorizations Security Checks Code Injection (ABAP) Directory Traversal OS Command Injection Call Injection 2012 SAP AG. All rights reserved. 30

25 Overview of the available checks - SQL Injection (Open SQL) - Manipulation of dynamic Open SQL Potential manipulation of the dynamic WHERE condition (1101) Potential manipulation of a dynamic WHERE condition using the parameter I_FILTER of the object services method CREATE_QUERY (1122) Potential manipulation of the SET clause in the statement UPDATE (1112) Potential read performed on an illegal database table in a SELECT statement (1118) Potential read performed on an illegal database table in a modifying OpenSQL statement (1120) Potential read performed on invalid table columns (1114) Potential use of illegal columns in a dynamic GROUP BY clause (1116) Potential use of illegal columns in a dynamic HAVING clause (1117) 2012 SAP AG. All rights reserved. 31

26 Overview of the available checks - SQL Injection (ADBC) - Manipulation of SQL statements Potential injection of harmful SQL statements of clauses in execution of DDL statements in ADBC (1128) Potential injection of harmful SQL statements of clauses in execution of DML statements in ADBC (1130) 2012 SAP AG. All rights reserved. 32

27 Overview of the available checks - Code Injection (ABAP) - Manipulation of ABAP code created dynamically Potential injection of harmful code in the statements INSERT REPORT and GENERATE SUBROUTINE POOL (1108) Potential manipulation of the dynamic WHERE condition in an internal table (1190) 2012 SAP AG. All rights reserved. 33

28 Overview of the available checks - Call Injection - Manipulation in dynamic calls Potential call of an illegal transaction using the statement CALL TRANSACTION (1142) Potential call of an unwanted transaction using the statement LEAVE TO TRANSACTION (1143) Potential call of an illegal program using the statement SUBMIT (1141) Potential call of invalid function module using RFC (1140) 2012 SAP AG. All rights reserved. 34

29 Overview of the available checks - OS Command Injection - Injections of operating system commands Statement CALL 'SYSTEM' used (1170) Potential manipulation in the FILTER addition of the statement OPEN DATASET (1106) 2012 SAP AG. All rights reserved. 35

30 Overview of the available checks - Directory Traversal - Access to illegal directories and files Potential manipulation of the file name in the statement OPEN DATASET or DELETE DATASET (1104) Potential manipulation of the file name in the method CREATE_UTF8_FILE_WITH_BOM of the class CL_ABAP_FILE_UTILITIES (1124) 2012 SAP AG. All rights reserved. 36

31 Overview of the available checks - Backdoors & Authorizations - Weak authorization checks or user administration bypassed Hard-coded user name, possibly from undeleted test code or an indication of a back door (0821) SY-SUBRC not evaluated after the statement AUTHORITY-CHECK (1160) AUTHORITY-CHECK with explicit user name (1180) AUTHORITY-CHECK with explicitly specified user name sy-uname (1181) 2012 SAP AG. All rights reserved. 37

32 Overview of the available checks - Web Exploitability - Possible attacks using Web technologies Obsolete escape method used (1150) 2012 SAP AG. All rights reserved. 38

33 Summary

34 Your Way to Secure ABAP Code - Summary - One weakness is enough to put your business at a risk! Regularly check your source code and ensure that code fits to state of the art security programming best practices Train the developers to ensure they know the common weakness Don t expect that security is a once in a lifetime project security improvements are part of your daily work! 2012 SAP AG. All rights reserved. 40

35 Summary: Code Vulnerability Analyzer Developed by the team creating the ABAP language Tightly integrated into standard testing infrastructure Already tested and in use by SAP internally for several years Successfully piloted by customers SAP NetWeaver AS, add-on for code vulnerability analysis is available as of: SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 14 SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 09 SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 09 SAP NetWeaver AS ABAP 7.4 Support Package 05 and later releases 2012 SAP AG. All rights reserved. 43

36 Summary: ABAP Test Cockpit ATC is the standard ABAP check frame work at SAP The ABAP Test Cockpit (ATC) is a tool for doing static and dynamic quality checks of ABAP code and associated repository objects ATC is based on Code Inspector Very easy migration: Just re-use your current global Code Inspector check variant ATC is available as part of: SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 12 SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 05 SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 05 SAP NetWeaver AS ABAP 7.3 EhP2 and later releases 2012 SAP AG. All rights reserved. 44

37 Further Information SAP NetWeaver Application Server, add-on for code vulnerability analysis Roadmap presentation: ABAP Test and Analysis Tools ABAP Test Cockpit (ATC) SAP Community SAP AG. All rights reserved. 45

38 Thank you Contact information: Patrick Hildenbrand SAP NetWeaver Product Management Security

39 Customer References

40 2012 SAP AG. All rights reserved. 48