ABAP Custom Code Security


A collaboration of SAP Global IT and SAP Product Management for Security, IDM & SSO
November 2012, Public

SAP Global IT - ABAP custom code security: agenda
1. Introduction / Motivation
2. Custom Code Scanning Project
3. Code Scanning Tools at SAP Global IT

2012 SAP AG. All rights reserved. Public

1. Introduction / Motivation

Code security for ABAP-based applications: tasks and responsibilities

Phase 1: Identify security issues
- SAP's responsibility: review the SAP standard codebase of approx. 280 million lines of code. Solution: tool-based approach with an ABAP security scanner.
- SAP Global IT's responsibility: review customer-specific ABAP code. Solution: tool-based approach with a specialized ABAP security scanner (Virtual Forge CodeProfiler).

Phase 2: Fix security issues
- SAP's responsibility: process issues in SAP standard code. Solution: SAP Security Notes (approx. 2,400 notes released up to 10/2012), introduction of the SAP Security Patch Day, new Secure Programming Guidelines.
- SAP Global IT's responsibility: implement the published Security Notes and remediate potential security gaps in ABAP custom code. Solution: regularly search for and implement relevant Security Notes (SAP Security Patch Day); ABAP source code project.

Entry points for security questions concerning custom-developed ABAP applications
- Are compliance guidelines adhered to within the custom applications?
- Are data protection rules and guidelines violated through security flaws?
- What is the general code quality with respect to security?
- Are business-critical applications and processes sufficiently protected within custom applications?
- Are there backdoors or malicious code in the customer-specific developments?

Key message
- Ensuring security and compliance of custom-developed code is key.
- Securing custom-developed ABAP code requires a highly automated solution.
- The solution must also support the developers' requirements in their daily work in a convenient way.

2. Custom Code Scanning Project

ABAP Custom Code Project: functionality and characteristics of the static code profiling approach

Key message: Virtual Forge CodeProfiler (VF CP)* uses static ABAP patterns to scan ABAP source code for potential weaknesses and issues.
- Allows prioritizing countermeasures by categorizing all findings by impact and probability.
- High number of constantly updated test cases for security checks.
- In the scans conducted at Global IT, the VF CP* showed a low number of false positives.

Procedure: source code is extracted via RFC from the core SAP business systems into the VF CodeProfiler*; the resulting findings are analyzed and documented. Example finding from the output:
TC 33 Missing AUTHORITY-CHECK in Reports [#46], TID=80, FID=5A66D9C5271AE8E7360B61F5F167B49D5D890A40, Package: Z_BW_CORE, Program: YBW_BW_CALL_STATISTICS

* CodeProfiler is an add-on product from Virtual Forge (www.virtualforge.com)
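What a "TC 33 Missing AUTHORITY-CHECK in Reports" finding looks like in code, and how it is remediated, as an added example. This is not the flagged program YBW_BW_CALL_STATISTICS and not Virtual Forge's own material; the report name, the table ZBW_CALL_STAT and the authorization object Z_BW_STAT (with fields ZBWAREA and ACTVT) are hypothetical and would have to exist in the system (SE11, SU21) for the code to activate. The security-relevant points are that the check must name the object and field values the user actually requested, and that sy-subrc must be evaluated afterwards: an AUTHORITY-CHECK whose result is never tested protects nothing and is itself a scanner finding.

```abap
*&---------------------------------------------------------------------*
*& Report YBW_CALL_STAT_DEMO  (hypothetical name; added example)
*&---------------------------------------------------------------------*
REPORT ybw_call_stat_demo.

" Assumed, hypothetical objects: custom table ZBW_CALL_STAT with fields
" AREA and CALLS, and custom authorization object Z_BW_STAT (SU21) with
" fields ZBWAREA and ACTVT.
PARAMETERS p_area(4) TYPE c DEFAULT 'CORE'.

TYPES: BEGIN OF ty_stat,
         area  TYPE c LENGTH 4,
         calls TYPE i,
       END OF ty_stat.
DATA: lt_stat TYPE STANDARD TABLE OF ty_stat,
      ls_stat TYPE ty_stat.

START-OF-SELECTION.

*--- As found (TC 33 pattern): anyone who can start the report gets the
*--- data; there is no AUTHORITY-CHECK at all. Kept here as a comment.
*  SELECT area calls FROM zbw_call_stat INTO TABLE lt_stat
*    WHERE area = p_area.

*--- Remediated version ----------------------------------------------
  " 1. Check the authorization explicitly against the object and the
  "    values the user asked for: the selected area, activity 03 = display.
  AUTHORITY-CHECK OBJECT 'Z_BW_STAT'
    ID 'ZBWAREA' FIELD p_area
    ID 'ACTVT'   FIELD '03'.

  " 2. Evaluate sy-subrc. Without this IF the statement above changes
  "    nothing; the scanner reports that variant as well.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to display call statistics for this area'
      TYPE 'E'.
  ENDIF.

  " 3. Only now read and display the data.
  SELECT area calls FROM zbw_call_stat INTO TABLE lt_stat
    WHERE area = p_area.

  LOOP AT lt_stat INTO ls_stat.
    WRITE: / ls_stat-area, ls_stat-calls.
  ENDLOOP.
```

A practical check when reviewing such findings: the object and field values in the AUTHORITY-CHECK must match what the report really does (a display check does not cover a later UPDATE), and the check must sit before the data access, not after the output has already been written.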

CodeProfiler test case examples (test group: potential impact)

- Missing authority checks: ABAP can execute business transactions without privileges. Therefore, whenever ABAP programs call functionality that requires certain privileges to run, an authority check should be made programmatically. Otherwise users might get access to restricted functionality.
- Dangerous ABAP commands: These test patterns check whether an ABAP program uses commands that could pose a security threat. Examples are access to files and low-level system commands.
- Backdoors: There are several ways to include backdoors in ABAP programs. They allow malicious developers to secretly access extra functionality by feeding certain triggers to the program.
- Hard-coded user credentials: These test patterns check whether there are any hard-coded user credentials in the code.
- Generic operations: Sometimes developers write code in a way that it can be used for a number of different use cases. This flexibility often results in vulnerabilities when malicious users discover unforeseen use cases nobody expected.
- Command execution: In some instances, ABAP code can be generated and executed at runtime. These test patterns check whether such risky practices are used and whether they are exploitable.
- SQL injection: This coding defect allows malicious users to manipulate Open SQL statements. This can result in information disclosure and manipulation of arbitrary data in the SAP database.
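The "SQL injection" test group above, shown on a concrete Open SQL statement as an added example (not code from the deck or from Virtual Forge). The report name is hypothetical; the standard flight-demo table SCARR is assumed to be present, and the class CL_ABAP_DYN_PRG is assumed to be available on the release in use (it ships with 7.02 / 7.31 and later). The vulnerable variant pastes a user value into a dynamic WHERE clause; the two fixes either avoid dynamic SQL entirely or quote the value before the clause is assembled.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_DYN_WHERE_DEMO  (hypothetical name; added example)
*&---------------------------------------------------------------------*
REPORT zsec_dyn_where_demo.

" Standard demo table SCARR (fields CARRID, CARRNAME) assumed present.
PARAMETERS p_name TYPE scarr-carrname.   " user-controlled input

TYPES: BEGIN OF ty_carr,
         carrid   TYPE scarr-carrid,
         carrname TYPE scarr-carrname,
       END OF ty_carr.
DATA: lt_carr   TYPE STANDARD TABLE OF ty_carr,
      ls_carr   TYPE ty_carr,
      lv_where  TYPE string,
      lv_quoted TYPE string.

START-OF-SELECTION.

*--- Vulnerable (CodeProfiler "SQL injection" pattern): the user value is
*--- concatenated unescaped into a dynamic WHERE clause. Kept as comment.
*  CONCATENATE `carrname = '` p_name `'` INTO lv_where.
*  The input   X' OR carrid <> '   produces   carrname = 'X' OR carrid <> ''
*  and returns every row; in an UPDATE or DELETE the same input rewrites
*  or removes data the user should not touch.
*  SELECT carrid carrname FROM scarr INTO TABLE lt_carr WHERE (lv_where).

*--- Fix 1 (preferred): no dynamic SQL. A static WHERE with a host
*--- variable is bound as a value, so quote characters in p_name are
*--- never interpreted as SQL syntax.
  SELECT carrid carrname FROM scarr INTO TABLE lt_carr
    WHERE carrname = p_name.

*--- Fix 2: if the clause really has to be dynamic, quote and escape the
*--- value with CL_ABAP_DYN_PRG before assembling the string.
*--- X' OR carrid <> '  becomes  'X'' OR carrid <> '''  (one literal).
  lv_quoted = cl_abap_dyn_prg=>quote( p_name ).
  CONCATENATE 'carrname =' lv_quoted INTO lv_where SEPARATED BY space.
  SELECT carrid carrname FROM scarr INTO TABLE lt_carr   " same result as Fix 1
    WHERE (lv_where).

  LOOP AT lt_carr INTO ls_carr.
    WRITE: / ls_carr-carrid, ls_carr-carrname.
  ENDLOOP.
```

Escaping only covers values. If the column or table name itself comes from user input, it must be validated against a fixed whitelist of allowed names before it is placed in the statement; quoting does not help there.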

Custom code security at SAP Global IT: get secure, stay secure

Get secure
- Implementation of Virtual Forge CodeProfiler* and execution of regular code scans
- Creation of agreed procedures and guidance on how to fix potential security gaps
- Analysis and remediation of security-related issues identified by the Virtual Forge CodeProfiler* for the four core SAP Global IT business systems
- Analysis and remediation of security-related issues identified by the Virtual Forge CodeProfiler* for all SAP Global IT business systems

Stay secure
- SAP Global IT Secure Development Framework: rules and standards for the development of ABAP code
- Secure ABAP development training for developers at Global IT, teaching how to develop secure ABAP code
- Full integration of security checks into the ABAP development workbench, with high usability for developers and quality experts, using the ABAP Test Cockpit (ATC)
- Security checks during transport release (Q-Gate) to avoid new security-related issues in production

* CodeProfiler is an add-on product from Virtual Forge (www.virtualforge.com)

SAP Global IT - ABAP source code security approach
- Project level: holistic custom source code scans; secure programming training; analysis and prioritization of issues; remediation
- Structural level: scanning; automated monitoring of remediation; automated periodization; secure programming guide
- Daily operational level: remediation of source code issues

3. Code Scanning Tools at SAP Global IT

Motivation for the ABAP Test Cockpit: different tools, different UIs, different results
- Different checks, messages, priorities
- Different code checks before release of transports
- No common base for the QM and developer perspectives
- No central point to overview the quality of custom code

ABAP Test Cockpit (ATC)

What is it?
- ATC is an ABAP check framework which allows running static checks and unit tests for ABAP programs.
- ATC is designed to help meet the production standard "Functional Correctness" in the ABAP world.
- ATC is fully integrated into the development environment and transport tools, along with instant navigation, documentation and fix recommendations.

What are the benefits?
- ATC is the single point of entry for all static code check tools.
- ATC includes a four-eyes-principle exemption process to handle false-positive findings effectively.
- ATC is fully integrated in the ABAP development workbench with high usability for developers and quality experts.
- ATC is not only a check tool but supports essential QA techniques like Q-Gates or regression testing in a consolidation system.

Code scanning tools at Global IT (all run under the ABAP Test Cockpit)

Virtual Forge CodeProfiler (CP)*
- Test domains: security and compliance
- Allows prioritizing countermeasures by categorizing all findings
- Establishes a baseline security level for all ABAP-based business applications
- Integration into the ABAP Test Cockpit and the Transport Management System
- High number of test domains and test cases

SAP Code Inspector (SCI): additional checks, for example adherence to naming conventions or performance optimization.

Extended Program Check (SLIN): performs extended checks, e.g. searching for obsolete ABAP statements.

Syntax Check (Check in SE80): checks the syntax and internal semantics of a program.

* CodeProfiler is an add-on product from Virtual Forge (www.virtualforge.com)

Thank you. A collaboration of SAP Global IT and SAP Product Management for Security, Identity Management and Single Sign-On.

Backup

ABAP Test Cockpit: configuration in a five-system landscape (DEV, QAS, PSS, FQA, PRD)
- Developers run static / unit / scenario tests on their objects
- Q-experts run mass checks and distribute the results
- Periodic check runs validate the code of a development team
- Scanning of tasks / transports
- Full system scans
- Use ONE quality standard for Q-Gates

ABAP Test Cockpit availability
The ABAP Test Cockpit (ATC) is a tool for static and dynamic quality checks of ABAP code and associated repository objects. The ATC is now available with EhP2 for SAP NetWeaver 7.0 with support package stack 12. Additionally, the ATC is planned for SAP NetWeaver AS ABAP 7.03 support package stack 5.
The ATC is introduced with the following releases:
- SAP NetWeaver 7.0 EHP2 Support Package 12
- SAP NetWeaver 7.31 Support Package 5 (planned)
- SAP NetWeaver 7.32 initial release
