SAP NetWeaver Application Server, add-on for code vulnerability analysis
Jürgen Adolf, Product Management Security, SAP SE, July 2016
© 2016 SAP SE or an SAP affiliate company. All rights reserved. 2 Customer
Legal disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP's strategy and possible future developments, products and/or platform directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Software security vulnerability situation today
Your software is everywhere. How can you be sure that these highly accessible applications are also highly secure?
Today's business applications have a history:
• Grown over the years
• Complex
• Built on changing requirements
• Created based on different development paradigms
• Optimized for performance
• Extended but not reinvented
The challenge of security
In order to secure an application, all of its components, functions, infrastructure and the related threats must be understood.
In order to break an application, only one flaw in any of its components, functions or the infrastructure may be enough.
Problem
• Each new technology adds the risk of new vulnerabilities.
• Firewalls, intrusion detection systems, signatures and encryption are not sufficient to make applications secure.
Security failures create big problems
Security failures can result in:
• Negative publicity
• Brand damage
• Lost revenue
• Legal consequences
• Penalties
A significant number of application security breaches are occurring each month around the globe.
See: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Approach today: expensive + reactive
1. Somebody builds insecure software (in-house, outsourced, commercial, open source)
2. IT deploys the insecure software
3. Breach or pen test proves our code is bad
4. We convince and pay developers to fix it ($ $ $)
Application security testing solutions at SAP
DAST (Dynamic Application Security Testing): find vulnerabilities in the running application
• Manual application penetration testing
• Automated application vulnerability scanning
SAST (Static Application Security Testing): find vulnerabilities by analyzing the sources
• Manual source code review
• Automated source code analysis: SAP NetWeaver Application Server, add-on for code vulnerability analysis & SAP Fortify by HPE
Enterprise application security best practice from SAP
SAP Development runs security tests on all SAP applications and code delivered by SAP.
• SAP performs analysis on approximately 178 million lines of non-ABAP code using SAP Fortify by HPE.
• SAP Development uses SAP CVA to scan more than 500 million lines of ABAP code before delivery to our customers.
Systems at SAP SE: ~500 SAP cloud development systems, ~40 SAP internal business systems, ~8,500 SAP on-premise software development systems.
SAP ABAP test framework: ABAP Test Cockpit
ABAP Test Cockpit
The ABAP Test Cockpit (ATC) is the single entry point to the static check tools:
• SAP Code Vulnerability Analyzer (SLIN_SEC)
• SAP Code Inspector (SCI)
• Extended Program Check (SLIN)
• Syntax Check (Check, SE80)
Benefits
• Single point of entry for all static code check tools
• Integration in ABAP development workbench with high usability for developers and quality experts
• Support for essential QA techniques like Q-Gates and regression testing in a consolidation system
• Transport control via check runs before transport
• Exemption process to handle findings effectively
• Prioritization of automated test cases
ATC configuration
Using ATC configuration, you can define:
• the ATC master system
• the checks to be used as default
• whether exemptions are enabled or disabled
• the behavior of the transport subsystem in case of failing ATC checks of transports
ABAP Test Cockpit integrated into the ABAP IDE
Example for a development landscape
Development System 1 and Development System 2 deliver into a Consolidation System. Use ONE quality standard for Q-Gates.
• Development systems: developers run static/unit/scenario tests on their objects; periodic check runs validate the code of a development team.
• Quality-Gate in each development system: check during transport release.
• Quality-Gate in the consolidation system: mass check run and consolidation test.
• Consolidation system: Q-experts run mass checks and distribute the results.
Features for developers
Developer tasks: checks code during development and transport release; corrects bugs; requests exemptions for false positives.
ATC features:
• Start ATC within different ABAP workbench tools: SE80, SE24, SE38, SE11, ...
• ATC automatically runs during release of transport requests
• Easy access to central ATC results in the development systems
• User-centric display of ATC results, incl. powerful filter, navigation, re-check, ...
Features for quality experts
Quality expert tasks: defines commonly used check variant; monitors quality of the whole code base; approves exemptions.
ATC features:
• Exemption approval process
• E-mail ATC result to "responsible" contact person
• Statistics showing aggregation of ATC findings using different criteria
• Execution of ABAP Unit tests
ATC administration
Administrator tasks: configures ATC in development and consolidation systems; monitors execution of ATC check runs and regular jobs.
ATC features:
• Powerful parallelization engine to run mass tests very effectively
• Restart capability in case of a canceled/crashed ATC run
• Possibility to schedule regular ATC runs
• Powerful monitoring tool and flexible logging
• Distribute ATC results to multiple target systems (e.g. from consolidation to development systems)
Application security testing: SAP NetWeaver AS, add-on for code vulnerability analysis
SAP NetWeaver AS, add-on for code vulnerability analysis features
Increased security for your applications:
• Integrated into standard ABAP development infrastructure
• Extensive documentation to support developers in fixing issues found
• Priority of each check can be adjusted to match the requirements
• Exemption workflows to ease handling of false positives
• Reduced false-positive rate by data flow analysis
• Remote scans with SAP NW AS ABAP 7.50
• Integration with other scanning tools
• Supports automation requirements of quality assurance teams
Integrated into standard developer tools
• Based on the integration into the ABAP Test Cockpit, the code checks can easily be launched from most developer tools like SE80, SE38 and more.
• You can launch checks not only for single objects but also for groups of objects.
Requirements of quality assurance teams
• Scheduled runs of automated tests
• Automated test runs on transport requests
• Automatic notifications sent on test failure
• Aggregated check results including trend analysis
Priority of each check can be adjusted to match the requirements
• Ability to control the priority of every single finding
• Take into account your own risk and security requirements
• Possibility of a phased approach: enabling security checks over time leads to higher acceptance by developers
Supporting the developer in fixing the code
• Detailed documentation of detected issues
• Explanation of the nature of the weakness
• Information on how to avoid and fix the findings
• Support for direct navigation to the location in the sources, the related documentation and the workflow to create an exemption
Reduced false-positive rate by data flow analysis
• Are there input parameters available?
• Analysis on the level of a compilation unit: global class, function group, program
Exemption workflows to ease handling of false positives
Remote security checks
Central check system (SAP_BASIS ≥ 7.50): runs CVA and ATC. Analyzed system (planned: SAP_BASIS ≥ 7.00): only a stub that gives access to the ABAP repository.
• Configuration of checks and administration of check runs takes place in the central check system
• The stub can be installed through an SAP Note. No upgrade, no SP prerequisite in analyzed systems
• Recommendation: use the central check system for CVA only
  No dependencies on other software components
  You can easily implement support packages and upgrades
  Easy consumption of new or enhanced security checks
Integration with other code scanning tools
• Interface to export findings to reporting tools
• Integration with SAP Fortify by HPE
  Complements and extends SAP NetWeaver Application Server, add-on for code vulnerability analysis
  Works with other SAP Quality Assurance Solutions to optimize your current investment
  Supports various programming languages
Architecture overview
(The slide builds the diagram up step by step; the complete picture contains the following components and relations.)
• ABAP Developer and Quality Expert work in the ABAP Workbench.
• The ABAP Workbench contains the ABAP Editors and the ABAP Test Cockpit (ATC), which checks the ABAP Source Code.
• ATC executes the Code Inspector Checks and the SLIN Security Checks.
• ATC records Check Results and Exemptions.
• Transport Management calls ATC during transport release.
Introductory example: SQL Injection
The SET clause of a dynamic UPDATE is built from the input field street (only the relevant fragment is shown):
Input for street:
xyz' salary = '1500
Resulting set_expr:
STREET = 'xyz' salary = '1500'
Effective statement:
... SET STREET = 'xyz' salary = '1500'
How the code analysis works
1. There is an input field
2. There is a potentially dangerous statement
3. There is a data flow between the input field and the dangerous statement
The Code Analyzer searches for potentially vulnerable statements where the input comes from untrusted sources. Only such occurrences are reported!
Corrected program
The value of street is passed through a method that adds ' ' around the value and escapes every ' within the value before it is used in the set_expr.
Note: phone is an integer type and does not need to be escaped.
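The following Python program is an added illustration; it is not SAP code and not the program shown in the slide screenshots. It models the three conditions of the analysis above (input field, dangerous statement, data flow between them) on a tiny invented statement language, reproduces the set_expr of the introductory SQL injection example with and without the quoting method of the corrected program, and also covers the earlier point "Reduced false-positive rate by data flow analysis": a dangerous statement with no flow from an input is not reported. The statement tuples, the function names and the assumption that the corrected program's quoting method behaves like ABAP's CL_ABAP_DYN_PRG=>QUOTE are mine; check number 1112 is the one the deck lists for the UPDATE SET clause check.

```python
# Added example (not SAP code): toy data-flow analysis for the three conditions
# on the "How the code analysis works" slide, plus the quoting fix of the
# "Corrected program" slide.  The mini-language below is invented.
from dataclasses import dataclass

# Statements of the invented mini-language (one tuple per statement):
#   ("input", var)          var is filled from an untrusted source (screen field, RFC parameter)
#   ("assign", dst, srcs)   dst is built by concatenating the variables in srcs
#   ("quote", dst, src)     dst = quote(src): the sanitization of the corrected program
#   ("update_set", var)     UPDATE ... SET (var): the potentially dangerous statement


@dataclass(frozen=True)
class Finding:
    check: str      # check number as listed in the deck
    line: int       # 1-based statement index
    variable: str   # tainted variable reaching the dangerous statement


def quote(value: str) -> str:
    """Return value as an SQL literal: wrapped in single quotes with every embedded
    quote doubled.  Mirrors what the slide says the corrected program's method does
    (assumption: that method is CL_ABAP_DYN_PRG=>QUOTE)."""
    return "'" + value.replace("'", "''") + "'"


def build_set_expr(street: str, sanitized: bool) -> str:
    """Build the dynamic set_expr of the example.  sanitized=False pastes the input
    between quotes as the vulnerable program does; sanitized=True uses quote()."""
    literal = quote(street) if sanitized else "'" + street + "'"
    return "STREET = " + literal


def analyze(program):
    """Report a finding only when all three conditions hold: (1) an input field
    exists, (2) a dangerous statement exists, (3) a data flow connects them."""
    tainted = set()
    findings = []
    for lineno, stmt in enumerate(program, start=1):
        kind = stmt[0]
        if kind == "input":
            tainted.add(stmt[1])
        elif kind == "assign":
            dst, srcs = stmt[1], stmt[2]
            if any(src in tainted for src in srcs):
                tainted.add(dst)          # taint propagates through concatenation
            else:
                tainted.discard(dst)
        elif kind == "quote":
            tainted.discard(stmt[1])      # a quoted value can only ever be one literal
        elif kind == "update_set":
            if stmt[1] in tainted:
                findings.append(Finding("1112", lineno, stmt[1]))
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return findings


# Three constructed programs exercising the three conditions.
VULNERABLE = [
    ("input", "street"),                 # condition 1: input field
    ("assign", "set_expr", ["street"]),  # condition 3: data flow into set_expr
    ("update_set", "set_expr"),          # condition 2: dangerous statement
]
CORRECTED = [
    ("input", "street"),
    ("quote", "street_lit", "street"),   # sanitization right before the critical statement
    ("assign", "set_expr", ["street_lit"]),
    ("update_set", "set_expr"),
]
NO_INPUT = [
    ("assign", "set_expr", []),          # constant set_expr, no untrusted source
    ("update_set", "set_expr"),          # dangerous statement without data flow: not reported
]

if __name__ == "__main__":
    example_input = "xyz' salary = '1500"      # the input from the introductory example
    print(build_set_expr(example_input, sanitized=False))  # STREET = 'xyz' salary = '1500'
    print(build_set_expr(example_input, sanitized=True))   # STREET = 'xyz'' salary = ''1500'
    for name, prog in [("vulnerable", VULNERABLE), ("corrected", CORRECTED), ("no input", NO_INPUT)]:
        print(name, analyze(prog))
```

Running the file prints the two set_expr variants and the findings per program: the vulnerable program yields one 1112 finding, the corrected program none because the quoted value is no longer tainted, and the constant program none because condition 1 is not met. Placing the quote() call directly before the UPDATE is the "sanitization as close as possible to the critical statement" rule from the recommendations at the end of the deck.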
Security checks in detail: Overview of available checks
OWASP top 10 coverage
• A1 Injection: Yes
• A2 Broken Authentication and Session Management: Handled by applications
• A3 Cross Site Scripting: Yes
• A4 Insecure Direct Object References: Yes
• A5 Security Misconfiguration: Handled by configuration validation
• A6 Sensitive Data Exposure: Yes
• A7 Missing Function Level Access Control: Yes
• A8 Cross Site Request Forgery (CSRF): Yes
• A9 Using Known Vulnerable Components: Yes
• A10 Unvalidated Redirects and Forwards: Yes
Link: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
BIZEC APP11 coverage
• APP-01 ABAP Command Injection: Yes
• APP-02 OS Command Injection: Yes
• APP-03 Native SQL Injection: Yes
• APP-04 Improper Authorizations: Yes
• APP-05 Directory Traversal: Yes
• APP-06 Direct Database Modifications: Yes
• APP-07 Cross-Client Database Access: Yes, Code Inspector check
• APP-08 Open SQL Injection: Yes
• APP-09 Generic Module Execution: Yes
• APP-10 Cross-Site Scripting: Yes
• APP-11 Obscure ABAP Code: Yes
Link: http://www.bizec.org/wiki/BIZEC_APP11
Overview of available checks
Security checks:
• SQL Injection (Open SQL)
• SQL Injection (ADBC)
• Code Injection (ABAP)
• Call Injection
• OS Command Injection
• Directory Traversal
• Backdoors & Authorizations
• Web Exploitability
Overview of the available checks
- SQL Injection (Open SQL) -
Manipulation of dynamic Open SQL
• Potential manipulation of the dynamic WHERE condition (1101)
• Potential manipulation of a dynamic WHERE condition using the parameter I_FILTER of the object services method CREATE_QUERY (1122)
• Potential manipulation of the SET clause in the statement UPDATE (1112)
• Potential read performed on an illegal database table in a SELECT statement (1118)
• Potential read performed on an illegal database table in a modifying Open SQL statement (1120)
• Potential read performed using an invalid secondary database connection in an Open SQL statement (1121)
• Potential read performed on invalid table columns (1114)
• Potential use of illegal columns in a dynamic GROUP BY clause (1116)
• Potential use of illegal columns in a dynamic HAVING clause (1117)
Overview of the available checks
- SQL Injection (ADBC) -
Manipulation of SQL statements
• Potential injection of harmful SQL statements or clauses in execution of DDL statements in ADBC (1128)
• Potential injection of harmful SQL statements or clauses in execution of DML statements in ADBC (1130)
• Potential injection of malicious SQL statements or clauses when calling an appropriate API (11D1)
Overview of the available checks
- Code Injection (ABAP) -
Manipulation of ABAP code created dynamically
• Potential injection of harmful code in the statements INSERT REPORT and GENERATE SUBROUTINE POOL (1108)
• Potential manipulation of the dynamic WHERE condition in an internal table (1190)
• Potential injection of harmful code when the RFC-enabled function module RFC_ABAP_INSTALL_AND_RUN is called (1109)
Overview of the available checks
- Call Injection -
Manipulation in dynamic calls
• Dynamic CALL TRANSACTION without whitelist check and/or without authorization check (1142 / 114E / 114F / 114G)
• Potential call of an unwanted transaction using the statement LEAVE TO TRANSACTION (1143)
• Potential call of an illegal program using the statement SUBMIT (1141)
• Potential call of an invalid function module using RFC (1140)
• UI-driven or RFC-driven dynamic call of a function module (1144)
• Static CALL TRANSACTION without whitelist check and/or without authorization check (114A / 114B / 114C / 114D)
• C function call with names as potential user input (1171)
• Statement COMMUNICATION used (11C1)
Overview of the available checks
- OS Command Injection -
Injections of operating system commands
• Statement CALL 'SYSTEM' used (1170)
• Potential manipulation in the FILTER addition of the statement OPEN DATASET (1106)
• FILTER addition of the statement OPEN DATASET used (1107)
Overview of the available checks
- Directory Traversal -
Access to illegal directories and files
• Potential manipulation of the file name in the statement OPEN DATASET or DELETE DATASET (1104)
• Potential manipulation of the file name in the method CREATE_UTF8_FILE_WITH_BOM of the class CL_ABAP_FILE_UTILITIES (1124)
• Non-secure parameter of the function module FILE_GET_NAME or FILE_VALIDATE_NAME used (1126)
Overview of the available checks
- Backdoors & Authorizations -
Weak authorization checks or user administration bypassed
• Hard-coded user name, possibly from undeleted test code or an indication of a back door (0821)
• Hard-coded host name sy-host, possibly from undeleted test code or an indication of a back door (11S1)
• Hard-coded system ID sy-sysid, possibly from undeleted test code or an indication of a back door (11S2)
• Hard-coded client sy-mandt, possibly from undeleted test code or an indication of a back door (11S3)
• System variable sy-xxxx compared with a hard-coded value, from forgotten test code or possibly indicating a back door (11S4)
• SY-SUBRC not evaluated after the statement AUTHORITY-CHECK (1160)
• SY-SUBRC not evaluated after switchable authorization check (1161)
• AUTHORITY-CHECK with explicit user name (1180)
• AUTHORITY-CHECK with explicitly specified user name sy-uname (1181)
• SY-SUBRC not handled after a security-relevant function was called (1165)
• Static CALL TRANSACTION without or with possibly insufficient authorization check (114A, 114B, 114C, 114D)
• FILTER addition of the statement OPEN DATASET used (1107)
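As an added illustration (not SAP's code, and not how the product implements these checks), here is a simplified line-based version of three checks from this list, run over a constructed ABAP fragment: 0821 (hard-coded user name), 11S3 (hard-coded client sy-mandt) and 1160 (SY-SUBRC not evaluated after AUTHORITY-CHECK). The regular expressions, the one-statement-per-line assumption and the sample code are mine; the real checks work on parsed statements and data flow and cover many more variants than shown here.

```python
# Added example (not SAP code): toy, line-based versions of checks 0821, 11S3
# and 1160 from the "Backdoors & Authorizations" list, run over constructed
# ABAP lines.  Check numbers are those the deck lists; the matching rules are
# a deliberate simplification.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str   # check number as listed in the deck
    line: int    # 1-based line number in the scanned source
    text: str    # offending statement


# sy-uname / sy-mandt compared with a hard-coded literal, e.g. IF sy-mandt = '000'.
HARDCODED = re.compile(
    r"\bsy-(?P<field>uname|mandt)\s*(?:=|<>|EQ|NE)\s*'[^']*'", re.IGNORECASE)
AUTH_CHECK = re.compile(r"^\s*AUTHORITY-CHECK\b", re.IGNORECASE)
SUBRC = re.compile(r"\bsy-subrc\b", re.IGNORECASE)
CHECK_FOR_FIELD = {"uname": "0821", "mandt": "11S3"}


def strip_comment(line: str) -> str:
    """Remove a full-line comment (* in column 1) or a trailing " comment.
    Simplification: a " inside a '...' literal is not handled."""
    if line.startswith("*"):
        return ""
    return line.split('"', 1)[0]


def run_checks(source: str):
    """Apply the three simplified checks to ABAP source, one statement per line."""
    lines = [strip_comment(raw) for raw in source.splitlines()]
    findings = []
    for idx, line in enumerate(lines):
        lineno = idx + 1
        match = HARDCODED.search(line)
        if match:
            check = CHECK_FOR_FIELD[match.group("field").lower()]
            findings.append(Finding(check, lineno, line.strip()))
        if AUTH_CHECK.match(line):
            # 1160: the statement that follows AUTHORITY-CHECK must evaluate sy-subrc.
            following = next((l for l in lines[idx + 1:] if l.strip()), "")
            if not SUBRC.search(following):
                findings.append(Finding("1160", lineno, line.strip()))
    return findings


# Constructed sample, not taken from any real system.
SAMPLE = """\
* constructed fragment for the toy checks
AUTHORITY-CHECK OBJECT 'S_TABU_DIS' ID 'ACTVT' FIELD '02'.
WRITE 'table maintenance'.
IF sy-uname = 'DEVELOPER'.
  SKIP.
ENDIF.
IF sy-mandt = '000'.
  SKIP.
ENDIF.
AUTHORITY-CHECK OBJECT 'S_DEVELOP' ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  RETURN.
ENDIF.
"""

if __name__ == "__main__":
    for f in run_checks(SAMPLE):
        print(f"{f.check} line {f.line}: {f.text}")
```

On the sample the first AUTHORITY-CHECK is reported (1160) because the WRITE that follows it ignores sy-subrc, the two IF statements are reported as 0821 and 11S3, and the second AUTHORITY-CHECK is clean because the next statement evaluates sy-subrc. The ATC exemption workflow described earlier is the place to document any of these that turn out to be intentional.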
Overview of the available checks
- Web Exploitability -
Possible attacks using Web technologies
• Obsolete escape method used (1150)
• Potential risk of cross-site scripting (1132)
• Potential unvalidated URL redirect (11P1)
• Missing content check during HTTP upload (11F1)
Checks specific to Business Server Pages
• forceEncode="enabled" not specified for htmlb:content (1151)
• Obsolete design or no design specified for htmlb:content (1152)
• The BSP application is not protected against XSRF (11RF)
Release availability
ABAP Test Cockpit
• ATC is the standard ABAP check framework at SAP
• The ABAP Test Cockpit (ATC) is a tool for doing static and dynamic quality checks of ABAP code and associated repository objects
• ATC is based on Code Inspector. Very easy migration: just re-use your current global Code Inspector check variant
• ATC is available as part of:
  SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 12
  SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 05
  SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 05
  SAP NetWeaver AS ABAP 7.4
SAP NetWeaver AS, add-on for code vulnerability analysis
• Developed by the team creating the ABAP language
• Tightly integrated into standard ABAP development & testing infrastructure
• Successfully used for years in SAP standard software development
• Successfully piloted and used by customers
• SAP NetWeaver AS, add-on for code vulnerability analysis is available as of:
  SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 14
  SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 09
  SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 09
  SAP NetWeaver AS ABAP 7.4 Support Package 05 and later releases
  SAP NetWeaver AS ABAP 7.5 including the new remote check framework
Summary
Recommendations
• Always have security in mind when developing software!
  It's best practice to build good software in the first place. Repairing later is far more expensive. And after all, you don't want to put insecure software into productive use.
• Move sanitizations as close as possible to the critical statement!
  The critical statement and the sanitization often depend on the deployed technology. Moreover, the sanitization is automatically reused when the code is reused.
• Use a static code analyzer. Use it every time you change your code!
  Using a static code analyzer is a quick win. Many security problems can be detected right after the code has been written.
• Don't forget dynamic security tests!
  It might be tempting, but you can't rely on static checks alone. There are security issues which a static code checker cannot find, e.g. missing encryption or a missing virus check.
• Train your developers!
  If they don't know of the possible security problems, they can't avoid them. The ABAP keyword documentation can serve as a starting point and has been enhanced for critical statements.
Further Information
SAP NetWeaver Application Server, add-on for code vulnerability analysis
http://wiki.scn.sap.com/wiki/display/ABAP/SAP+NetWeaver+Application+Server%2C+add-on+for+code+vulnerability+analysis
Roadmap presentation: https://service.sap.com/~sapidb/011000358700000256742014E.pdf
ABAP Test and Analysis Tools
http://wiki.sdn.sap.com/wiki/display/ABAP/ABAP+Test+and+Analysis+Tools
ABAP Test Cockpit (ATC)
http://wiki.sdn.sap.com/wiki/display/ABAP/ABAP+Test+Cockpit
SAP Community
http://scn.sap.com/community/security
http://scn.sap.com/community/abap/testing-and-troubleshooting
Thank you
Jürgen Adolf
SAP Product Management Security, SAP SE
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop
or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time
for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-
looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.