A collaboration of: SAP Global IT & SAP Product Management for Security, IDM & SSO November, 2012
Public
1. Introduction / Motivation
2. Custom Code Scanning Project
3. Code Scanning Tools at SAP Global IT
Global IT Responsibility

Task: review customer-specific ABAP code
Solution: tool-based approach with a specialized ABAP security scanner (Virtual Forge CodeProfiler)

Task: implementation of published Security Notes
- Remediate potential security gaps in ABAP custom code
- Regularly search for and implement relevant Security Notes
Solution: SAP Security Notes: currently approx. 2400 notes released (up to 10/2012); introduction of the SAP Security Patch Day; new Secure Programming Guidelines

Get a general overview of the code quality concerning the security aspects.
Are business-critical applications and processes sufficiently protected within custom applications?
Key Message

Ensuring security and compliance of custom-developed code is key. To secure custom-developed ABAP code, a highly automated solution is required. The solution must also support the developer's requirements in their daily work in a convenient way.
Key Message
Proceeding: Analyze and Document

Output (VF CodeProfiler*):
TC 33 Missing AUTHORITY-CHECK in Reports [#46] TID=80, FID=5A66D9C5271AE8E7360B61F5F167B49D5 D890A40 Package: Z_BW_CORE, Program: YBW_BW_CALL_STATISTICS
Potential Impact

- Missing authority checks: ABAP can execute business transactions without privileges. Therefore, whenever ABAP programs call functionality that requires certain privileges to run, an authority check should be made programmatically. Otherwise users might get access to restricted functionality.
- Dangerous commands: these test patterns check if there are any commands used in an ABAP program that could pose a security threat. Examples are access to files and low-level system commands.
- Backdoors: there are several ways to include backdoors in ABAP programs. They allow malicious developers to secretly access extra functionality by feeding certain triggers to the program.
- Hard-coded credentials: these test patterns check if there are any hard-coded user credentials in the code.
- Overly generic code: sometimes developers write code in a way that it can be used for a number of different use cases. This flexibility often results in vulnerabilities when malicious users discover unforeseen use cases nobody expected.
- Dynamic code generation: in some instances, ABAP code can be generated and executed at runtime. These test patterns check if such risky practices are used and if they are exploitable.
- Open SQL injection: this coding defect allows malicious users to manipulate OSQL statements. This can result in information disclosure and manipulation of arbitrary data in the SAP database.
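As an added illustration (constructed here, not code from this presentation or from Virtual Forge), the pattern behind a "Missing AUTHORITY-CHECK in Reports" finding like the TC 33 example above: an unchecked table read beside the same read guarded by AUTHORITY-CHECK on the standard FI authorization object F_BKPF_BUK. The report name, the choice of table BKPF and the selection parameter are assumptions for the example.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_DEMO_AUTH_CHECK (constructed example, not SAP's code)
*& Shows why a scanner flags a report that reads business data
*& without an AUTHORITY-CHECK, and the corrected form.
*&---------------------------------------------------------------------*
REPORT zsec_demo_auth_check.

" Constructed selection screen: the user supplies a company code.
PARAMETERS: p_bukrs TYPE bukrs OBLIGATORY.

" Vulnerable form: the report trusts that whoever can start it
" may read every company code. Any user able to run the report
" (e.g. via SE38/SA38) receives the accounting document headers.
FORM read_unchecked.
  DATA: lt_bkpf TYPE STANDARD TABLE OF bkpf,
        lv_cnt  TYPE i.
  SELECT * FROM bkpf INTO TABLE lt_bkpf
    WHERE bukrs = p_bukrs.            " no authorization verified
  lv_cnt = lines( lt_bkpf ).
  WRITE: / 'Unchecked rows:', lv_cnt.
ENDFORM.

" Hardened form: verify the caller's authorization on the standard
" FI object F_BKPF_BUK (company code + activity) before the SELECT
" and fail closed if the check does not pass.
FORM read_checked.
  DATA: lt_bkpf TYPE STANDARD TABLE OF bkpf,
        lv_cnt  TYPE i.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.            " 03 = display
  IF sy-subrc <> 0.
    " Error message terminates the report; nothing is read.
    MESSAGE 'No authorization for this company code' TYPE 'E'.
  ENDIF.
  SELECT * FROM bkpf INTO TABLE lt_bkpf
    WHERE bukrs = p_bukrs.
  lv_cnt = lines( lt_bkpf ).
  WRITE: / 'Checked rows:', lv_cnt.
ENDFORM.

START-OF-SELECTION.
  " Only the guarded variant is executed; read_unchecked is kept
  " solely to show the construct a security scanner reports.
  PERFORM read_checked.
```

The same fail-closed structure applies to any privileged action a report performs (transaction calls, file access, table updates): the check belongs before the action, not after it.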
Get Secure

- Implementation of Virtual Forge CodeProfiler* and conducting regular code scans
- Creation of agreed procedures and guidance on how to fix potential security gaps
- Analysis and remediation of security-related issues identified by the Virtual Forge CodeProfiler* for the four core SAP Global IT business systems
- Analysis and remediation of security-related issues identified by the Virtual Forge CodeProfiler* for all SAP Global IT business systems

Stay Secure

- SAP Global IT Secure Development Framework: rules and standards for the development of ABAP code
- Secure ABAP development training for developers at Global IT, teaching how to develop secure ABAP code
- Full integration of security checks into the ABAP development workbench, with high usability for developers and quality experts, using the ABAP Test Cockpit (ATC)
- Perform security checks during transport release (Q-Gate) to avoid new security-related issues in production
[Diagram labels: Project Level; Structural Level; Automat. Monitoring; Automat. Periodization]
- Different checks, messages, priorities
- Different code checks before release of transports
- No common base for QM and developer perspective
- No central point to overview the quality of custom code
2012 SAP AG. All rights reserved.
Test Domains: Security & Compliance

- Allows prioritizing countermeasures by categorizing all findings
- Establishes a baseline security level for all ABAP-based business applications
- Integration into ABAP Test Cockpit and Transport Management System
- High number of test domains and test cases
Thank You!
A collaboration of: SAP Global IT and SAP Product Management for Security, Identity Management and Single Sign-On
Backup
[System landscape diagram labels: DEV, QAS, PSS, FQA, PRD]
The ABAP Test Cockpit (ATC) is a tool for performing static and dynamic quality checks of ABAP code and associated repository objects.
The ATC is now available with EhP2 for SAP NetWeaver 7.0 with support package stack 12. Additionally, the ATC is planned for SAP NetWeaver AS ABAP 7.03 support package stack 5.
- SAP NetWeaver 7.31 Support Package 5 (planned)
- SAP NetWeaver 7.32 initial release