ABAP Custom Code Security
A collaboration of:
SAP Global IT & SAP Product Management for Security, IDM & SSO
November 2012, Public
2012 SAP AG. All rights reserved. 2 Public
SAP Global IT - ABAP custom code security
1. Introduction / Motivation
2. Custom Code Scanning Project
3. Code Scanning Tools at SAP Global IT
Code-Security for ABAP-based applications: Tasks and Responsibilities

Phase 1: Identify Security Issues
  Global IT responsibility
    Task: review customer-specific ABAP code
    Solution: tool-based approach with a specialized ABAP security scanner (Virtual Forge CodeProfiler)
  SAP's responsibility
    Task: review a codebase of approx. 280 million lines of code
    Solution: tool-based approach with an ABAP security scanner

Phase 2: Fixing Security Issues
  Global IT responsibility
    Task: implementation of published Security Notes
    - Remediate potential security gaps in ABAP custom code
    - Regularly search for and implement relevant Security Notes
  SAP's responsibility
    Task: process issues in SAP standard code
    Solution: SAP Security Notes, currently approx. 2400 notes released (up to 10/2012)
    - Introduction of the SAP Security Patch Day
    - New Secure Programming Guidelines

Diagram labels: SAP Security Patch Day / ABAP Source Code Project
Entry points for security questions concerning custom-developed ABAP applications

- Are business-critical applications and processes sufficiently protected within the custom applications?
- Are compliance guidelines adhered to within the custom applications?
- Are data protection rules and guidelines violated through security flaws?
- Get a general overview of the code quality concerning security aspects
- Are there backdoors or malicious coding in the customer-specific developments?

(Diagram centre: Custom Source Code Security)

Key Message
- Ensuring security and compliance of custom-developed code is key
- To ensure secure custom-developed ABAP code, a highly automated solution is required
- The solution must also support the developer's requirements in daily work in a convenient way
2. Custom Code Scanning Project
ABAP Custom Code Project: Functionality / Characteristics of the static code profiling approach

Key Message
- Virtual Forge CodeProfiler (VF CP)* uses static ABAP patterns to scan ABAP source code for potential weaknesses and issues
- Allows prioritizing countermeasures by categorizing all findings regarding impact and probability
- High number of constantly updated test cases for security checks
- In scans conducted at Global IT, the VF CP* showed a low number of false positives

Proceeding: Core SAP Business Systems -> Extract via RFC -> VF CodeProfiler* -> Analyze and Document -> Output

Example finding:
TC 33 Missing AUTHORITY-CHECK in Reports
[#46] TID=80, FID=5A66D9C5271AE8E7360B61F5F167B49D5D890A40
Package: Z_BW_CORE, Program: YBW_BW_CALL_STATISTICS

* CodeProfiler is an add-on product from Virtual Forge (www.VirtualForge.com)
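The TC 33 finding above flags a report that reads business data without a programmatic authorization check. The following is an added example, not code from the deck or from CodeProfiler: a hypothetical report (report and form names invented; BKPF and the authorization object F_BKPF_BUK are standard SAP objects) showing the flagged pattern and its remediated form side by side.

```abap
REPORT zdemo_missing_auth_check.

PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

DATA: gt_bkpf  TYPE STANDARD TABLE OF bkpf,
      gv_lines TYPE i.

*--- Finding (TC 33): documents are read for whatever company code the
*    user enters. The user's authorizations are never consulted, so
*    anyone who can start the report can display every company code.
FORM read_unchecked.
  SELECT * FROM bkpf INTO TABLE gt_bkpf
    WHERE bukrs = p_bukrs.
ENDFORM.

*--- Remediation: check the standard authorization object for accounting
*    documents per company code before the read; ACTVT '03' is "display".
*    The check has to be programmatic, because the database read itself
*    enforces no authorization at all.
FORM read_checked.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Message 001 of class 00 is SAP's generic "& & & &" text.
    MESSAGE e001(00) WITH 'No display authorization for company code'
                          p_bukrs.
  ENDIF.
  SELECT * FROM bkpf INTO TABLE gt_bkpf
    WHERE bukrs = p_bukrs.
ENDFORM.

START-OF-SELECTION.
  PERFORM read_checked.
  DESCRIBE TABLE gt_bkpf LINES gv_lines.
  WRITE: / 'Accounting documents read:', gv_lines.
```

read_unchecked is never called; it is kept only to show the shape of code the scanner reports, while read_checked is what a remediated report looks like.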
CodeProfiler Test Case Examples

Test Group | Potential Impact
Missing Authority Checks | ABAP can execute business transactions without privileges. Therefore, whenever ABAP programs call functionality that requires certain privileges to run, an authority check should be made programmatically. Otherwise users might get access to restricted functionality.
Dangerous ABAP commands | These test patterns check whether any commands are used in an ABAP program that could pose a security threat. Examples are access to files and low-level system commands.
Backdoors | There are several ways to include backdoors in ABAP programs. They allow malicious developers to secretly access extra functionality by feeding certain triggers to the program.
Hard-coded user credentials | These test patterns check whether there are any hard-coded user credentials in the code.
Generic Operations | Sometimes developers write code in a way that it can be used for a number of different use cases. This flexibility often results in vulnerabilities when malicious users discover unforeseen use cases nobody expected.
Command execution | In some instances, ABAP code can be generated and executed at runtime. These test patterns check whether such risky practices are used and whether they are exploitable.
SQL Injection | This coding defect allows malicious users to manipulate Open SQL statements. This can result in information disclosure and manipulation of arbitrary data in the SAP database.
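The SQL Injection row above describes manipulation of Open SQL statements. As an added example, not code from the deck: a hypothetical report (report, form and parameter names invented; SFLIGHT and CL_ABAP_DYN_PRG are standard SAP objects) with an injectable dynamic WHERE clause and the two ways to remediate it.

```abap
REPORT zdemo_osql_injection.

* Hypothetical selection screen: a free-text filter value and a column.
PARAMETERS: p_value TYPE char40 LOWER CASE,
            p_field TYPE fieldname DEFAULT 'CARRID'.

DATA: gt_sflight TYPE STANDARD TABLE OF sflight,
      gv_where   TYPE string.

*--- Finding (SQL Injection): raw input is pasted into the WHERE clause.
*    A value containing a single quote closes the literal early, and the
*    rest of the input is then parsed as Open SQL syntax.
FORM select_injectable.
  CONCATENATE 'carrid = ''' p_value '''' INTO gv_where.
  SELECT * FROM sflight INTO TABLE gt_sflight WHERE (gv_where).
ENDFORM.

*--- Fix 1 (preferred): a typed host variable in a static WHERE clause.
*    The value travels as data and is never parsed as SQL.
FORM select_static.
  DATA lv_carrid TYPE s_carr_id.
  lv_carrid = p_value.
  SELECT * FROM sflight INTO TABLE gt_sflight
    WHERE carrid = lv_carrid.
ENDFORM.

*--- Fix 2: if the column really must be dynamic, accept it only from a
*    fixed list and let cl_abap_dyn_prg=>quote( ) escape the value.
FORM select_dynamic_checked.
  DATA: lt_allowed TYPE string_table,
        lv_field   TYPE string,
        lv_value   TYPE string.
  APPEND 'CARRID' TO lt_allowed.
  APPEND 'CONNID' TO lt_allowed.
  lv_field = p_field.
  lv_value = p_value.
  TRY.
      cl_abap_dyn_prg=>check_whitelist_tab( val       = lv_field
                                            whitelist = lt_allowed ).
      " quote( ) wraps the value in quotes and doubles quotes inside it
      lv_value = cl_abap_dyn_prg=>quote( lv_value ).
      CONCATENATE lv_field '=' lv_value INTO gv_where SEPARATED BY space.
      SELECT * FROM sflight INTO TABLE gt_sflight WHERE (gv_where).
    CATCH cx_abap_not_in_whitelist.
      MESSAGE 'Column not allowed in dynamic filter' TYPE 'E'.
  ENDTRY.
ENDFORM.
START-OF-SELECTION.
  PERFORM select_static.
```

select_injectable is the pattern the scanner reports; the static form is the fix to prefer, and the whitelisted dynamic form is for the cases where the column cannot be fixed at design time.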
Custom Code Security at SAP Global IT: Get Secure / Stay Secure

Get Secure
- Implementation of Virtual Forge CodeProfiler* and conduction of regular code scans
- Creation of agreed procedures and guidance on how to fix potential security gaps
- Analysis and remediation of security-related issues identified by the Virtual Forge CodeProfiler* for the four core SAP Global IT business systems
- Analysis and remediation of security-related issues identified by the Virtual Forge CodeProfiler* for all SAP Global IT business systems

Stay Secure
- SAP Global IT Secure Development Framework: rules and standards for the development of ABAP code
- Secure ABAP development training for developers at Global IT, teaching how to develop secure ABAP code
- Full integration of security checks into the ABAP development workbench, with high usability for developers and quality experts, using the ABAP Test Cockpit (ATC)
- Security checks during transport release (Q-Gate) to avoid new security-related issues in production

* CodeProfiler is an add-on product from Virtual Forge (www.VirtualForge.com)
SAP Global IT - ABAP Source Code Security Approach

(Diagram centre: Custom Source Code Security)

Project Level: Holistic Custom Source Code Scans; Analysis and Prioritization of Issues; Remediation of Source Code Issues; Monitoring of Remediation
Daily Operational Level: Scanning (automated periodization); Remediation; Monitoring (automated)
Structural Level: Secure Programming Guide; Secure Programming Training
3. Code Scanning Tools at SAP Global IT
Motivation for ABAP Test Cockpit: Different Tools, Different UIs, Different Results
- Different checks, messages, priorities
- Different code checks before release of transports
- No common base for QM and developer perspective
- No central point to overview the quality of custom code
ABAP Test Cockpit (ATC)

What is it?
- ATC is an ABAP check framework which allows running static checks and unit tests for ABAP programs
- ATC is designed to help meet the production standard "Functional Correctness" in the ABAP world
- ATC is fully integrated into the development environment and transport tools, along with instant navigation, documentation and fix recommendations

What are the benefits?
- ATC is the single point of entry for all static code check tools
- ATC comprises a four-eyes-principle exception process to handle false-positive findings effectively
- ATC is fully integrated in the ABAP development workbench, with high usability for developers and quality experts
- ATC is not only a check tool but supports essential QA techniques like Q-Gates or regression testing in a consolidation system
Code Scanning Tools at Global IT

Syntax Check (Check, SE80) and Extended Program Check (SLIN)
- Check the syntax and internal semantics of a program

SAP Code Inspector (SCI)
- Performs extended checks, e.g. searching for obsolete ABAP statements
- Additional checks, for example adherence to naming conventions or performance optimization

Virtual Forge CodeProfiler (CP)*
- Test domains: Security & Compliance
- Allows prioritizing countermeasures by categorizing all findings
- Establishes a baseline security level for all ABAP-based business applications
- Integration into ABAP Test Cockpit and Transport Management System
- High number of test domains and test cases

(All of the above run within the ABAP Test Cockpit (ATC))

* CodeProfiler is an add-on product from Virtual Forge (www.VirtualForge.com)
Thank You!
A collaboration of:
SAP Global IT & SAP Product Management for Security, Identity Management and Single Sign-On
Backup
ABAP Test Cockpit: Configuration of a five-system landscape

Systems: DEV -> PSS -> QAS -> FQA -> PRD
- Scanning of tasks / transports; full system scan
- Developers run static / unit / scenario tests on their objects
- Periodic check runs to validate the code of a development team
- Q-experts run mass checks and distribute the results
- Use ONE quality standard for Q-Gates
ABAP Test Cockpit Availability

The ABAP Test Cockpit (ATC) is a tool for doing static and dynamic quality checks of ABAP code and associated repository objects.

The ATC is now available with EhP2 for SAP NetWeaver 7.0 with support package stack 12. Additionally, the ATC is planned for SAP NetWeaver AS ABAP 7.03 support package stack 5.

The ATC is introduced with the following releases:
- SAP NetWeaver 7.0 EHP2 Support Package 12
- SAP NetWeaver 7.31 Support Package 5 (planned)
- SAP NetWeaver 7.32 initial release