GM: Automating Code Reviews for Custom ABAP Applications to Reduce Risk and Lower TCO Markus Seibel, GM Dr. Markus Schumacher, Virtual Forge

Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Virtual Forge Code Profiler

Presentation held at the 2013 ASUG Annual Conference.

Page 1: Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Virtual Forge Code Profiler


Page 2

Who we are

Markus Seibel

SAP Security Lead, Adam Opel AG / GM

Rüsselsheim, Germany

Dr. Markus Schumacher

CEO of Virtual Forge

Heidelberg | Weimar | Philadelphia

Twitter: @virtual_forge | Questions: #safercode

Page 3

Agenda

• SAP CCOE @ GM EMEA

• CPR - Automated Change Management at GM

• Potential Risks from Bad ABAP Code

• ABAP Firewall: Automatic Code Scanning

• Summary

Page 4

SAP CCOE @ GM EMEA

• Strengthen SAP CCoE within Business Functions to drive efficiency and optimization

• Run in-flight programs

• Contribute to GM Global SAP Initiatives

Page 5

LOCATIONS and SCOPE MANAGED

Page 6

EMEA SAP CCOE plays Global

Engagement within the GM Global SAP Program

Diagram elements: Portfolio, Template, Plan / Build / Run convergence, Bill of IT, Bill of Process, Shared Governance


Page 8

Conflicting Project Goals

Goals of project / implementation teams:

• Project budget and go-live date

• Delivered product must work at point of hand-over

• Satisfy the "direct customers" (e.g. new site)

• Minimize coordination effort wherever possible (with the customer as well as team-/supplier-internally)

• Minimize regression tests

• Scope reductions (classic "not part of our job / contract" discussions)

• Low cost / offshore

Goals of customer / system owner / CCoE:

• Long-term maintainability

• Harmonized processes and "templates"

• Avoiding redundancies

• Low operating costs

• Secure environment

• Quality, sustainability & no surprises in coding

Page 9


Approaches

• Clone existing ABAP code instead of extending or reusing existing functionality

• Ignore template, rather clone legacy system wherever possible

• Quick & dirty, hard-coded

• Cheap resources instead of experienced staff

• Delay progress in order to force customer to accept unsatisfactory solutions to keep time line

• …

Have you ever wondered where all the vulnerabilities are coming from?

An SAP CCoE has to combine two contradicting goals to make a project really successful:

• Support and manage the project

• "Defend" the system against the project team (!)

Page 10

Automated Change Management

CPR – GM’s Global SAP Change Management

• Custom GM solution for managing SAP Changes

• Similar functionality to ChaRM

• Manages entire change process from ticket creation to Prod

• Tight integration with SAP

• Tracks changes, approvals, create/release transports, etc.

• Ensures compliance (SOX, ITIL, internal, etc.)

• ‘ABAP Firewall’ - static code analysis of ABAP application code and changes

Page 11

ABAP Firewall

• Tightly integrated with CPR and SAP

• Tests all domains: Security, Compliance, Performance, and Quality

• Very low False Positive rate (<5%)

• Online scanning for development

• Fast scan rate for high volume scanning (>10k loc/sec)

• Complete reporting and audit detail

• Integrated with ABAP Workbench, Eclipse, SAP TMS, Solution Manager, etc.

Virtual Forge CodeProfiler


Page 13

Increased Complexity and Risk

The Attack Surface of ABAP 1997

Page 14

Increased Complexity and Risk

The Attack Surface of ABAP 2002

Page 15

Increased Complexity and Risk

The Attack Surface of ABAP since 2007

Page 16

More sophisticated Attackers - Script Kiddies

• Minor knowledge

• Work with "copy & paste" and use public information, programs, tools, etc. in order to attack / damage computer systems

• Random targets

• Motivation: usually reputation

Page 17

More sophisticated Attackers - Professional Attackers

• Highly skilled

• Almost unlimited time and money resources

• Targeted attacks (e.g. Stuxnet)

• Often internal attackers

• Motivation: industrial espionage, sabotage, …

Page 18

ABAP™ Quality Benchmark

Average number of findings per scan

Domain            Total Findings   Critical Findings
Security               7,438            1,571
Compliance             2,404              221
Performance           18,277            1,384
Maintainability       12,954                -
Robustness             9,286              710
TOTAL                 50,359            3,886

– 62.5 % probability of an ABAP Command Injection vulnerability

– 100 % probability of defective authorization checks

– 95.83 % probability of a Directory Traversal vulnerability

Anonymized data from 60 ABAP code analysis projects / average 1.65 million lines of code per scan (status: May 2012)

~ 1 critical security defect every 1,000 lines of ABAP code

Page 19

Regulatory Compliance

PCI-DSS (Payment Card Industry Data Security Standard) CodeProfiler provides more than 30 test cases in order to test for PCI DSS compliance (PCI DSS Requirements and Security Assessment Procedures, Version 2.0)

PII (Personally Identifiable Information) To protect the PII, CodeProfiler has test cases related to the disclosure of critical data ("assets"). Exit points for this domain exist in the following classifications: SAP GUI, HTTP/HTML, FTP, GUI Download, Files, Return values of RFC enabled function modules. Main purpose of this test domain is to identify data leaks.

SOX CodeProfiler provides more than 30 test cases in order to test for SOX / SOX-EUR compliance (Sarbanes-Oxley Act). SOX audits rely on IT General Controls (ITGC) to provide a sound technical basis for the reliability and accountability of business processes. Custom development is relevant for Change Management, which is in turn relevant for ITGC. Therefore, any changes to program logic are SOX relevant if they introduce a potential security issue. ABAP coding practices and standards must ensure that ITGC are not bypassed by insecure coding. SOX audits must check that appropriate controls are in place that make sure no relevant security defects exist in ABAP code.


Page 21

Code Governance & Control Built into the Process

1. Release transport (SAP Development)

2. Automatic analysis of all transports by CodeProfiler (TMS / ChaRM) as gatekeeper. Quality OK? YES: Allow transport (to SAP Test / QA). NO: Reject transport

3. [Optional] Ask QA for exception (peer review). Quality OK? YES: Allow transport. NO: Reject approval

Page 22

Data and Control Flow Analysis (Patented): Show only findings that matter

Diagram: Input (SAP GUI, BSP, RFC, ...) → Software → Dangerous Statement
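The flow idea on this slide, as an added example written for this page (not Virtual Forge's implementation): a small Python taint tracker over a constructed ABAP snippet that reports a dynamic WHERE clause only when its variable is reachable from a PARAMETERS input, so a dynamic statement fed by a constant is not a finding.

```python
import re

# Constructed ABAP-like snippet (not from the presentation). Both SELECTs use a
# dynamic WHERE clause, but only lv_where is built from the user input p_name.
SAMPLE_ABAP = """\
PARAMETERS: p_name TYPE string.
DATA: lv_where TYPE string, lv_fixed TYPE string, lv_user TYPE string.
lv_fixed = 'MANDT = SY-MANDT'.
lv_user = p_name.
CONCATENATE 'NAME = ''' lv_user '''' INTO lv_where.
SELECT * FROM ztable INTO TABLE lt_fixed WHERE (lv_fixed).
SELECT * FROM ztable INTO TABLE lt_user WHERE (lv_where).
"""

INPUT_RE = re.compile(r"^\s*PARAMETERS:?\s+(\w+)", re.I)       # entry point
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(\w+)\s*\.", re.I)     # a = b.
CONCAT_RE = re.compile(r"^\s*CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)
DYN_WHERE_RE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)   # dangerous statement
STRING_LIT_RE = re.compile(r"'(?:''|[^'])*'")                   # ABAP '...' literal

def analyse(source):
    """Return (dangerous, findings): every dynamic WHERE clause, and the subset
    whose variable is reachable from a PARAMETERS input through assignments
    and CONCATENATE. Only the latter are reported as findings."""
    tainted, dangerous, findings = set(), [], []
    for no, line in enumerate(source.splitlines(), 1):
        m = INPUT_RE.match(line)
        if m:
            tainted.add(m.group(1).lower())
            continue
        m = ASSIGN_RE.match(line)
        if m and m.group(2).lower() in tainted:
            tainted.add(m.group(1).lower())
            continue
        m = CONCAT_RE.match(line)
        if m:
            # drop string literals, then check whether any operand is tainted
            operands = re.findall(r"\w+", STRING_LIT_RE.sub("", m.group(1)))
            if any(v.lower() in tainted for v in operands):
                tainted.add(m.group(2).lower())
            continue
        m = DYN_WHERE_RE.search(line)
        if m:
            var = m.group(1).lower()
            dangerous.append((no, var))
            if var in tainted:
                findings.append((no, var))
    return dangerous, findings

if __name__ == "__main__":
    dangerous, findings = analyse(SAMPLE_ABAP)
    print("dynamic WHERE clauses:", dangerous)   # lines 6 and 7
    print("findings that matter:", findings)     # only line 7 (lv_where)
```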

Page 23

CodeProfiler: Comprehensive Test Scope (patented)

Security Tests

• Security: ABAP™ Command Injection, OS Command Execution, SQL Injection, Broken Authority Checks, Hard-Coded Usernames, ...

• Data Loss Prevention: Disclosure of Critical Data, Disclosure of Source Code, Maintenance of sensitive data

QA Tests

• Performance: Usage of WAIT Command, Usage of SELECT *, Nested Loop, Incomplete Index, ...

• Maintainability & Robustness: Naming Conventions, Nested Macro Calls, Hard-coded Org Units, Insufficient Error Handling, ...

Page 24

Custom Development: Cost of Defects

Custom ABAP Development Facts: Cost of Defects

Cost of attack or system down                  $$$$$
Cost to correct defect in production           $10,000
Cost to correct defect found in QA testing     $1,000
Cost to correct defect during development      $100

Page 25

ABAP Code Scanning - Benefits

Lower Risk

– Detects and supports remediation of vulnerabilities related to:

• Cyberattacks

• System Failures

• Data theft/Fraud

• Industrial Espionage

– Tests in-/out-sourced development and 3rd party add-ons.

• Enforces standards for all development deliverables

• Clear and enforceable definition of programming standards

– Ensures all ABAP code changes meet Compliance and Audit requirements

Page 26

ABAP Code Scanning - Benefits

Lower TCO

• Problems are found earlier in SDLC = Lower cost to remediate defect

• Better quality code (maintainability, performance, robustness) = Lower test and maintenance costs

• Reduced review & testing times = Faster delivery of new applications

• Automated scanning = Less use of (expensive) development resources

• Online scan & remediation support for faster resolution = Less time for corrections and repair

• Better quality code = Fewer SAP production system issues


Page 28

ABAP Security in Context

Internal Control Systems - Structure in the ERP Environment

• IT General Controls (ITGC)

• Change Management

• ABAP Application Code

• Business Rules Enforcement: Authentication, Encryption, Authorization, Logging, Interfaces, Audit…

Page 29

Custom Development: Source of Defects

Custom ABAP Development Facts: Source of Defects

• Little/no technical specifications

• Manual/basic code reviews

• Testing focused on functional aspects

• External/3rd-party development

• Limited/no code change monitoring

Page 30

Custom Development: Business Risks

Business Risks Due to Security Defects

• Cyberattacks

• Data theft/fraud

• Industrial espionage

• Loss of image

• System failures

Page 31

ABAP Static Code Scanning

Benefits of Static Code Scanning

Increase:

• Security and compliance of SAP® applications

• Performance

• System stability

• Quality standards of internal and external software development

Decrease:

• Business risks

• Maintenance efforts

• Test and correction efforts

• Operating costs

Page 32

About BIZEC

Page 33

Meet Markus at the Virtual Forge Booth 2227B Follow @virtual_forge and ask about #safercode

Page 34

THANK YOU FOR PARTICIPATING

Please provide feedback on this session by completing a short survey via the event mobile application.

SESSION CODE: 0610

For ongoing education on this area of focus, visit www.ASUG.com
