
Reliable SAP ® Applications


Presentation Transcript


  1. Reliable SAP® Applications. We protect your ABAP™ Code: Security, Compliance, Performance, Maintainability & Robustness

  2. About Virtual Forge • CodeProfiler – Protecting your ABAP™ Code • CodeProfiler – Approach and Test Domains • Technology Integration (SAP TMS/ChaRM, SAP BI, IBM) • CodeProfiler – Certification and References • Professional Services • Summary & Discussion

  3. 1. About Virtual Forge

  4. History & Facts • Founded in 2001, headquarters in Heidelberg, Germany • Privately held • Long-term development & consultancy expertise in the area of • SAP® security audits • SAP design and code reviews • SAP penetration testing • SAP Trusted Technology Partner • Unique solution Virtual Forge CodeProfiler (1.0 in 2008) • Data and Control Flow Analysis • Automated testing of ABAP™, ABAP Objects, BSP, Web Dynpro ABAP • Security, Compliance, Performance, Maintainability, Robustness • Book “Sichere ABAP-Programmierung”, SAP Press 2009 • Leading Industry Guideline for ABAP Development and Maintenance • Virtual Forge GmbH

  5. Vision and Promise • Virtual Forge is the leading provider of code security and quality solutions in SAP® environments. • We help our clients as a trusted advisor to • identify code security & quality gaps. • prioritize these gaps for mitigation and resolve them. • significantly improve their SAP environment. • We are able to offer our clients the latest and market-leading expertise through a clear focus on first-class research in SAP code security & quality. • SAP’s internal ABAP™ development uses Virtual Forge CodeProfiler in its security and quality processes. Thus, our clients benefit from first-hand experience from the world’s largest SAP development projects. • Virtual Forge GmbH

  6. 2. CodeProfiler – Protecting your ABAP™ Code

  7. Identify, prioritize, and mitigate issues in your ABAP™ Code. Worldwide, more than 176,000 organizations of all sizes and industries depend on SAP solutions and services to run their business, which makes SAP solutions highly critical. • More than 90% of SAP applications are written in ABAP. • Custom development adds specific functionality to applications • Often no requirements for non-functional aspects • No testing beyond functional testing • Consequence: unknown risks in ABAP applications • Protecting your SAP® applications

  8. CodeProfiler – delivering a Business Case in key areas • How we help our Clients

  9. Securing high risk areas in SAP® infrastructures • Protection by CodeProfiler

  10. Asset Flow Analysis • CodeProfiler determines whether critical data leaves the boundaries of a trusted environment (asset flow analysis). • Three simple steps • You define critical data (HR data, credit card numbers, etc.). • Conduct a CodeProfiler scan against the target application: the results show where critical data is accessed and written to an external context • Review the findings, assess the risk, and mitigate potential backdoors • Data Loss Prevention

  11. 3. CodeProfiler – Approach & Test Domains

  12. Data and Control Flow Analysis CodeProfiler uses data and control flow analysis in combination with a comprehensive rule set that covers many data sources and dangerous ABAP™ statements. Data flow analysis is a technique that first identifies data sources, i.e. points in the code where (external) data is read into variables. It then analyzes whether there are any connections between a data source and a potentially dangerous statement. Any identified connection (data flow) indicates that the dangerous statement is most likely exploitable. In addition to data and control flow analysis, CodeProfiler applies further sanity tests such as type checks, authority checks, usage of regular expressions, etc. As a result, the findings can be prioritized and the efficiency of the mitigation process improved. • CodeProfiler Engine

  13. Data and Control Flow Analysis (diagram, steps 1–4) • CodeProfiler Engine

  14. Security This domain covers test cases related to classical security defects, i.e. code with hidden side effects that can be misused by an attacker. Visit http://www.bizec.org for application security risks related to business applications. Test cases – Examples: ABAP Command Injection • Directory Traversal • Cross-Site Scripting • Missing AUTHORITY-CHECK • Phishing • SQL Injection • Test domain – Security

  15. Code Sample • BIZEC APP/11 APP-01 (http://www.bizec.org) ABAP Command Injection: coding that dynamically creates and executes arbitrary ABAP programs based on user input on a productive system. • Protection by CodeProfiler
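As an added illustration of the data flow analysis described on slide 12 and the ABAP command injection case on slide 15 (example code written for this page, not CodeProfiler's engine): a toy taint tracker that walks a constructed, simplified ABAP-like listing, marks variables fed by a data source (PARAMETERS), propagates taint through assignments and APPEND, and reports any flow into a code-generating sink, lowering the priority when an AUTHORITY-CHECK precedes the sink. The statement subset, source/sink lists and sample listing are assumptions; real ABAP needs a full parser.

```python
import re

# Constructed sample (not from the page): user input flows into generated ABAP code.
SAMPLE = """\
PARAMETERS p_code TYPE string.
DATA: lv_line TYPE string, lt_code TYPE TABLE OF string.
lv_line = p_code.
APPEND 'REPORT zgen.' TO lt_code.
APPEND lv_line TO lt_code.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
SELECT * FROM usr02 INTO TABLE lt_users."""

# Simplified statement patterns (assumed subset; a real engine parses full ABAP).
SOURCE = re.compile(r"^PARAMETERS\s+(\w+)", re.I)              # external input
ASSIGN = re.compile(r"^(\w+)\s*=\s*(\w+)\.$")                   # var = var.
APPEND = re.compile(r"^APPEND\s+(\w+)\s+TO\s+(\w+)\.$", re.I)   # line -> table
SINK = re.compile(r"^(GENERATE SUBROUTINE POOL|INSERT REPORT \S+ FROM)\s+(\w+)", re.I)
AUTH = re.compile(r"^AUTHORITY-CHECK\b", re.I)                  # sanity test

def analyze(src):
    """Return findings as (sink line, statement, flow path lines, priority)."""
    taint = {}        # variable -> line numbers on the path from its source
    guarded = False   # has an AUTHORITY-CHECK been seen before the sink?
    findings = []
    for no, raw in enumerate(src.splitlines(), 1):
        stmt = raw.strip()
        if m := SOURCE.match(stmt):
            taint[m[1]] = [no]                       # new data source
        elif m := ASSIGN.match(stmt):
            if m[2] in taint:                        # propagate through copy
                taint[m[1]] = taint[m[2]] + [no]
        elif m := APPEND.match(stmt):
            if m[1] in taint:                        # propagate into table
                taint[m[2]] = taint[m[1]] + [no]
        elif AUTH.match(stmt):
            guarded = True
        elif m := SINK.match(stmt):
            if m[2] in taint:                        # source -> sink connection
                prio = "medium" if guarded else "high"
                findings.append((no, stmt, taint[m[2]] + [no], prio))
    return findings

if __name__ == "__main__":
    for no, stmt, path, prio in analyze(SAMPLE):
        print(f"line {no}: {stmt}  flow {path}  priority {prio}")
```

The reported path (source line, each propagation step, sink line) is the "connection" the slide refers to; the SELECT on the last line produces no finding because nothing tainted reaches it.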

  16. Compliance This domain introduces test cases related to compliance defects, i.e. coding practices that bypass an important security mechanism in the SAP® standard. Test cases – Examples: Hard-coded User Name (sy-uname) • Cross-Client Access to Business Data • Hidden ABAP Code • Test domain – Compliance

  17. Performance This domain includes test cases that identify coding practices that have adverse effects on the performance of an SAP® system. Test cases – Examples: Usage of WAIT Command • Database Modifications in a Loop • SELECT Statement in a Loop • Usage of LIKE Clause • Missing WHERE Restriction in SELECT Statement • Nested SELECT Statement • Test domain – Performance

  18. Maintainability This domain contains test cases that analyze the ABAP™ coding for issues that make the code difficult to maintain. Factors that reduce maintainability include • Coding that is difficult to understand for a developer new to the project. • Coding with a complex structure. • Poor documentation. Test cases – Examples: Empty Block • Empty Module • Overlong Module • Test domain – Quality (Maintainability)

  19. Robustness This domain provides test cases that check for ABAP™ coding practices which jeopardize the reliable execution of a business application. An important benefit of robust code is business continuity: robust code reacts to error conditions in a controlled, reliable and predefined way. Test cases – Examples: Insufficient Error Handling (TRY/CATCH) • Incomplete CASE Statement • Recursion (Immediate) • Test domain – Quality (Robustness)

  20. Beyond “Maintainability” and “Robustness”, the test group “Code Quality” now also covers the frequently requested check for “Naming Conventions” • Application-specific rules • Different naming conventions per package • Validity timeframe (from / to): legacy and new code can be checked without conflicts with the applicable rules • The naming conventions can be seamlessly integrated into the automated TMS/ChaRM “code firewall”. • Naming Conventions

  21. Naming Conventions

  22. CodeProfiler 3.1 • Status Quo: Getting Secure – as developer or auditor; analysis of transports; batch scheduling (SM37/SM36) • TMS/ChaRM Integration: Staying Secure – automatic scan of transports (SE10); approval workflow (enforcement of requirements) • Work with Findings: Mitigation – Finding Manager (review, qualification and correction in SE80)

  23. Predefined Roles, Menus and Authorization Objects

  24. Configuration: Test Group Definition

  25. Packages, individual ABAP™ Object Types, or Transports • CodeProfiler Analysis

  26. Batch Scheduling (SM36/SM37)

  27. The executive summary report (PDF) contains a prioritized list of all discovered issues. This list provides immediate feedback on current business risks at code level. Following the executive summary, the full PDF report (or result navigation in the Finding Manager) contains detailed information about each finding, grouped by test cases. Each test case starts with general information about the respective issue: • Introduction • Business Risk • Detailed Explanation • Example Vulnerability • Solution in General • Solution Example In addition to the general information, the report lists details for all discovered issues. • Result Navigation

  28. Finding Manager, Forward-Navigation to SE80 • Working with Scan Results

  29. CodeProfiler finds and prioritizes Security Issues and other Findings

  30. 4. Technology Integration

  31. The integration into the SAP Transport Management System (TMS) enables you to check transports with CodeProfiler automatically before the actual release, on task level as well as on transport level (or both). You can then release them or, if required, re-route them to a defined exception handling process. The automated check before importing code into an existing system (development, consolidation, production) can be carried out in the same way as the check during the release phase. From a technology point of view, it does not make a difference whether one or more SAP systems are connected. CodeProfiler supports the common transport and release mechanisms, such as the Transport Management System (TMS), Change Request Management (ChaRM), the Change and Transport System (CTS), as well as CTS plus. Integration with additional tools such as theGuard! TransportManager by REALTECH, Transport Express by Basis Technologies, or other products is possible. The Virtual Forge CodeProfiler standard shipment includes a preconfigured SAP workflow (notification and approval workflow) for release, QA and exception processes. • Integration in Development Process

  32. TMS/ChaRM Integration (diagram: Development D60 EhP4, Test/QA Q60 EhP4, Production P60 EhP4; CodeProfiler as TMS gatekeeper, requirements paper, exception via QA)

  33. Governance & Compliance in Development Process • Approval Workflow (diagram nodes: Developer – Develop, Release, Change; CodeProfiler – Parse, Okay / False; TMS – Transport; QA / PL – Review Request, Approve, Reject)

  34. Workflow Process: • CodeProfiler allows the transport • CodeProfiler declines the transport • Developer asks the QA instance via the approval workflow for an exception • Yes: the transport is released (compliance: document exceptions) • No: back to development • Simplified Process: • Developer may decide at his own discretion to release the transport although CodeProfiler reported issues • The appropriate approach depends on your requirements • Organization (small, large), Compliance (four-eyes principle) • Reliability / Stability, Speed (fixes, development) • Options of TMS/ChaRM Integration

  35. Flexible Definition of Gatekeeper Functionality • Enforcement of ABAP™ Guidelines

  36. TMS/ChaRM Integration (SE10)

  37. CodeProfiler is often used in large system landscapes in order to monitor the entire code base (legacy and new ABAP code) • To make this more effective, several CodeProfiler instances can now be flexibly assigned to several SAP systems (m x n) • That way, scans can be easily parallelized and high availability of the code audit infrastructure can be achieved • The implementation of a large-scale CodeProfiler infrastructure is now simpler and “built-in” • High Availability

  38. n x m relations between CodeProfiler and SAP® systems • High Availability (diagram: SAP systems SAPD01, SAPD02, SAPQ01, SAPQ02 connected to CodeProfiler servers CPSERVER1, CPSERVER2, CPSERVER3, CPSERVER4 and CPTMSSERV1, CPTMSSERV2)

  39. Dashboard in SAP BI

  40. Dashboard in SAP BI

  41. Scans of Java applications • Technical integration • CodeProfiler is “Ready for Rational”

  42. Triage of findings in your ABAP™ Code • Integration IBM AppScan Source Edition

  43. Drill-Down by Vulnerabilities only (all impact levels) • Integration IBM AppScan Source Edition

  44. Drill-Down by Vulnerabilities (High Impact only) • Integration IBM AppScan Source Edition

  45. ABAP™ analysis with data flow, code details and description • Integration IBM AppScan Source Edition

  46. 5. CodeProfiler – Certification and References

  47. Aiming to expand the quality assurance of SAP® software enhancements, SAP® has licensed the testing software CodeProfiler, developed by the ABAP™ programming language security specialist Virtual Forge. This is the first solution on the market that is designed for static analysis of ABAP™ applications with a specific focus on security and compliance tests. CodeProfiler offers SAP® customers that have developed their own ABAP™ code extensive quality assurance. “Security is important to us and to our customers. It’s good to see that our trusted partner Virtual Forge provides a tool for security test automation. Now all our customers can establish a baseline security level in their ABAP™ code.” SAP® Executive Board Member Gerhard Oswald (2009) • CodeProfiler protects SAP®

  48. CodeProfiler has successfully completed SAP’s integration certification program. • This proves that CodeProfiler is an extremely reliable solution for your SAP environments. • In addition, Virtual Forge is now listed as an official SAP Software Partner. • CodeProfiler is SAP® Certified

  49. Linde – Gases Division

  50. Powered by Virtual Forge CodeProfiler • SAP® Custom Code Security Service
