Develop Stable, High-Performance Applications for SAP HANA

Page 1: Develop Stable, High-Performance Applications for SAP HANA

run your business safer

HANA Code Scanning – Developing Secure Applications For SAP HANA

Patrick Boch

© 2015, Virtual Forge GmbH. All rights reserved.

Page 2

SAP HANA: new technology

Page 3

Introduction

Why is HANA important to SAP

  Strategic solution

  S/4 HANA: "biggest innovation since R/3"

  Transition of all new and existing customers to HANA in the mid- to long-term

Page 4

HANA deployment scenarios

  HANA as a data mart

Similar to "classic" BW architecture, HANA gathers data from (several) source systems

  HANA in a classic 3-tier architecture

  HANA replaces regular relational database

  HANA as a technical infrastructure for native applications

  New business application platform (S/4 HANA)

Page 5

Understanding HANA security

Page 6

Introduction

Why is HANA important to Hackers

Content Considerations

Contains business critical data → espionage target

  Central to business processes → sabotage target

Technology Considerations

Fraud possibilities

  IT / Security has little experience with HANA

Page 7

SAP HANA architecture

Page 8

Risks in SAP HANA

Page 9

Weaknesses include XSS, SQL injection, ABAP code injection

Web Applications

SAP HANA systems can easily be found on the Internet

Unauthorized access possible

Services can be misused

SAP HANA is still vulnerable to typical web weaknesses

Page 10

Privileged functions are enabled, incl. OS command execution

R-Serve

R is used for statistical and advanced data analysis

SAP HANA connects to R-Serve to utilize R functions

R-Serve runs on a separate host, with remote functions enabled

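The slide above says the R host is a separate system with remote functions enabled, which puts its access control settings inside HANA's trust boundary. As an added example (not from the slides, and not SAP's or Rserve's own code), here is a small JavaScript checker for the access-control keys in Rserve's configuration file, Rserv.conf. The keys `remote`, `control`, `auth` and `plaintext` with their `enable`/`disable` (for `auth`: `required`/`disable`) values are Rserve's documented settings; the three sample files are constructed, and the severity ratings are this example's own assumption.

```javascript
// Added example: a checker for the access-control settings in an Rserve
// configuration file (Rserv.conf). Not from the slides, SAP or Rserve.
// Keys used: remote, control, auth, plaintext (Rserve's documented names);
// the risk ratings below are this example's own assumption.

// Constructed Rserv.conf as a HANA-attached Rserve often ends up: remote
// access is needed because HANA runs on another host, the rest is left open.
const WEAK_CONF = `
# Rserv.conf (constructed sample)
workdir /tmp/Rserv
port 6311
remote enable
control enable
auth disable
plaintext enable
`;

// Constructed half-way fix: authentication is on, but passwords may still
// travel in the clear.
const PARTIAL_CONF = `
workdir /tmp/Rserv
port 6311
remote enable
control disable
auth required
plaintext enable
`;

// Constructed hardened counterpart: still reachable from the HANA host, but
// clients must authenticate, cleartext passwords are refused, control is off.
const HARDENED_CONF = `
workdir /tmp/Rserv
port 6311
remote enable
control disable
auth required
plaintext disable
`;

// Parse "key value" lines into an object; '#' starts a comment, keys and
// values are lower-cased so comparisons below are case-insensitive.
function parseRservConf(text) {
  const conf = {};
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();
    if (!line) continue;
    const [key, ...rest] = line.split(/\s+/);
    conf[key.toLowerCase()] = rest.join(" ").toLowerCase();
  }
  return conf;
}

// Apply the policy. An absent "auth" key is treated as "not required",
// the conservative reading for a server that accepts remote connections.
function checkRservConf(text) {
  const conf = parseRservConf(text);
  const findings = [];
  if (conf.remote === "enable" && conf.auth !== "required") {
    findings.push({ severity: "high", key: "auth",
      msg: "remote connections accepted without authentication: any host that reaches the port can run R code" });
  }
  if (conf.control === "enable") {
    findings.push({ severity: "high", key: "control",
      msg: "control commands enabled: connected clients may shut down or reconfigure the server" });
  }
  if (conf.auth === "required" && conf.plaintext === "enable") {
    findings.push({ severity: "medium", key: "plaintext",
      msg: "authentication required, but plaintext passwords are allowed on the wire" });
  }
  return findings;
}

// Stand-alone run: report each constructed file.
for (const [name, text] of [["weak", WEAK_CONF], ["partial", PARTIAL_CONF], ["hardened", HARDENED_CONF]]) {
  console.log(name, JSON.stringify(checkRservConf(text)));
}
```

Run it with `node` on a copy of the real Rserv.conf by replacing the constructed strings; because the R host is a separate machine, this is a check to run on that host as part of the HANA system review, not something the database itself will report.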
Page 11

Programming needs to be validated for weaknesses

Custom Development

SAP HANA applications are accessible through browsers

New programming languages = increased development complexity

Web applications need to be secured at all levels

Page 12

Developing applications for SAP HANA

Page 13

Challenges in HANA development

New programming languages for ABAP developers

JavaScript (XSJS)

SQLScript

R

Complex role model

JavaScript developers lack (enterprise) security know-how

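The "Custom Development" slide (browser-accessible HANA applications, new languages, security at all levels) and the "Challenges in HANA development" slide above both come down to the same point: XSJS code written by developers new to enterprise security has to be checked for the classic web weaknesses. As an added example (not from the slides, and not Virtual Forge's CodeProfiler for HANA), here is a toy line-based taint check in JavaScript that tracks variables read from `$.request.parameters` and flags them when they are concatenated into a SQL statement (SQL injection) or into the response body (XSS). The two XSJS handlers are constructed; `$.request.parameters.get`, `$.db.getConnection`, `prepareStatement`, `setString` and `$.response.setBody` are real XSJS APIs, while `escapeHtml()` is a hypothetical project helper the check is told to trust.

```javascript
// Added example (not from the slides and not Virtual Forge's CodeProfiler):
// a toy line-based taint check for XSJS handlers. It tracks variables read
// from $.request.parameters and flags them when they are concatenated into
// a SQL statement (SQL injection) or into the response body (XSS).

// Constructed XSJS handler showing both weaknesses named on the slides.
const VULNERABLE_XSJS = `
var id = $.request.parameters.get("id");
var conn = $.db.getConnection();
var stmt = conn.prepareStatement("SELECT name FROM customers WHERE id = '" + id + "'");
var rs = stmt.executeQuery();
$.response.contentType = "text/html";
$.response.setBody("<p>Customer " + id + "</p>");
`;

// Constructed hardened version: the value is bound as a parameter and passed
// through escapeHtml(), a hypothetical project helper the check recognises.
const HARDENED_XSJS = `
var id = $.request.parameters.get("id");
var conn = $.db.getConnection();
var stmt = conn.prepareStatement("SELECT name FROM customers WHERE id = ?");
stmt.setString(1, id);
var rs = stmt.executeQuery();
$.response.contentType = "text/html";
$.response.setBody("<p>Customer " + escapeHtml(id) + "</p>");
`;

// Taint source: a var assigned from a request parameter.
const SOURCE_RE = /\bvar\s+(\w+)\s*=\s*\$\.request\.parameters\.get\(/;
// Sinks: SQL statement construction/execution and the HTTP response body.
const SQL_SINK_RE = /\.(prepareStatement|executeQuery|executeUpdate)\s*\((.*)\)/;
const HTML_SINK_RE = /\$\.response\.setBody\s*\((.*)\)/;
// Calls that make a value safe for HTML output (hypothetical helper name).
const HTML_SANITIZERS = ["escapeHtml"];

// Replace recognised sanitizer calls by an empty string literal so that
// whatever they wrap no longer counts as tainted.
function neutralizeSanitizers(expr) {
  return HTML_SANITIZERS.reduce(
    (e, s) => e.replace(new RegExp(`\\b${s}\\s*\\([^()]*\\)`, "g"), '""'), expr);
}

// True when a tainted variable is an operand of string concatenation in expr.
function concatenatesTainted(expr, tainted) {
  return [...tainted].some(
    v => new RegExp(`\\+\\s*${v}\\b|\\b${v}\\s*\\+`).test(expr));
}

// Scan one XSJS source text; returns findings with 1-based line numbers.
function scanXsjs(source) {
  const tainted = new Set();
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const lineNo = idx + 1;
    const src = SOURCE_RE.exec(line);
    if (src) { tainted.add(src[1]); return; }
    const sql = SQL_SINK_RE.exec(line);
    if (sql && concatenatesTainted(sql[2], tainted)) {
      findings.push({ line: lineNo, rule: "SQL_INJECTION",
        detail: `request parameter concatenated into ${sql[1]}(); bind it with setString()/setInt() instead` });
    }
    const html = HTML_SINK_RE.exec(line);
    if (html && concatenatesTainted(neutralizeSanitizers(html[1]), tainted)) {
      findings.push({ line: lineNo, rule: "XSS",
        detail: "request parameter written to the response body without HTML escaping" });
    }
  });
  return findings;
}

// Stand-alone run: print findings for both samples.
for (const [name, src] of [["vulnerable", VULNERABLE_XSJS], ["hardened", HARDENED_XSJS]]) {
  console.log(name, JSON.stringify(scanXsjs(src)));
}
```

The check is deliberately line-local (no cross-line data flow, no string escaping for SQL), which is why a real scanner with a full parser and data-flow analysis, like the one the slides describe, finds much more; the point here is what a finding has to carry to be actionable: the line, the rule, and the fix the developer should apply.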
Page 14

Solutions for SAP HANA

Page 15

Virtual Forge HANA Security Suite

Optimizing ABAP-Code for HANA Usage (CodeProfiler)

  HANA Test Cases (HANA Readiness & Optimization)

Automated Correction ("Quick Fix" and Bulk)

Securing HANA configuration (SystemProfiler)

  Additional platform for SystemProfiler

  Test Cases, e.g. communication security, authorization, others

CodeProfiler for HANA

Eclipse and WebIDE Integration

  First HANA Code Scanner

Page 16

Virtual Forge CodeProfiler for HANA (CP4H)

  Supports SQLScript and XSJS

Direct integration into Eclipse and WebIDE

  Incl. documentation and solution approach

Comprehensive Test Case list (currently 22 on XSJS, 17 on SQLScript)

  Coming soon: UI5 and R support

  Further integration scenarios (HANA projects, CTS+, Finding Management, Cockpit)

Page 17

Take action: We evaluate the current state of your SAP environment for free

Take an instant test: visit www.virtualforge.com

  Summary of findings

  Prioritization and classification of vulnerabilities

  Specific examples of findings

  Code and system metrics

Quality, Compliance, Security: Secure SAP® systems

Risk Assessment / Penetration Test

  SAP configuration

  Custom code

Page 18

Patrick Boch www.virtualforge.com

@Virtual_Forge

Thank you! Feel free to write or call for any questions and requests
