SAP Security Recommendations December 2011. Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.



Similar documents
SAP BW on HANA & HANA Smart Data Access Setup

SAP BusinessObjects Business Intelligence 4 Innovation and Implementation

SAP PartnerEdge Program: Opportunities for SAP-Authorized Resellers

LHI Leasing Simplifying and Automating the IT Landscape with SAP Software. SAP Customer Success Story Financial Services Provider LHI Leasing

SAP Landscape Transformation (SLT) Replication Server User Guide

Active Quality Management

How-to guide: Monitoring of standalone Hosts. This guide explains how you can enable monitoring for standalone hosts in SAP Solution Manager

Nine Reasons Why SAP Rapid Deployment Solutions Can Make Your Life Easier Get Where You Want to Be, One Step at a Time

Sybase ASE Linux Installation Guide Installation and getting started guide for SAP Sybase ASE on Linux

SAP BusinessObjects Dashboarding Strategy and Statement of Direction

SAP Business One OnDemand. SAP Business One OnDemand Solution Overview

Create and run apps on HANA Cloud in SAP Web IDE

Open Items Analytics Dashboard System Configuration

Set Up Hortonworks Hadoop with SQL Anywhere

Memory Management simplifications in ABAP Kernel 7.4*

Implementing an Enterprise Information Management Strategy An Approach That Mitigates Risk and Drives Down Costs

LVS Troubleshooting Common issues and solutions

How to Implement a SAP HANA Database Procedure and consume it from an ABAP Program Step-by-Step Tutorial

SAP PartnerEdge Program Guide for Language Services Partners

Creating a Fiori Starter Application for sales order tracking

Streamlined Planning and Consolidation for Finance Teams in Any Organization

The Security Development Lifecycle at SAP How SAP Builds Security into Software Products

Agentry and SMP Metadata Performance Testing Guidelines for executing performance testing with Agentry and SAP Mobile Platform Metadata based

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

SAP White Paper Enterprise Information Management

Data Governance. Data Governance, Data Architecture, and Metadata Essentials Enabling Data Reuse Across the Enterprise

SAP Thought Leadership Paper Engineering, Construction, and Operations. Beyond Enterprise Resource Planning Construction in the ipad Age

How to Extend a Fiori Application: Purchase Order Approval

SAP White Paper Enterprise Mobility. Best Practices for a Mobility Center of Excellence Keeping Pace with Mobile Technology

Consumption of OData Services of Open Items Analytics Dashboard using SAP Predictive Analysis

Configuring Java IDoc Adapter (IDoc_AAE) in Process Integration. : SAP Labs India Pvt.Ltd

Document and Data Retention Compliance Understanding and Addressing the Costs, Risks, and Legal Pitfalls

Reducing Operational Risk with SAP Management of Change

Within Budget and on Time

Extend the SAP FIORI app HCM Timesheet Approval

How To Make Your Software More Secure

Compare & Adjust How to Guide for Compare & Adjust in SAP Solution Manager Application Lifecycle Management

Certification Guide Network Connectivity for SAP on Premise and Cloud Solutions Integration

SAP Archiving and SAP Document Access

BUSINESS-DRIVEN, COMPLIANT IDENTITY MANAGEMENT USING SAP NetWeaver IDENTITY MANAGEMENT

Five Strategies Small and Medium Enterprises Can Use to Successfully Implement High Value Business Mobility

SAP BUSINESS PLANNING AND CONSOLIDATION 10.0, VERSION FOR SAP NETWEAVER, POWERED BY SAP HANA STARTER KIT FOR USGAAP

Using SAP Crystal Reports with SAP Sybase SQL Anywhere

Design Thinking for. Requirements Analysis

Business-Driven, Compliant Identity Management

SAP BusinessObjects Edge BI, Preferred Business Intelligence. SAP BusinessObjects Portfolio SAP Solutions for Small Businesses and Midsize Companies

Made to Fit Your Needs. SAP Solution Overview SAP Solutions for Small Businesses and Midsize Companies

BW Source System: Troubleshooting Guide

SAP CRM Service Manager 3.1 Mobile App Extended Feature List An extended list of all the features included in the default delivery of the SAP CRM

Installing and Configuring the HANA Cloud Connector for On-premise OData Access

SAP BusinessObjects Edge BI, Standard Package Preferred Business Intelligence Choice for Growing Companies

What's New in SAP BusinessObjects XI 3.1 Service Pack 5

SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis

ForFarmers: SAP Business Communications Management for Call Center Workload Distribution

SAP Sybase Adaptive Server Enterprise Shrinking a Database for Storage Optimization 2013

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

SAP Customer Relationship Management. SAP CRM Rapid-Deployment Solution An Essential CRM Solution,

Using Database Performance Warehouse to Monitor Microsoft SQL Server Report Content

SAP BusinessObjects SOLUTIONS FOR ORACLE ENVIRONMENTS

Guide to the SAP Extended Business Program

How To Use Sap Business Objects For Microsoft (For Microsoft) For Microsoft (For Pax) For Pax (For Sap) For Spera) For A Business Intelligence (Bio) Solution

SAP ERP FINANCIALS ENABLING FINANCIAL EXCELLENCE. SAP Solution Overview SAP Business Suite

Minimize Access Risk and Prevent Fraud With SAP Access Control

Meeting the Challenges of

Additional Guide to Implementing the SAP CRM Service Management rapiddeployment

SAP HANA. SAP HANA Performance Efficient Speed and Scale-Out for Real-Time Business Intelligence

Operational Risk Management A Clear Path to Proactively Managing Risk and Ensuring Operational Continuity

How To... Master Data Governance for Material: Create Custom Print forms. Applicable Releases: MDG 7

SAP Solution Manager - Content Transfer This document provides information on architectural and design questions, such as which SAP Solution Manager

Optimized Shift Planning and Scheduling Creating Shifts and Aligning Resources to Match the Forecasted Workload

SAP Thought Leadership SAP Customer Relationship Management. Strengthen the Brand and Improve

Transform HR into a Best-Run Business Best People and Talent: Gain a Trusted Partner in the Business Transformation Services Group

How To Install The Sap Business Explorer 7.X 2.X (Sap) On A Windows 7.30 Computer (Windows 7)

Quick Guide to the SAP Customer Relationship Management Rapid- Deployment Solution (based on EhP1) Demo/Evaluation Appliance

SAP Work Manager 6.0 Mobile App Extended Feature List

UI Framework Simple Search in CRM WebClient based on NetWeaver Enterprise Search (ABAP) SAP Enhancement Package 1 for SAP CRM 7.0

SAP Sourcing OnDemand Wave 8 Solution Guide

AC200. Basics of Customizing for Financial Accounting: General Ledger, Accounts Receivable, Accounts Payable COURSE OUTLINE

SAPFIN. Overview of SAP ERP Financials COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

HR400 SAP ERP HCM Payroll Configuration

SAP S/4HANA Embedded Analytics

SAP Thought Leadership Business Intelligence IMPLEMENTING BUSINESS INTELLIGENCE STANDARDS SAVE MONEY AND IMPROVE BUSINESS INSIGHT

SAP BusinessObjects Edge BI, Preferred Business Intelligence. SAP Solutions for Small Business and Midsize Companies

Arteria Technologies: Building Enterprise Mobile Apps That Extend SAP Business Suite

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

SAP BusinessObjects Business Intelligence 4.1 One Strategy for Enterprise BI. May 2013

The Clear Path to Business

Add Value and Enable Student Success with Online Training on SAP Software

Ecosystem. SAP Partner Guide

SAP Business ByDesign and SAP ERP. SAP Business ByDesign for Subsidiaries Overview of Functional and Technical Integration with Headquarters SAP ERP

TM111. ERP Integration for Order Management (Shipper Specific) COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

SAP Document Center. May Public

Setting up the Environment for Creating or Extending SAP Fiori Apps

SAP ERP EMPLOYEE INTERACTION CENTER

Procurement. Procurement Solutions from SAP Enabling Excellence for Procurement Organizations

Finding the Leak Access Logging for Sensitive Data. SAP Product Management Security

SAP NetWeaver BRM 7.3

Secure MobiLink Synchronization using Microsoft IIS and the MobiLink Redirector

Driving Excellence in Implementation and Beyond The Underlying Quality Principles

Enterprise Software - Applications, Technologies and Programming

Transcription:

SAP Security Recommendations December 2011 Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.0

Secure Software Development at SAP Table of Contents 4 SAP Software Security: More Than Skin Deep 5 Four Decades of Assessing Security Developers with Security Awareness 6 Wide Network of Security Experts Development Framework That Automates Security Testing with Special Tools 7 Validation That Includes External Checks Certification That Validates Software Security

Businesses today must ensure their digital integrity. SAP recognizes that, as a leading provider of enterprise software and the SAP NetWeaver technology platform, it must act as a role model and demonstrate a high engagement in providing secure software to its customers. SAP works toward this objective through a rigorous development process that embeds security throughout the product innovation lifecycle. SAP Software Security: More Than Skin Deep Classic security functions like logon, user administration, authorization checks, encryption, digital signatures, and connection to virus scanners are, of course, fundamental aspects in the modern software environment. SAP provides these needed functions, but where it really helps to ensure software security is at the development level. At each step of the process, from early planning through customer rollout, SAP embeds stringent security standards and subjects them to rigorous pass or fail checkpoints until its software is ready for use as the business solutions that enterprises depend upon worldwide. A software product must be built for security at the outset and strength-tested at each stage of the development cycle. That s why the SAP development framework the product innovation lifecycle elevates security to a prominent position. The framework consists of a core set of rules, product and process standards, and support for best practices that cover the entire software creation lifecycle invent, define, develop, deploy, and optimize. The framework also governs the organizational stages, from SAP s initial product portfolio decision through to the investment program, development project, and project execution. At each step in the lifecycle, SAP software security is checked at quality gates (Q-gates). Q-gates are the internal controls of SAP software development. They are mandatory milestones, evaluated at formal meetings, to establish each product s maturity, quality, and security, to determine if it can move to the next lifecycle phase. (See the figure.) No software progresses to a subsequent stage until it has cleared its Q-gates and decision points, which include planning to development, development to production, and production to ramp-up and general customer availability. These Q-gates not only verify the functional correctness and completeness of a product, along with its performance and usability, but they also focus on security. Figure: Quality Gates in the Product Innovation Lifecycle Q-Gate Q-Gate Q-Gate Invent Define Development Validation Deploy Optimize

From early planning through customer rollout, SAP embeds stringent security standards and subjects them to rigorous pass or fail checkpoints until its software is ready for use as the business solution enterprises depend upon worldwide. Four Decades of Assessing Security SAP security standards have been assembled from around four decades of experience serving more than 100,000 customers. The standards reside in a central, adaptive repository of knowledge that is continuously passed on to individual development projects. SAP constantly checks with individual customers and organized customer groups for new security requirements. It analyzes feedback from SAP Consulting, the SAP sales organization, and SAP Research. Requirements also come from analyses by independent security experts and from projects like the Open Web Application Security Project (OWASP) an open community dedicated to enabling organizations to develop applications that can be trusted. These security requirements are translated into SAP secure software standards to help avoid vulnerabilities like buffer overflows, where a program tries to put more data in the buffer than it can hold and an attacker can exploit the situation to transfer control to malicious code. Another example is the prevention of cross-site scripting, where an application takes untrusted data and sends it to a Web browser without proper handling allowing attackers to execute scripts in the browser that hijack user sessions or redirect the user to malicious sites. Security solutions also address weaknesses like application authorization based on least-needed privileges. And they reduce the software s attack surface, the areas exposed to attacks. Other security provisions help lower the total cost of ownership (TCO) by simplifying integration with security functionality. SAP security standards also help reduce TCO by avoiding the reinvention of existing security solutions which can not only increase development and maintenance costs but also heighten the risk that problems are not identified quickly, if at all. Developers with Security Awareness SAP considers security during both the planning and development stages of the product lifecycle. At the conclusion of the planning and architecture phase, development teams must deliver a security plan for the planning-to-development Q-gate, outlining how the security standard will be implemented. SAP invests heavily in the security awareness of developers and conducts mandatory security training. Developers also learn about SAP security initiatives via regular presentations that increase their security understanding. Overview and further information on security topics is available via the SAP corporate portal. A comprehensive security training offering aims to raise developers awareness and multiply their security knowledge. Secure Software Development at SAP 5

Wide Network of Security Experts But security has many layers, and the details are very complex. Since planners and developers naturally focus on core software functions, SAP has an extensive network of personnel dedicated to optimizing software security. Everything related to secure programming, specifications, solutions, and testing is overseen by the owner of the SAP product security standard. The product security standard owner works closely with SAP security experts and an advisory and review board with representatives from development, support, and validation. The board counsels the standard owner and advances the wishes of the development teams. Changes to the product security standard require approval of a majority of the board. If particularly difficult security questions arise, developers call on specialists from the SAP product security standard owner team. These experts serve as consultants within a security competence center. They are knowledgeable about SAP security functions and solutions and have many years of experience with attack and protection techniques. Learnings from the SAP security response process are also regularly incorporated into new security provisions. Development Framework That Automates Security The SAP development framework also lets developers fulfill many security requirements without taking additional action. For example, the Web Dynpro development environment provides certain protections against cross-site scripting. A user administration tool provides secure password storage; SAP runtime environments for the ABAP and Java programming languages provide certain protections against buffer overflow vulnerabilities. SAP also provides central libraries that have functions to satisfy security requirements. Developers can use functions for connecting virus scanners or for leveraging output escaping in user interfaces such as JavaServer Pages (JSPs). Instructions are available on how to implement security requirements in general and specific situations, including security-related settings for configuring and operating applications and authorization concepts and recommendations. Testing with Special Tools Testing is crucial for secure software development. For ABAP, SAP primarily uses the extended program check with the ABAP test cockpit as the framework; and for other languages, SAP uses different third-party tools. Test results are automatically consolidated for further analysis and tracking. SAP also subjects products under development to a series of manual and semiautomatic tests. SAP has built test-case templates for the most important security requirements, so essentials are not omitted. Internal test services performed by SAP security experts are available to development groups. The security code scan team continuously works at optimizing the scan tools and evaluating other scan tools in the market.

Validation That Includes External Checks After the development-to-production Q-gate has been passed, validation begins. Validation is a larger, stand-alone project during which all aspects of the product are checked. This includes installation on different platform combinations of databases and operating systems that SAP supports. The validation team performs a range of security tests, and issues are reported to the development group. The development team then formulates a plan for resolving the issues before the next Q-gate. This plan must be approved by the product security standard owner. SAP also hires external security specialists to thoroughly vet SAP applications. This allows SAP to leverage the most up-to-date industry experiences, tools, and knowledge of attack techniques when developing its applications. The SAP NetWeaver technology platform, which provides many central security functions, regularly undergoes these external security checks. Certification That Validates Software Security SAP product development is certified to ISO 9001:2008 standards. SAP IT security management is certified to ISO 27001:2005 standards, confirming that SAP IT infrastructure and processes have a high level of security. Various customer groups have audited SAP processes for compliance with legal requirements, such as those of the U.S. Food and Drug Administration and other bodies. SAP has also obtained Common Criteria for Information Technology Security Evaluation certification ISO/IEC 15408. This certification enables consistent evaluations of security products and systems, ensuring comparability between independent security assessments. ISO/IEC 15408 provides a common set of requirements for security functionality in IT products and for assurance measures applied to these products during a security appraisal. These certifications further establish a level of confidence that SAP software is up to meeting today s security challenges through secure software development. Security has many layers, and the details are very complex. Since planners and developers naturally focus on core software functions, SAP has an extensive network of personnel dedicated to optimizing software security. Secure Software Development at SAP 7

www.sap.com/contactsap CMP16703 (12/01) 2012 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trade marks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, ianywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company. Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ( SAP Group ) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information