SAP Security Recommendations, December 2011
Secure Software Development at SAP
Embedding Security in the Product Innovation Lifecycle
Version 1.0
Table of Contents

4 SAP Software Security: More Than Skin Deep
5 Four Decades of Assessing Security
5 Developers with Security Awareness
6 Wide Network of Security Experts
6 Development Framework That Automates Security
6 Testing with Special Tools
7 Validation That Includes External Checks
7 Certification That Validates Software Security
Businesses today must ensure their digital integrity. SAP recognizes that, as a leading provider of enterprise software and the SAP NetWeaver technology platform, it must act as a role model and demonstrate a high engagement in providing secure software to its customers. SAP works toward this objective through a rigorous development process that embeds security throughout the product innovation lifecycle.

SAP Software Security: More Than Skin Deep

Classic security functions like logon, user administration, authorization checks, encryption, digital signatures, and connection to virus scanners are, of course, fundamental aspects of the modern software environment. SAP provides these needed functions, but where it really helps to ensure software security is at the development level. At each step of the process, from early planning through customer rollout, SAP embeds stringent security standards and subjects them to rigorous pass-or-fail checkpoints until its software is ready for use as the business solutions that enterprises depend upon worldwide.

A software product must be built for security at the outset and strength-tested at each stage of the development cycle. That is why the SAP development framework, the product innovation lifecycle, elevates security to a prominent position. The framework consists of a core set of rules, product and process standards, and support for best practices that cover the entire software creation lifecycle: invent, define, develop, deploy, and optimize. The framework also governs the organizational stages, from SAP's initial product portfolio decision through to the investment program, development project, and project execution.

At each step in the lifecycle, SAP software security is checked at quality gates (Q-gates). Q-gates are the internal controls of SAP software development.
They are mandatory milestones, evaluated at formal meetings, that establish each product's maturity, quality, and security and determine whether it can move to the next lifecycle phase (see the figure). No software progresses to a subsequent stage until it has cleared its Q-gates and decision points: planning to development, development to production, and production to ramp-up and general customer availability. These Q-gates not only verify the functional correctness and completeness of a product, along with its performance and usability, but also focus on security.

Figure: Quality Gates in the Product Innovation Lifecycle. The figure shows the phases Invent, Define, Development, Validation, Deploy, and Optimize, with three Q-gates placed between them.
Four Decades of Assessing Security

SAP security standards have been assembled from around four decades of experience serving more than 100,000 customers. The standards reside in a central, adaptive repository of knowledge that is continuously passed on to individual development projects. SAP constantly checks with individual customers and organized customer groups for new security requirements. It analyzes feedback from SAP Consulting, the SAP sales organization, and SAP Research. Requirements also come from analyses by independent security experts and from projects like the Open Web Application Security Project (OWASP), an open community dedicated to enabling organizations to develop applications that can be trusted.

These security requirements are translated into SAP secure software standards to help avoid vulnerabilities like buffer overflows, where a program tries to put more data into a buffer than it can hold and an attacker can exploit the situation to transfer control to malicious code. Another example is the prevention of cross-site scripting, where an application takes untrusted data and sends it to a Web browser without proper handling, allowing attackers to execute scripts in the browser that hijack user sessions or redirect the user to malicious sites. The standards also cover application authorization based on least privilege, so that an application is granted no more rights than it needs, and they reduce the software's attack surface, the areas exposed to attacks. Other security provisions help lower the total cost of ownership (TCO) by simplifying integration with security functionality.
SAP security standards also help reduce TCO by avoiding the reinvention of existing security solutions, which can not only increase development and maintenance costs but also heighten the risk that problems are not identified quickly, if at all.

Developers with Security Awareness

SAP considers security during both the planning and development stages of the product lifecycle. At the conclusion of the planning and architecture phase, development teams must deliver a security plan for the planning-to-development Q-gate, outlining how the security standard will be implemented. SAP invests heavily in the security awareness of developers and conducts mandatory security training. Developers also learn about SAP security initiatives via regular presentations that increase their security understanding. An overview of and further information on security topics is available via the SAP corporate portal. A comprehensive security training offering aims to raise developers' awareness and multiply their security knowledge.
Wide Network of Security Experts

But security has many layers, and the details are very complex. Since planners and developers naturally focus on core software functions, SAP has an extensive network of personnel dedicated to optimizing software security. Everything related to secure programming, specifications, solutions, and testing is overseen by the owner of the SAP product security standard. The product security standard owner works closely with SAP security experts and an advisory and review board with representatives from development, support, and validation. The board counsels the standard owner and advances the wishes of the development teams. Changes to the product security standard require approval of a majority of the board.

If particularly difficult security questions arise, developers call on specialists from the SAP product security standard owner team. These experts serve as consultants within a security competence center. They are knowledgeable about SAP security functions and solutions and have many years of experience with attack and protection techniques. Learnings from the SAP security response process are also regularly incorporated into new security provisions.

Development Framework That Automates Security

The SAP development framework also lets developers fulfill many security requirements without taking additional action. For example, the Web Dynpro development environment provides certain protections against cross-site scripting. A user administration tool provides secure password storage; SAP runtime environments for the ABAP and Java programming languages provide certain protections against buffer overflow vulnerabilities. SAP also provides central libraries that have functions to satisfy security requirements. Developers can use functions for connecting virus scanners or for leveraging output escaping in user interfaces such as JavaServer Pages (JSPs).
Instructions are available on how to implement security requirements in general and specific situations, including security-related settings for configuring and operating applications, and authorization concepts and recommendations.

Testing with Special Tools

Testing is crucial for secure software development. For ABAP, SAP primarily uses the extended program check with the ABAP test cockpit as the framework; for other languages, SAP uses different third-party tools. Test results are automatically consolidated for further analysis and tracking. SAP also subjects products under development to a series of manual and semiautomatic tests. SAP has built test-case templates for the most important security requirements, so essentials are not omitted. Internal test services performed by SAP security experts are available to development groups. The security code scan team continuously works at optimizing the scan tools and evaluating other scan tools in the market.
Validation That Includes External Checks

After the development-to-production Q-gate has been passed, validation begins. Validation is a larger, stand-alone project during which all aspects of the product are checked. This includes installation on the different platform combinations of databases and operating systems that SAP supports. The validation team performs a range of security tests, and issues are reported to the development group. The development team then formulates a plan for resolving the issues before the next Q-gate. This plan must be approved by the product security standard owner.

SAP also hires external security specialists to thoroughly vet SAP applications. This allows SAP to leverage the most up-to-date industry experience, tools, and knowledge of attack techniques when developing its applications. The SAP NetWeaver technology platform, which provides many central security functions, regularly undergoes these external security checks.

Certification That Validates Software Security

SAP product development is certified to ISO 9001:2008. SAP IT security management is certified to ISO 27001:2005, confirming that SAP IT infrastructure and processes have a high level of security. Various customer groups have audited SAP processes for compliance with legal requirements, such as those of the U.S. Food and Drug Administration and other bodies. SAP has also obtained Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) certification. This certification enables consistent evaluations of security products and systems, ensuring comparability between independent security assessments. ISO/IEC 15408 provides a common set of requirements for security functionality in IT products and for the assurance measures applied to these products during a security appraisal. These certifications further establish a level of confidence that SAP software is up to meeting today's security challenges through secure software development.
www.sap.com/contactsap CMP16703 (12/01) 2012 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trade marks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, ianywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company. Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ( SAP Group ) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.