KuppingerCole Product Research Note. Virtual Forge CodeProfiler. by Prof. Dr. Sachar Paulus March 2012

Transcription

1 KuppingerCole Product Research Note by Prof. Dr. Sachar Paulus March 2012 Virtual Forge CodeProfiler KuppingerCole Product Research Note Virtual Forge CodeProfiler

2 KuppingerCole Product Research Note Virtual Forge CodeProfiler by Prof. Dr. Sachar Paulus March 2012 Content 1. Executive Summary 3 2. Highlights 4 3. Customer Challenges and Industry Status Customer Challenges Industry Status Mapping of Challenges/Status 6 4. Product Evaluation 7 5. Success factors 9 6. Roadmap Vendor and Ecosystem Summary and Recommendation Glossary 13 Page 2 of 14

3 1. Executive Summary Code security analysis has become one of the most important business segments servicing the secure development of software. Products are pretty mature for every mainstream programming language, and large IT companies have acquired the major technology innovators in that segment. There is, though, an area of software development that receives little attention, although being quite important for businesses: the so-called customizing of SAP applications. Customization in SAP applications typically means that new application pieces will be added to the SAP standard offering. In many cases existing modules and functionalities will be rewritten at the customer site to optimize their usage for the customer specific business processes. As such, the customization is actually more a development activity and thus may greatly benefit from code security analysis, specifically for compliance purposes. Most SAP customization projects, though, will take place in SAP s ERP application suite, and this is mostly written in SAP s proprietary language called ABAP. There are only a few companies that offer code analysis for ABAP programs, let alone analysis of the security of the developed code. Virtual Forge fills this niche with its flagship product CodeProfiler that analyzes SAP ABAP code for vulnerabilities and, optionally, also for other code quality aspects. CodeProfiler has reached a mature status, and is currently in the phase of feature enrichment, so beyond the capabilities presented today (excellent performance, easy configuration, predefined content, full integration into SAP development activities) there will be more beneficial functionalities available soon. The ecosystem has reached a good level of maturity with worldwide sales and consulting through SAP and IBM and specific mid-market solution OEM packages. Security for SAP applications is hard to mandate in real life due to its relatively central but isolated position in most organizations, and even then most IT specialists understand SAP security to be limited to good authorization management. Nevertheless, the modification of SAP software poses a high business risk and should therefore be treated with equal care. It is therefore important to establish (business) stakeholders for SAP security before being able to fully leverage the value of CodeProfiler. Overall, Virtual Forge CodeProfiler is an excellent solution for a small but important niche, and SAP customers that are taking the risk of code vulnerabilities seriously shall consider the product for an evaluation. Page 3 of 14

4 2. Highlights Unique offering with highly specialized SAP ABAP know how Automatic fixing of issues available on project basis Also covers non-security related domains such as compliance and code quality Requirements engineering version of vulnerabilities for mandating secure outsourced development Integrated into SAP s development processes and practices (transport management, development workbench, analytics) Compelling technical roadmap Ecosystem sales through IBM & mid market partners Business risk interpretation of every identified vulnerability with predefined content Report interfaces to all major code quality management tools Workflow integration for risk acceptance processes In-memory architecture for high performance analysis Security researcher program in place Only ABAP based SAP products and systems are covered Configuration on each SAP system required The organizational prerequisites to successfully use the product with its full potential are demanding Fast setup and initial configuration for first analysis results Page 4 of 14

5 3. Customer Challenges and Industry Status 3.1 Customer Challenges SAP software is widely used in almost every industry segment, for a variety of application areas, such as accounting, production planning or supplier management, to name a few. A major success factor for SAP software is its excellent flexibility and extensibility. Many customers apply so-called customizing to modify and/or complement the shipped standard with individual modifications. From this perspective, SAP software cannot only be seen as standard software, but also as a development environment with pre-existing templates and business structures. Although SAP has a very good reputation in terms of software security a recent benchmarking among members of the SAFECODE initiative reported an excellent status with respect to the maturity of secure development processes, being 2nd just after Microsoft and software quality in general, there is a customer need for checking and validating the security and quality of code used by customers in SAP systems. In the classical software development business, this is the area of code analyzers. Code analyzers try to address the problem that, during the development process, software engineers rarely take security into account. Since 2002, the industry has developed a number of good security development practices, for example, threat modeling as part of a secure design process, or secure deployment to ensure a secure configuration of software when in use. Code analyzers help automating the test process during development, and perform an analysis of the source code to try and detect potential vulnerabilities. Code analyzers may be static or dynamic, depending on whether they can take run-time information into account when performing their analysis work. Now one might argue that there is no real need for a code analyzer, since one might think that SAP systems typically are used internally at customer sites, and so no hacker can get access to SAP systems. This is no longer true, SAP systems are in most cases well connected to the Internet through a number of external-facing business process applications. Moreover, SAP systems are no longer considered to be esoteric by the hacker community, there is a fast growing interest in SAP systems and how to break into them. A major driver for scanning SAP code is for Compliance reasons. Since more and more SAP custom development is outsourced to offshore locations, it is important to check especially that security-related aspects have been addressed well such as, e.g., the correct usage of authorization check statements. Code security analysis seen this way turns into a supplier control tool. Page 5 of 14

6 3.2 Industry Status Products in this area have only recently covered code scanning for SAP. Of course, SAP in the meantime uses all kinds of development languages, notably JAVA and C#/.NET, which can be covered by mature code scanning solutions. But SAP has used for decades a self-developed specific application interpreter language called ABAP, that is similar to COBOL with extensions to support object-oriented programming, which has not been addressed by code analyzers until only recently. The code analyzer market is divided into a number of different areas, that all have some overlap to each other, specifically in the SAP environment. A major divide is the separation into security (and Compliance) focused code scanners, and standard qualityoriented code scanners. In the area of security code analyzers, there has recently been a market restructuring, with some of the major IT players, notably HP and IBM, having acquired specialized code scanning companies, such as Fortify, Ounce Labs and SPI Dynamics. As such, there is no large independent security code scanning company available any more. This shows the great interest of the market in gaining experience in code scanning for improving the security and quality of software. 3.3 Mapping of Challenges/Status Fortify, formerly the largest independent vendor of code analyzers, now an HP company, also has an ABAP scanner. But since the focus of Fortify is to offer scanning engines for all important software languages, and to allow an integrated view on those, there is generic support for ABAP scanning, but the focus on integration and interoperability with SAP specifics such as SAP Transport or SAP BI Analytics is rather limited. Specifically for SAP, one needs in addition to consider the services offered by SAP as part of their remote support offering. There is a code analysis engine called Code Inspector available with SAP software that is used by SAP-internal development teams, which also performs a number of security checks, moreover this offering is free of use for SAP customers. This solution has two major disadvantages: it does not scan standard code developed by SAP although customers actually might modify this as well and it does produce a large number of potentially false positives. Another product area that needs to be considered is the one of standard quality application code scanners, such as e.g. CAST software. These vendors target a holistic view of software quality management and work with KPIs and dashboards. There are a number of vendors with specifics for SAP, but there is little focus on security and compliance until now. Consequently, there are relatively few alternatives for SAP customers who wish to use a code analyzer for SAP ABAP code, and there is currently only one vendor, Virtual Forge, that is both experienced in scanning code for vulnerabilities as well as used to the specifics of running SAP applications. As such, Virtual Forge CodeProfiler presents a strong USP, since it can be used to perform code security analysis in SAP environments the way that ABAP developers are used to. Page 6 of 14

7 4. Product Evaluation The CodeProfiler product uses data and control flow analysis in combination with a comprehensive rule set that covers many data sources and dangerous ABAP statements to identify potential issues. Data flow analysis is a technique that first identifies data sources, i.e. code snippets where (external / untrusted) data is read into variables. It then analyzes whether there are any connections between a data source and a potentially dangerous statement. Any identified connection (data flow) indicates that the dangerous statement is most likely exploitable. The implementation of the data flow analysis is done using the definition and comparison to a grammar, specifically for the ABAP language. Data flow is modeled using relations, and can be scanned in both directions, from dangerous statements to input fields and vice versa. In addition to data and control flow analysis, the product applies further sanity tests like type checks, authority checks, usage of regular expresses etc. As a result the product can prioritize the findings so that the mitigation process can be made more efficient. An important differentiator of the product is that it does not only identify security vulnerabilities, but does moreover recognize other types of issues related to different domains, such as compliance, maintainability, robustness and performance. As such, CodeProfiler already covers a large set of non-functional aspects and can therefore not be considered as being a pure security tool. It is rather a more generic code analysis tool that enables organizations to produce code of good quality. The CodeProfiler product offers the full set of functionality that enables organizations that develop SAP ABAP code not only to discover vulnerabilities, but also to fix them and stay in control of the corrected software during the development lifecycle. To achieve this goal, CodeProfiler is completely developed in a way to make use of and thus integrate into the standard maintenance tools offered by SAP, such as the transport management system, the development workbench or the analytics framework. In SAP landscapes, software is transported from development systems to test systems, and from test systems to production systems. To achieve control over the code, CodeProfiler comes with an extension to the standard transport management system, which needs explicit approval to transport code with identified findings. Thus, potentially dangerous code can still be used (e.g. because of risk acceptance criteria), but the approval will be documented for compliance reasons. In this way CodeProfiler acts like an application level firewall scanning for vulnerabilities or bad programming content between the different deployment instances of an SAP system. The major development environment for ABAP applications, the development workbench, is extended to contain CodeProfiler scanning functionality, so that developers can check the sanity and code quality of their modules on the fly. It is also possible (e.g. in case CodeProfiler is used by an auditor) to use CodeProfiler in batch mode; in this case it is very easy to configure CodeProfiler operations with SAP standard tools. Page 7 of 14

8 CodeProfiler moreover allows displaying the results in a dashboard fashion. This is important to enable managers to rapidly grasp the situation, and be alerted to focus on the real critical aspects of a scanning report. To achieve this, CodeProfiler makes use of the standard SAP BI analytics functionality coming with SAP systems. These can be displayed within the SAP system, with drill down functionality, or automatically sent in office or PDF formats to specific users. Besides the integration into the standard SAP tools and frameworks, both the configuration as well as the results can also be used with specialized, external tools, such as IBM Rational, Basis Technologies Transport Express, REALTECH s theguard!, and of course with the standard SAP maintenance tool SAP Solution Manager. The initial configuration of the CodeProfiler product for one target SAP system is pretty fast. There is no need for configuring rule sets, since these come with the product. Within a few hours, a CodeProfiler installation can be up and running in productive mode. A drawback though is that the product must be configured separately on each SAP system. Thankfully, the configuration information can be transported automatically from one system to another, yet needs to be adapted to system specific needs. The separate configuration is a consequence of the technical architecture of CodeProfiler. The architecture is optimized for maximum speed and flexibility and separates configuration and report elements from the pure scanning engine. The scanning engine is running on a separate system (standalone JAVA based, no complex JAVA server needed) and has no user interface. Multiple instances on the same or different machines can be used to parallelize the scanning process using Round-Robin scheduling. All input/output management and configuration is kept on the SAP system to be analyzed. The communication between the SAP systems and the scanning engines is realized using RFC with pre-defined users with dedicated authorizations. The scanning engine uses an in-memory architecture to boost the scanning process which allows it to scan up to several thousand code lines per second, with up to 200 Million code lines in a scanning block in-memory. As a reference, a large multinational organization scans all SAP ABAP code in all its systems (several hundred) once a week. The major benefit of using CodeProfiler is, though, that the results can be correlated to business risk. In comparison to many other code scanning tools that identify potential security weaknesses, CodeProfiler allows associating a business risk to each finding; this is in part due to the nature of the ABAP language, and in part to the research work of Virtual Forge that associates a business risk to every identified finding. Furthermore, to reduce the number of false positives, CodeProfiler extends the standard presentation means in terms of probability and impact by separating the issues in different categories, namely those which are definitively a flaw (the probability is > 95%) and two subtypes of findings with lower probability. The prioritization within these separate groups of findings is then only done according to the (business) impact. An additional feature that is currently only available on request in a project type of work is the ability to automatically fix issues. According to first real life analyses, up to 70% (mostly commonly made errors such as forgotten authorization checks or insecure direct object references) can be easily fixed automatically. This also works perfectly for findings in the non-security domains. Page 8 of 14

9 5. Success factors To use the product successfully, a number of conditions need to be met. First of all, one needs a recipient of the scanning reports, i.e. someone who is interested in the results of the scanning process and who will take and/or initiate action to fix the issues identified. This is by no means trivial. In many organizations taking care of SAP operations, there is no one responsible for security or even quality. On the other hand, most Information Security Officers, while often being responsible for overall Information Security, do not have a handle on the security of SAP systems. In such cases, first CodeProfiler results may create some awareness about the problem, but to sustainably improve the situation a corresponding responsibility is necessary to be established first. Second, the SAP operations team needs to support the installation and operation of CodeProfiler. Due to its restrictive nature, specifically regarding the compliance approval step in the transport management, in many cases it might get rejected by developers or even system administrators in the first place. So either there is support from the operations team that is convinced about the value of the tool, or senior IT management needs simply to mandate it. Last, and this is specifically important to the usage of CodeProfiler with outsourced SAP development, it is literally of no value to check for security issues or findings from other non-functional domains if there is no corresponding requirement communicated to the outsourcing partner. Correspondingly, Virtual Forge offers customers a version of their rule set in a requirements version that can be added to outsourcing contracts. Page 9 of 14

10 6. Roadmap The current roadmap of the CodeProfiler product can be divided into three development directions: extension of the non-security aspects, integration of dynamic code analysis elements and automatic correction. The existing capabilities of the product in terms of non-functional requirements other than security will be further extended. Among others, compliance-related aspects specifically will be improved, such as EuroSOX or Basel II testing patterns. Since the primary technology used is data flow analysis, there is an inherent risk of having many false positives. An important approach for further reducing the number of false positives is to use run-time information to reflect the identified potential flaws against the actual usage context. In SAP systems, using the so-called Data Dictionary (DDIC) can primarily do this. This furthermore allows to perform coverage analysis and so to enrich the risk quantifiers for a better risk ranking of the findings. An existing feature that is currently only available on a project-per-project basis is auto-correction. For vulnerabilities or other findings that may allow for some automatic code correction (such as, e.g., adding an authorization check depending on the calling module), corresponding code is inserted automatically. There is ongoing research to extend this capability to a substantial number of detected vulnerabilities. Overall, the roadmap is compelling technology-wise and, since customers have initiated most of these developments, this shows the great interest of the market in advancing the corresponding capabilities. The company Virtual Forge is in a typical feature enrichment phase, and as long as customers mandate these incremental innovations, there is room for growth. One might, though, be a bit skeptical about the absence of non-abap code analysis technology, since the SAP portfolio grows year over year, and the fraction of ABAP code is, although huge in size, shrinking slowly. Page 10 of 14

11 7. Vendor and Ecosystem Virtual Forge was founded in 2001 in Mannheim, Germany, and started as a SAP security code analysis consulting company. Over time, Virtual Forge has developed itself into a product vendor, by productizing its experience in scanning ABAP programs. Recently, Virtual Forge was named Cool Vendor by one of the leading analyst firms, for the reason that the company fills a niche that even the software vendor SAP does not address. Virtual Forge s financial success is based on organic growth with a turnover of 3 Mil EUR in The company strategy is to offer a complete solution for SAP ABAP specific code scanning. The company is privately owned, and the operating margin is invested year-after-year into growth. The internal structure is optimized for short product cycles, including agile development processes to integrate customer requirements early in the process. A customer community management is in preparation. The sales strategy of Virtual Forge is a mixed model between direct sales (primarily Germany and central Europe, soon U.S.) and indirect sales. The product is available through IBM s global software business and as an OEM version specifically tuned for the mid-market via REALTECH. The solution sold by IBM fits the other offerings in that area well (specifically IBM Rational AppScan, formerly Ounce Labs) and the results are displayed in the IBM Rational dashboard tools. For international customers, the first level support is available through IBM on a worldwide basis. Existing customers are ranging from large SMEs to multinational corporations. The main application area is to scan ABAP code developed by SAP customers during the socalled customization of SAP systems. Scanning code of third party software and modified code of the SAP standard are fast growth areas. SAP itself uses CodeProfiler, both for SAP-internal applications as well as for SAP product development. The predefined content that comes with CodeProfiler is the result of joint research activities with the SAP security researcher community. A specific research department within Virtual Forge actively searches for SAP/ABAP vulnerabilities, performs analysis and identifies potential countermeasures. This content is fed into the product; these descriptions are updated twice per year. In parallel, vulnerabilities are published according to a responsible disclosure strategy to inform SAP customers in general. An interesting service is that customers, to mandate secure coding from coding subcontractors, can also use this content in a version to be added to their contracts. To get CodeProfiler up and running some configuration is needed. To cover this consulting demand, Virtual Forge has a small consulting group, but also works with companies like akquinet, REALTECH, Adventier (USA) or via the international software sales IBM. Virtual Forge s ecosystem has become well developed over the last few years. The switch from a consulting to a product company, although typical for European startups to assure organic growth, has its pitfalls specifically with regards to the partner landscape. But ultimately, the move to partner with IBM for a worldwide sales and consulting offering shows a strong maturity in that respect. Page 11 of 14

12 8. Summary and Recommendation To sum up, CodeProfiler from Virtual Forge is a unique product, covering a niche market that has been left over by SAP. One might argue that other programming languages are not supported, but the value of CodeProfiler is exactly the high level of adjustment to SAP ABAP specific risks. The in-memory architecture is optimized for high industrial usage, indicating professional software development. The breadth of options for operating the product shows the interest of customers, specifically running it integrated into their standard maintenance and development processes. Finally, with the reselling agreement with IBM, CodeProfiler shows strong market maturity. Consequently and since there is no real alternative to the product companies interested in scanning newly developed or modified SAP code should definitively have a look at CodeProfiler or at its mid-market OEM version shipped with REALTECH theguard!. Page 12 of 14

13 9. Glossary Code Security Analysis: The process of analyzing source code of software in order to identify potential security weaknesses. SAP Customizing: The process of adapting standard SAP software to the specific requirements of a customer. Often includes modification of original coda and addition of new code. Software Transport: The process of moving code from one development stage to the next, e.g. from test to production. Security Researcher Program: A program of a software manufacturer to keep in touch with security researchers that try to identify vulnerabilities in code. Quoting information and data from Kuppinger Cole Ltd.: Individual sentences and sections may be used in internal documents and presentations exclusively for internal communication within the company without the explicit permission of Kuppinger Cole Ltd. Use of large sections or the complete document requires previous written permission from Kuppinger Cole Ltd. and may include the payment of royalties. External publication of documents and information by Kuppinger Cole Ltd. in advertisements, press reports or other marketing material generally requires previous written permission from Kuppinger Cole. A draft of the relevant documents should be provided. Kuppinger Cole Ltd. reserves the right to refuse external use for any reason. Kuppinger Cole Ltd Reproduction forbidden unless authorized. For additional copies, please contact service@kuppingercole.com Page 13 of 14

14 The Future of Information Security Today. KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business. Kuppinger Cole Ltd. Headquarters Arnheimer Str. 46 D Düsseldorf Germany Phone +49 (211) Fax +49 (211) KuppingerCole, founded in 2004, is a leading Europe-based analyst company for identity focused information security, both in classical and in cloud environments. KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view on these information security market segments, covering all relevant aspects like Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), IT Risk Management, Authentication and Authoriza- tion, Single Sign-On, Federation, User Centric Identity Management, eid cards, Cloud Security and Management, and Virtualization. For further information, please contact clients@kuppingercole.com