Reliable SAP® Applications. We protect your ABAP™ Code: Security, Compliance, Performance, Maintainability & Robustness
Agenda
• About Virtual Forge
• CodeProfiler – Protecting your ABAP™ Code
• CodeProfiler – Approach and Test Domains
• Technology Integration (SAP TMS/ChaRM, SAP BI, IBM)
• CodeProfiler – Certification and References
• Professional Services
• Summary & Discussion
History & Facts
• Founded in 2001, headquarters in Heidelberg, Germany
• Privately held
• Long-term development & consultancy expertise in the area of
  • SAP® security audits
  • SAP design and code reviews
  • SAP penetration testing
• SAP Trusted Technology Partner
• Unique solution Virtual Forge CodeProfiler (1.0 in 2008)
  • Data and Control Flow Analysis
  • Automated testing of ABAP™, ABAP Objects, BSP, Web Dynpro ABAP
  • Security, Compliance, Performance, Maintainability, Robustness
• Book “Sichere ABAP-Programmierung”, SAP Press 2009
• Leading Industry Guideline for ABAP Development and Maintenance
Virtual Forge GmbH
Vision and Promise
• Virtual Forge is the leading provider of code security and quality solutions in SAP® environments.
• As a trusted advisor, we help our clients to
  • identify code security & quality gaps,
  • prioritize these gaps for mitigation and resolve them,
  • significantly improve their SAP environment.
• We offer our clients the latest, market-leading expertise through a clear focus on first-class research in SAP code security & quality.
• SAP’s internal ABAP™ development uses Virtual Forge CodeProfiler in its security and quality processes. Our clients therefore benefit from first-hand experience gained in the world’s largest SAP development projects.
Protecting your SAP® applications – Identify, prioritize, and mitigate issues in your ABAP™ Code
Worldwide, more than 176,000 organizations of all sizes and industries depend on SAP solutions and services to run their business, which makes SAP solutions highly critical.
• More than 90% of SAP applications are written in ABAP.
• Custom development adds specific functionality to applications.
• Often there are no requirements for non-functional aspects.
• There is no testing beyond functional testing.
• Consequence: unknown risks in ABAP applications.
How we help our clients – CodeProfiler: delivering a business case in key areas
Protection by CodeProfiler – Securing high-risk areas in SAP® infrastructures
Data Loss Prevention – Asset Flow Analysis
• CodeProfiler determines whether critical data leaves the boundaries of a trusted environment (asset flow analysis).
• Three simple steps:
  • You define critical data (HR data, credit card numbers, etc.).
  • Run a CodeProfiler scan against the target application: the results show where critical data is accessed and written to an external context.
  • Review the findings, assess the risk, and mitigate potential backdoors.
CodeProfiler Engine – Data and Control Flow Analysis
CodeProfiler uses data and control flow analysis in combination with a comprehensive rule set that covers many data sources and dangerous ABAP™ statements. Data flow analysis is a technique that first identifies data sources, i.e. points in the code where (external) data is read into variables. It then analyzes whether there are any connections between a data source and a potentially dangerous statement. Any identified connection (data flow) indicates that the dangerous statement is most likely exploitable. In addition to data and control flow analysis, CodeProfiler applies further sanity tests such as type checks, authority checks, and the usage of regular expressions. As a result, the findings can be prioritized and the efficiency of the mitigation process improved.
CodeProfiler Engine – Data and Control Flow Analysis (diagram, steps 1–4)
Test domain – Security
This domain covers test cases related to classical security defects, i.e. code with hidden side effects that can be misused by an attacker. Visit http://www.bizec.org for application security risks related to business applications.
Test cases – examples:
• ABAP Command Injection
• Directory Traversal
• Cross-Site Scripting
• Missing AUTHORITY-CHECK
• Phishing
• SQL Injection
Protection by CodeProfiler – Code Sample
• BIZEC APP/11 APP-01 (http://www.bizec.org) ABAP Command Injection: coding that dynamically creates and executes arbitrary ABAP programs based on user input on a productive system.
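As an added illustration of the source-to-sink analysis described under “Data and Control Flow Analysis” and of the ABAP Command Injection pattern named above, the Python below is a deliberately small taint tracker written for this page; it is not CodeProfiler code. It assumes a constructed rule set (selection-screen PARAMETERS as the only data source; GENERATE SUBROUTINE POOL, INSERT REPORT and OPEN DATASET as sinks) and constructed ABAP sample text, whereas the real engine works on parsed code with type information rather than statement text.

```python
import re

# Constructed rule set modelled on the page's test cases (simplified):
SINKS = {"GENERATE SUBROUTINE POOL": "ABAP Command Injection",
         "INSERT REPORT": "ABAP Command Injection", "OPEN DATASET": "Directory Traversal"}
def tokens(text):
    return set(re.findall(r"[A-Z_][A-Z0-9_]*", text))
def analyze(source):
    """Return [(line, test case, variable)] where external data reaches a sink."""
    tainted, findings = set(), []
    for no, raw in enumerate(source.splitlines(), 1):
        stmt = raw.strip().rstrip(".").upper()
        # 1. data source: selection-screen input (PARAMETERS / SELECT-OPTIONS)
        if m := re.match(r"(?:PARAMETERS|SELECT-OPTIONS)\s+(\w+)", stmt):
            tainted.add(m.group(1)); continue
        # 2. sink: report every tainted variable named in a dangerous statement
        for sink, case in SINKS.items():
            if stmt.startswith(sink):
                findings += [(no, case, v) for v in sorted(tokens(stmt) & tainted)]
        # 3. propagation: CLEAR, assignment, CONCATENATE ... INTO, APPEND ... TO
        if m := re.match(r"CLEAR\s+(\w+)", stmt):
            tainted.discard(m.group(1)); continue
        if m := re.match(r"(\w+)\s*=\s*(.*)", stmt):
            target, rhs = m.group(1), m.group(2)
        elif m := re.match(r"CONCATENATE\s+(.*)\s+INTO\s+(\w+)", stmt):
            rhs, target = m.group(1), m.group(2)
        elif m := re.match(r"APPEND\s+(\w+)\s+TO\s+(\w+)", stmt):
            rhs, target = m.group(1), m.group(2)
        else:
            continue
        if tokens(rhs) & tainted:
            tainted.add(target)
        else:
            tainted.discard(target)          # overwritten with untainted data
    return findings

# Constructed samples: input pasted into generated code vs. a fixed program that only receives it as data.
VULNERABLE = """\
PARAMETERS p_code TYPE string.
CONCATENATE 'FORM run.' p_code 'ENDFORM.' INTO lv_line SEPARATED BY space.
APPEND lv_line TO lt_code.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
"""
FIXED = """\
PARAMETERS p_name TYPE string.
APPEND 'FORM run USING p_name TYPE string. WRITE p_name. ENDFORM.' TO lt_code.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
PERFORM run IN PROGRAM (lv_prog) USING p_name.
"""
```

Calling analyze(VULNERABLE) reports the sink on line 4 fed by lt_code, while analyze(FIXED) reports nothing because the generated program is constant and p_name only travels as a data argument.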
Test domain – Compliance
This domain introduces test cases related to compliance defects, i.e. coding practices that bypass an important security mechanism in the SAP® standard.
Test cases – examples:
• Hard-coded User Name (sy-uname)
• Cross-Client Access to Business Data
• Hidden ABAP Code
Test domain – Performance
This domain includes test cases that identify coding practices with adverse effects on the performance of an SAP® system.
Test cases – examples:
• Usage of WAIT Command
• Database Modifications in a Loop
• SELECT Statement in a Loop
• Usage of LIKE Clause
• Missing WHERE Restriction in SELECT Statement
• Nested SELECT Statement
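As an added example, not CodeProfiler's own rules, the Python below checks constructed ABAP sample text for the loop-related performance cases listed above (SELECT in a loop, nested SELECT, missing WHERE, LIKE, WAIT). It assumes the sample syntax shown and tracks only LOOP, DO, WHILE and SELECT…ENDSELECT blocks; the real analysis also uses type information, which plain statement text cannot supply.

```python
import re

# Constructed checks modelled on the performance test cases named on the page.
BLOCK_END = {"LOOP": "ENDLOOP", "DO": "ENDDO", "WHILE": "ENDWHILE", "SELECT": "ENDSELECT"}

def opens_select_block(stmt):
    """A SELECT runs as a SELECT ... ENDSELECT loop unless it is SINGLE or fills a table."""
    return not re.search(r"\bSINGLE\b|\b(INTO|APPENDING)\s+(CORRESPONDING FIELDS OF\s+)?TABLE\b", stmt)

def performance_checks(source):
    """Return [(line, test case)] for the constructed ABAP sample text."""
    blocks, findings = [], []            # blocks: keywords of the currently open loops
    for no, raw in enumerate(source.splitlines(), 1):
        stmt = raw.strip().rstrip(".").upper()
        kw = stmt.split()[0] if stmt else ""
        if kw == "SELECT":
            if "SELECT" in blocks:
                findings.append((no, "Nested SELECT Statement"))
            elif blocks:
                findings.append((no, "SELECT Statement in a Loop"))
            if not re.search(r"\bWHERE\b", stmt):
                findings.append((no, "Missing WHERE Restriction in SELECT Statement"))
            if re.search(r"\bLIKE\b", stmt):
                findings.append((no, "Usage of LIKE Clause"))
            if opens_select_block(stmt):
                blocks.append("SELECT")
        elif kw in BLOCK_END:                      # LOOP AT / DO / WHILE
            blocks.append(kw)
        elif kw in BLOCK_END.values() and blocks:  # ENDLOOP / ENDDO / ENDWHILE / ENDSELECT
            blocks.pop()
        elif kw == "WAIT":
            findings.append((no, "Usage of WAIT Command"))
    return findings

# Constructed sample: one full-table read, one loop with a per-row read and a WAIT, one nested SELECT.
SAMPLE = """\
SELECT * FROM zorders INTO TABLE lt_orders.
LOOP AT lt_orders INTO ls_order.
  SELECT SINGLE * FROM zcustomer INTO ls_cust WHERE id = ls_order-custid.
  WAIT UP TO 1 SECONDS.
ENDLOOP.
SELECT * FROM zcustomer INTO ls_cust WHERE name LIKE 'A%'.
  SELECT SINGLE * FROM zcountry INTO ls_country WHERE id = ls_cust-country.
ENDSELECT.
"""

if __name__ == "__main__":
    for line, case in performance_checks(SAMPLE):
        print(line, case)
```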
Test domain – Quality (Maintainability)
This domain contains test cases that analyze the ABAP™ coding for issues that make the code difficult to maintain. Factors that reduce maintainability include
• coding that is difficult to understand for a developer new to the project,
• coding with a complex structure,
• poor documentation.
Test cases – examples:
• Empty Block
• Empty Module
• Overlong Module
Test domain – Quality (Robustness)
This domain provides test cases that check for ABAP™ coding practices which jeopardize the reliable execution of a business application. An important benefit of robust code is business continuity: robust code reacts to error conditions in a controlled, reliable and predefined way.
Test cases – examples:
• Insufficient Error Handling (TRY/CATCH)
• Incomplete CASE Statement
• Recursion (Immediate)
Naming Conventions
Beyond “Maintainability” and “Robustness”, the test group “Code Quality” now also covers the frequently requested check for “Naming Conventions”:
• Application-specific rules
  • different naming conventions per package
  • validity timeframe (from / to): legacy and new code can be checked without conflicts with the applicable rules
• The naming conventions can be seamlessly integrated into the automated TMS/ChaRM “code firewall”.
CodeProfiler 3.1
• Status Quo: Getting Secure
  - As developer or auditor
  - Analysis of transports
  - Batch scheduling (SM37/SM36)
• TMS/ChaRM Integration: Staying Secure
  - Automatic scan of transports (SE10)
  - Approval Workflow (enforcement of requirements)
• Work with Findings: Mitigation
  - Finding Manager (review, qualification and correction in SE80)
CodeProfiler Analysis – Packages, individual ABAP™ object types, or transports
Result Navigation
The executive summary report (PDF) contains a prioritized list of all discovered issues. This list provides immediate feedback on current business risks at code level. Following the executive summary, the full PDF report (or result navigation in the Finding Manager) contains detailed information about each finding, grouped by test cases. Each test case starts with general information about the respective issue:
• Introduction
• Business Risk
• Detailed Explanation
• Example Vulnerability
• Solution in General
• Solution Example
In addition to the general information, the report lists details for all discovered issues.
Working with Scan Results – Finding Manager, forward navigation to SE80
CodeProfiler finds and prioritizes security issues and other findings
Integration in Development Process
The integration into the SAP Transport Management System (TMS) enables you to check transports with CodeProfiler automatically before the actual release, at task level as well as at transport level (or both). You can then release them or, if required, re-route them to a defined exception handling process. The automated check before importing code into an existing system (development, consolidation, production) can be carried out in the same way as the check during the release phase. From a technology point of view, it does not make a difference whether one or more SAP systems are connected. CodeProfiler supports the common transport and release mechanisms, such as the Transport Management System (TMS), Change Request Management (ChaRM), the Change and Transport System (CTS), and CTS plus. Integration with additional tools such as theGuard! TransportManager by REALTECH, Transport Express by Basis Technologies, or other products is possible. The Virtual Forge CodeProfiler standard shipment includes a preconfigured SAP workflow (notification and approval workflow) for release, QA and exception processes.
TMS/ChaRM Integration (diagram): Development (D60 EhP4), Test/QA (Q60 EhP4) and Production (P60 EhP4) systems; CodeProfiler acts as TMS gatekeeper on the basis of a requirements paper; exception via QA
Governance & Compliance in Development Process – Approval Workflow (diagram): Developer (develop, release, change); CodeProfiler (parse: okay / false); TMS transport; QA / PL (review request, approve, reject)
Options of TMS/ChaRM Integration
• Workflow process:
  • CodeProfiler allows the transport.
  • CodeProfiler declines the transport; the developer asks the QA instance for an exception via the approval workflow.
    • Yes: the transport is released (compliance: document exceptions).
    • No: back to development.
• Simplified process:
  • The developer may decide at his own discretion to release the transport although CodeProfiler reported issues.
• The appropriate approach depends on your requirements:
  • Organization (small, large)
  • Compliance (4-eyes principle)
  • Reliability / stability
  • Speed (fixes, development)
Enforcement of ABAP™ Guidelines – Flexible definition of gatekeeper functionality
High Availability
• CodeProfiler is often used in large system landscapes in order to monitor the entire code base (legacy and new ABAP code).
• To make this more effective, several CodeProfiler instances can now be flexibly assigned to several SAP systems (m x n).
• That way, scans can easily be parallelized and high availability of the code audit infrastructure can be achieved.
• The implementation of a large-scale CodeProfiler infrastructure is now simpler and “built-in”.
High Availability (diagram): n x m relations between CodeProfiler and SAP® systems; SAP systems SAPD01, SAPD02, SAPQ01, SAPQ02 connected to CodeProfiler servers CPSERVER1, CPSERVER2, CPSERVER3, CPSERVER4 and TMS servers CPTMSSERV1, CPTMSSERV2
CodeProfiler is “Ready for Rational”
• Scans of Java applications
• Technical integration
Integration IBM AppScan Source Edition (screenshots):
• Triage of findings in your ABAP™ Code
• Drill-down by vulnerabilities only (all impact levels)
• Drill-down by vulnerabilities (high impact only)
• ABAP™ analysis with data flow, code details and description
CodeProfiler protects SAP®
Aiming to expand the quality assurance of SAP® software enhancements, SAP® has licensed the testing software CodeProfiler, developed by the ABAP™ programming language security specialist Virtual Forge. This is the first solution on the market designed for static analysis of ABAP™ applications with a specific focus on security and compliance tests. CodeProfiler offers SAP® customers that have developed their own ABAP™ code extensive quality assurance.
“Security is important to us and to our customers. It’s good to see that our trusted partner Virtual Forge provides a tool for security test automation. Now all our customers can establish a baseline security level in their ABAP™ code.”
SAP® Executive Board Member Gerhard Oswald (2009)
CodeProfiler is SAP® Certified
• CodeProfiler has successfully completed SAP’s integration certification program.
• This proves that CodeProfiler is an extremely reliable solution for your SAP environments.
• In addition, Virtual Forge is now listed as an official SAP Software Partner.
SAP® Custom Code Security Service – Powered by Virtual Forge CodeProfiler