
ABAP Custom Code Security

A collaboration of: SAP Global IT & SAP Product Management for Security, IDM & SSO November, 2012

Public

SAP Global IT - ABAP custom code security

1. Introduction / Motivation
2. Custom Code Scanning Project
3. Code Scanning Tools at SAP Global IT

2012 SAP AG. All rights reserved.


Code Security for ABAP-based applications: Tasks and Responsibilities

SAP's responsibility
  Phase 1: Identify security issues
    Task: review a codebase of approx. 280 million lines of code
    Solution: tool-based approach with an ABAP security scanner
  Phase 2: Fix security issues
    Task: process issues in SAP standard code
    Solution: SAP Security Notes (approx. 2400 notes released as of 10/2012); introduction of the SAP Security Patch Day; new Secure Programming Guidelines

Global IT's responsibility
  Phase 1: Identify security issues
    Task: review customer-specific ABAP code
    Solution: tool-based approach with a specialized ABAP security scanner (Virtual Forge CodeProfiler)
  Phase 2: Fix security issues
    Task: implement published Security Notes; remediate potential security gaps in ABAP custom code; regularly search for and implement relevant Security Notes
    Solution: ABAP Source Code Project

Entry points for security questions concerning custom-developed ABAP applications

- Are data protection rules and guidelines violated through security flaws?
- Are compliance guidelines adhered to within the custom applications?
- Get a general overview of code quality with respect to security
- Are business-critical applications and processes sufficiently protected within the custom applications?
- Are there backdoors or malicious code in the customer-specific developments?

Key Message
Ensuring security and compliance of custom-developed code is key. To secure custom-developed ABAP code, a highly automated solution is required. The solution must also support the developers' requirements in their daily work in a convenient way.

SAP Global IT - ABAP custom code security
2. Custom Code Scanning Project

ABAP Custom Code Project

Functionality / characteristics of the static code profiling approach
- Virtual Forge CodeProfiler (VF CP)* uses static ABAP patterns to scan ABAP source code for potential weaknesses and issues.
- Allows prioritizing countermeasures by categorizing all findings by impact and probability
- High number of constantly updated test cases for security checks
- In the scans conducted at Global IT, VF CP* showed a low number of false positives

Key Message / Proceeding (figure): source code is extracted via RFC from the core SAP business systems, scanned by VF CodeProfiler*, and the output is analyzed and documented. Sample finding from the scanner output:
TC 33 Missing AUTHORITY-CHECK in Reports [#46] TID=80, FID=5A66D9C5271AE8E7360B61F5F167B49D5D890A40 Package: Z_BW_CORE, Program: YBW_BW_CALL_STATISTICS

* CodeProfiler is an add-on product from Virtual Forge (www.VirtualForge.com)

CodeProfiler Test Case Examples

Test group / potential impact:

- Missing Authority Checks: ABAP can execute business transactions without privileges. Therefore, whenever ABAP programs call functionality that requires certain privileges to run, an authority check should be made programmatically. Otherwise users might get access to restricted functionality.
- Dangerous ABAP commands: These test patterns check if there are any commands used in an ABAP program that could pose a security threat. Examples are access to files and low-level system commands.
- Backdoors: There are several ways to include backdoors in ABAP programs. They allow malicious developers to secretly access extra functionality by feeding certain triggers to the program.
- Hard-coded user credentials: These test patterns check if there are any hard-coded user credentials in the code.
- Generic Operations: Sometimes developers write code in a way that it can be used for a number of different use cases. This flexibility often results in vulnerabilities when malicious users discover unforeseen use cases nobody expected.
- Command execution: In some instances, ABAP code can be generated and executed at runtime. These test patterns check if such risky practices are used and if they are exploitable.
- SQL Injection: This coding defect allows malicious users to manipulate Open SQL statements. This can result in information disclosure and manipulation of arbitrary data in the SAP database.
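The following report is an added example, not code from this deck, from SAP Global IT or from Virtual Forge. It shows, for two of the test groups above (Missing Authority Checks and SQL Injection), the "before" form that a scanner like CodeProfiler flags and a remediated "after" form. The table ZVENDOR_EXT, its columns and the authorization object Z_VENDOR are hypothetical; CL_ABAP_DYN_PRG is the SAP class for safely assembling dynamic Open SQL fragments (delivered with SAP NetWeaver 7.0 EhP2 and later), and the string templates used require the same release level.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_DEMO_VENDOR_LOOKUP (added example, hypothetical objects)
*& Assumptions: custom table ZVENDOR_EXT (LIFNR, NAME1, BUKRS, IBAN)
*& and custom authorization object Z_VENDOR with fields BUKRS, ACTVT.
*&---------------------------------------------------------------------*
REPORT zsec_demo_vendor_lookup.

TYPES: BEGIN OF ty_vendor,
         lifnr TYPE c LENGTH 10,
         name1 TYPE c LENGTH 35,
         bukrs TYPE c LENGTH 4,
         iban  TYPE c LENGTH 34,
       END OF ty_vendor.

DATA: gt_vendors TYPE STANDARD TABLE OF ty_vendor,
      gv_where   TYPE string,
      gv_pattern TYPE string.

FIELD-SYMBOLS: <ls_vendor> TYPE ty_vendor.

PARAMETERS: p_bukrs TYPE c LENGTH 4 OBLIGATORY,
            p_name  TYPE c LENGTH 35 LOWER CASE.

START-OF-SELECTION.

*----------------------------------------------------------------------*
* BEFORE: flagged as "Missing Authority Checks" and "SQL Injection"
*  - no AUTHORITY-CHECK: anyone who can start the report reads the
*    bank data (IBAN) of every company code
*  - p_name is pasted into the dynamic WHERE clause; the input
*      X' OR NAME1 <> '
*    turns the condition into  ... AND NAME1 LIKE 'X' OR NAME1 <> '%'
*    and returns the whole table
*----------------------------------------------------------------------*
  gv_where = |BUKRS = '{ p_bukrs }' AND NAME1 LIKE '{ p_name }%'|.
  SELECT lifnr name1 bukrs iban FROM zvendor_ext
    INTO TABLE gt_vendors
    WHERE (gv_where).

*----------------------------------------------------------------------*
* AFTER
*  - explicit AUTHORITY-CHECK before the first database access, with
*    sy-subrc evaluated (an ignored sy-subrc is flagged as well)
*  - the company code is bound as a host variable in a static condition
*  - the only dynamic fragment is built with CL_ABAP_DYN_PRG=>QUOTE,
*    which wraps the value in quotes and doubles embedded quotes
*----------------------------------------------------------------------*
  AUTHORITY-CHECK OBJECT 'Z_VENDOR'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.        " 03 = display
  IF sy-subrc <> 0.
    " Type E after START-OF-SELECTION terminates the report.
    MESSAGE e001(00) WITH 'No display authorization for company code' p_bukrs.
  ENDIF.

  gv_pattern = |{ p_name }%|.
  gv_where   = |NAME1 LIKE { cl_abap_dyn_prg=>quote( gv_pattern ) }|.

  SELECT lifnr name1 bukrs iban FROM zvendor_ext
    INTO TABLE gt_vendors
    WHERE bukrs = p_bukrs
      AND (gv_where).

  LOOP AT gt_vendors ASSIGNING <ls_vendor>.
    WRITE: / <ls_vendor>-lifnr, <ls_vendor>-name1, <ls_vendor>-bukrs.
  ENDLOOP.
```

Two points a reviewer would check beyond the scanner finding itself: the authority check has to guard the data actually returned (here the check is on the company code that is also the selection filter, so a user cannot widen the result past what was checked), and the dynamic fragment keeps only the part that genuinely has to be dynamic; everything else stays a static condition with host variables, which Open SQL never interprets as code.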

Custom Code Security at SAP Global IT

Get secure, stay secure

Get Secure
- Implementation of Virtual Forge CodeProfiler* and conduct of regular code scans
- Creation of agreed procedures and guidance on how to fix potential security gaps
- Analysis and remediation of security-related issues identified by the Virtual Forge CodeProfiler* for the four core SAP Global IT business systems
- Analysis and remediation of security-related issues identified by the Virtual Forge CodeProfiler* for all SAP Global IT business systems

Stay Secure
- SAP Global IT Secure Development Framework: rules and standards for the development of ABAP code
- Secure ABAP development training for developers at Global IT, teaching how to develop secure ABAP code
- Full integration of security checks into the ABAP Workbench, with high usability for developers and quality experts, using the ABAP Test Cockpit (ATC)
- Security checks during transport release (Q-Gate) to avoid new security-related issues reaching production

* CodeProfiler is an add-on product from Virtual Forge (www.VirtualForge.com)

SAP Global IT - ABAP Source Code Security Approach

(Figure: Custom Source Code Security Remediation, three levels, each running from scanning through analysis to remediation)

- Project level: holistic custom source code scans; analysis and prioritization of issues; remediation of source code issues
- Structural level: secure programming training; Secure Programming Guide; monitoring of remediation
- Daily operational level: automated scanning; automated periodization; automated monitoring

SAP Global IT - ABAP Custom Code Security
3. Code Scanning Tools at SAP Global IT

Motivation for ABAP Test Cockpit

Different tools, different UIs, different results
- Different checks, messages and priorities
- Different code checks before release of transports
- No common base for the QM and developer perspectives
- No central point to get an overview of the quality of custom code

ABAP Test Cockpit (ATC)

What is it?
- ATC is an ABAP check framework that runs static checks and unit tests for ABAP programs
- ATC is designed to help meet the production standard "Functional Correctness" in the ABAP world
- ATC is fully integrated into the development environment and the transport tools, with instant navigation, documentation and fix recommendations

What are the benefits?
- ATC is the single point of entry for all static code check tools
- ATC includes a four-eye-principle exemption process to handle false-positive findings effectively
- ATC is fully integrated into the ABAP Workbench, with high usability for developers and quality experts
- ATC is not only a check tool but supports essential QA techniques such as Q-Gates or regression testing in a consolidation system

Code Scanning Tools at Global IT

Virtual Forge CodeProfiler (CP)*
- Test domains: Security & Compliance
- Allows prioritizing countermeasures by categorizing all findings
- Establishes a baseline security level for all ABAP-based business applications
- Integration into the ABAP Test Cockpit and the Transport Management System
- High number of test domains and test cases

ABAP Test Cockpit (ATC)
- Check framework and single point of entry for the static check tools listed below

SAP Code Inspector (SCI)
- Additional checks, for example adherence to naming conventions or performance optimization

Extended Program Check (SLIN)
- Performs extended checks, e.g. searching for obsolete ABAP statements

Syntax Check (Check, SE80)
- Checks the syntax and internal semantics of a program

* CodeProfiler is an add-on product from Virtual Forge (www.VirtualForge.com)

Thank You!
A collaboration of SAP Global IT and SAP Product Management for Security, Identity Management and Single Sign-On

Backup

ABAP Test Cockpit

Configuration of the five-system landscape (figure)

Systems: DEV, QAS, PSS, FQA, PRD

- DEV: developers run static / unit / scenario tests on their objects; tasks / transports are scanned
- QAS: Q-experts run mass checks and distribute the results; periodic check runs validate the code of a development team
- PSS / FQA / PRD: full system scans are performed
- One quality standard is used for all Q-Gates

ABAP Test Cockpit

Availability
- The ABAP Test Cockpit (ATC) is a tool for static and dynamic quality checks of ABAP code and associated repository objects.
- The ATC is now available with EhP2 for SAP NetWeaver 7.0 from support package stack 12. Additionally, the ATC is planned for SAP NetWeaver AS ABAP 7.03 from support package stack 5.

The ATC is introduced with the following releases:
- SAP NetWeaver 7.0 EHP2 Support Package 12
- SAP NetWeaver 7.31 Support Package 5 (planned)
- SAP NetWeaver 7.32 initial release

