10 GOLDEN RULES FOR CODING AUTHORIZATION CHECKS IN ABAP
© 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Dr. Markus Schumacher
March 18, Heidelberg
SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage
Ten golden rules for coding authorization checks in ABAP
Andreas Wiegenstein
Andreas Wiegenstein (Twitter: @codeprofiler)
- Founder of Virtual Forge (Heidelberg), responsible for R&D
- SAP Security Researcher, active since 2003
- Received credits from SAP for 66 reported 0-day vulnerabilities
- Speaker at international conferences
  - SAP TechEd (USA & Europe), DSAG (Europe)
  - BlackHat (Europe), Hack in the Box (Europe)
  - Troopers (Europe), IT Defense (Europe), RSA (USA)
- Co-author of "Sichere ABAP Programmierung" (SAP Press, 2009)
- Co-author of "ABAP Best Practices Guideline" (DSAG, 2013/2014)
- Created training class WDESA3 (ABAP Security) @ SAP University
My car, my house, my boat, …
I am with
Authorizations in Custom Code
Ongoing survey, results as of March 12, 2014
Golden Rule #1
Perform authority checks
General advice
- Check with your business department whether (and which) authorizations are required in order to execute the business logic you provide.
- As a fallback, analyze code that is similar to your business process for authorization checks.
- If authority checks are required for your custom business logic, add them to your code.
On average there are 866 missing authority checks in custom code.
Golden Rule #1
Perform authority checks (cont’d)
Specific advice
- Don't rely on S_RFC authorizations. They only determine *whether* a function module may be invoked remotely; they are in no way related to the specific business logic of your custom code. You don't want users with S_RFC * authorizations to be able to issue purchase orders or to raise someone's salary. Auditors don't like this either...
- Don't rely on authorization groups assigned to reports. They are usually coarse-grained, as the same authorization group is used for multiple programs, and they are not necessarily related to the specific business logic of your custom code.
- Always check start authorizations when using CALL TRANSACTION, as the kernel performs no implicit start authorization check:
  - Function module AUTHORITY_CHECK_TCODE
  - Since 740: CALL TRANSACTION … WITH AUTHORITY-CHECK
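The two ways of checking the start authorization before CALL TRANSACTION, as an added example that is not part of the slides. The transaction code ZMY_TCODE and the variable names are constructed for illustration; AUTHORITY_CHECK_TCODE, CX_SY_AUTHORIZATION_ERROR and the WITH AUTHORITY-CHECK addition are SAP standard.

```abap
" Added example, not from the slides: start-authorization check before CALL TRANSACTION.
" ZMY_TCODE and the variable names are constructed for illustration.
DATA lv_tcode TYPE sy-tcode VALUE 'ZMY_TCODE'.

" Variant 1, available on all releases: function module AUTHORITY_CHECK_TCODE.
" Note the unusual exception mapping: the module raises OK as an exception, so after
" the call sy-subrc = 1 means "authorized" and anything else means "not authorized".
CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
  EXPORTING
    tcode  = lv_tcode
  EXCEPTIONS
    ok     = 1
    not_ok = 2
    OTHERS = 3.
IF sy-subrc <> 1.
  " Stop before the transaction is started; an E message ends the dialog step.
  MESSAGE 'You are not authorized to start this transaction' TYPE 'E'.
ELSE.
  CALL TRANSACTION lv_tcode.
ENDIF.

" Variant 2, release 740 and later: let the kernel perform the S_TCODE check itself.
" If the logged-on user lacks the authorization, CX_SY_AUTHORIZATION_ERROR is raised
" and the transaction is not started.
TRY.
    CALL TRANSACTION lv_tcode WITH AUTHORITY-CHECK.
  CATCH cx_sy_authorization_error INTO DATA(lx_auth).
    MESSAGE lx_auth TYPE 'E'.
ENDTRY.
```

The inverted sy-subrc logic of variant 1 is a classic source of broken checks (see Rule #3): a test for `sy-subrc = 0` after AUTHORITY_CHECK_TCODE never succeeds, and a test for `sy-subrc <> 0` lets everyone through.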
Golden Rule #2
Perform authority checks according to SAP standard functionality
General advice
- Always use functionality based on the ABAP command AUTHORITY-CHECK in order to perform authorization checks.
  (A common bad practice is to base authorizations on usernames.)
On average there are 187 hard-coded username checks in custom code.
Golden Rule #3
Check the result of an authority check
General advice
- Always check the result of sy-subrc after you perform an AUTHORITY-CHECK. A sy-subrc value of zero means the authorization is sufficient.
- Since other ABAP commands also change sy-subrc, make sure to perform the sy-subrc check *immediately* after the AUTHORITY-CHECK.
On average there are 13 broken authority checks in custom code.
Golden Rule #4
Perform authority checks for the user that is actually logged on
General advice
- Only check the authorization of the currently logged-on user (by avoiding the optional parameter FOR USER).
On average there are 2 ‘alias’ authority checks in custom code.
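Rules #2, #3 and #4 side by side, as an added example that is not part of the slides: the username anti-pattern, a sy-subrc check that has drifted away from its AUTHORITY-CHECK, and the correct form, which checks the logged-on user (no FOR USER). Authorization object F_BKPF_BUK with fields BUKRS and ACTVT and table T001 are SAP standard; the company code, the user name and the messages are constructed sample values.

```abap
" Added example, not from the slides. Company code, user name and messages are constructed.
DATA lv_bukrs TYPE bukrs VALUE '1000'.
DATA lv_butxt TYPE butxt.

" Anti-pattern (Rule #2): authorization tied to a user name. It cannot be maintained in
" roles, leaves nothing in SU53 when it fails, and silently changes meaning when the
" person behind the account changes.
IF sy-uname = 'ADMINUSER'.
  " ... privileged business logic ...
ENDIF.

" Anti-pattern (Rule #3): the SELECT between AUTHORITY-CHECK and IF overwrites sy-subrc,
" so the IF tests whether a T001 row was found, not whether the user is authorized.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD lv_bukrs
  ID 'ACTVT' FIELD '02'.
SELECT SINGLE butxt FROM t001 INTO lv_butxt WHERE bukrs = lv_bukrs.
IF sy-subrc = 0.
  " ... change accounting data: runs for any user as long as the company code exists ...
ENDIF.

" Correct (Rules #2, #3, #4): standard object, result evaluated on the very next
" statement, no FOR USER addition, and the check happens before any data is touched.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD lv_bukrs
  ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0.
  MESSAGE 'No authorization to change documents in this company code' TYPE 'E'.
ENDIF.
SELECT SINGLE butxt FROM t001 INTO lv_butxt WHERE bukrs = lv_bukrs.
" ... change accounting data ...
```

A code reviewer can spot the Rule #3 defect mechanically: any statement between AUTHORITY-CHECK and the first `IF sy-subrc` (SELECT, CALL FUNCTION, READ TABLE, and similar) resets sy-subrc and makes the check meaningless.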
Golden Rule #5
Always use APIs instead of AUTHORITY-CHECK, if they exist
General advice
- Always use specialized API functions for authorization checks instead of AUTHORITY-CHECK.
Specific advice
- Use AUTHORITY_CHECK_TCODE instead of S_TCODE
- Use AUTHORITY_CHECK_DATASET instead of S_DATASET / S_PATH
On average there are 92 insufficient authority checks in custom code.
Golden Rule #6
Declare all fields of the authorization object
General advice
- Always use specialized API functions for authorization checks instead of AUTHORITY-CHECK.
Specific advice
- Always make sure to specify all fields of the authorization object you check.
- If there are fields you don't want to check, mark them as DUMMY in order to make your intentions explicit.
No meaningful statistical information available at this time.
Golden Rule #7
Don't use DUMMY values in important fields
General advice
- Do not use DUMMY values in important authorization fields like 'ACTVT'.
On average there are 8 DUMMY authority checks (ACTVT) in custom code.
Golden Rule #8
Don't program privileging authorization checks
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD '*'
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  DUMMY          " Field not required in this context
  ID 'ACTVT'    FIELD '03'.
IF sy-subrc = 0.
  READ REPORT lv_prog INTO lt_code.
ENDIF.
General advice
- Avoid "*" values in authorization fields, as they force administrators to grant unnecessarily high privileges to users.
On average there are 2 privileging authority checks (ACTVT) in custom code.
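Rules #6, #7 and #8 applied to the slide's S_DEVELOP check, as an added example that is not part of the slides: the DUMMY on ACTVT that Rule #7 warns about, and a corrected check that replaces the '*' in DEVCLASS (the slide's Rule #8 example) with the program's real package while naming every field of the object (Rule #6). S_DEVELOP, TADIR and READ REPORT are SAP standard; the program name, package name and messages are constructed for illustration.

```abap
" Added example, not from the slides. Program name, package and messages are constructed.
DATA lv_prog     TYPE progname VALUE 'ZFI_EXPORT'.
DATA lv_devclass TYPE devclass.
DATA lt_code     TYPE STANDARD TABLE OF abaptxt255.

" Anti-pattern (Rule #7): DUMMY on ACTVT. Display (03) and change (02) are no longer
" distinguished, so a user with display-only rights passes a check that guards changes.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD 'ZFIN'
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    DUMMY.

" Corrected (Rules #6 and #8): look up the program's real package in the object
" directory and check exactly that value instead of '*'. Every field is named, ACTVT is
" explicit, and DUMMY is used only for P_GROUP, which has no meaning when reading source.
SELECT SINGLE devclass FROM tadir INTO lv_devclass
  WHERE pgmid    = 'R3TR'
    AND object   = 'PROG'
    AND obj_name = lv_prog.
IF sy-subrc <> 0.
  MESSAGE 'Program not found in the object directory' TYPE 'E'.
ENDIF.

AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD lv_devclass
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '03'.
IF sy-subrc = 0.
  READ REPORT lv_prog INTO lt_code.
ELSE.
  MESSAGE 'No authorization to display this program' TYPE 'E'.
ENDIF.
```

With the '*' version, the only role that satisfies the check is one that grants S_DEVELOP for every package, so the administrator ends up handing out system-wide developer rights to let someone read one program; with the concrete package value, a role limited to that package is enough.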
Golden Rule #9
Make authorization checks early in your business logic
General advice
- If an authorization check is required for a given business logic, it should be performed as early as possible.
No meaningful statistical information available at this time.
Golden Rule #10
Perform authorization checks in order to avoid dumps
Specific advice
- Always make sure to test for S_DATASET and S_PATH authorizations before you open a server-side file.
No meaningful statistical information available at this time.
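The file check recommended by Rules #5 and #10, as an added example that is not part of the slides: AUTHORITY_CHECK_DATASET covers both S_DATASET and S_PATH for the given file, and running it before OPEN DATASET turns the runtime error the kernel would otherwise raise into a controlled message. The function module and the SABC type pool are SAP standard; the file path and the message are constructed sample values.

```abap
" Added example, not from the slides. File path and message are constructed.
TYPE-POOLS sabc.   " provides the activity constants (sabc_act_read, sabc_act_write, ...)
DATA lv_file TYPE string VALUE '/usr/sap/trans/data/zexport.txt'.
DATA lv_line TYPE string.

" Rule #5/#10: use the API, which checks S_DATASET and S_PATH for this file, rather
" than hand-coding an AUTHORITY-CHECK on S_DATASET alone.
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
  EXPORTING
    program          = sy-repid
    activity         = sabc_act_read
    filename         = lv_file
  EXCEPTIONS
    no_authority     = 1
    activity_unknown = 2
    OTHERS           = 3.
IF sy-subrc <> 0.
  " Without this check, OPEN DATASET on a file the user may not access terminates the
  " program with a runtime error (dump) instead of a message the user can act on.
  MESSAGE 'No authorization to read this file' TYPE 'E'.
ENDIF.

OPEN DATASET lv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc = 0.
  DO.
    READ DATASET lv_file INTO lv_line.
    IF sy-subrc <> 0.
      EXIT.
    ENDIF.
    " ... process lv_line ...
  ENDDO.
  CLOSE DATASET lv_file.
ENDIF.
```

For a file that is written rather than read, the activity constant changes to sabc_act_write (or sabc_act_delete for deletion); the rest of the pattern stays the same.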
Further Information
Blog Post “Ten golden rules for ABAP authorization checks”
https://www.virtualforge.com/en/blog/post/ten_golden_rules_authorizations_en.html
Twitter: @codeprofiler
Thank you for your attention
Andreas Wiegenstein
CTO
Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained
in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this material.
This document is provided without a warranty of any kind, either express or implied, including but not limited to the
implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or
consequential damages that may result from the use of this document.
No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH.
© 2014 Virtual Forge GmbH.
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...Virtual Forge
 
Risks of Hosted SAP Environments
Risks of Hosted SAP EnvironmentsRisks of Hosted SAP Environments
Risks of Hosted SAP EnvironmentsVirtual Forge
 
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...Virtual Forge
 
Die Top 5 Mythen der SAP Sicherheit
Die Top 5 Mythen der SAP SicherheitDie Top 5 Mythen der SAP Sicherheit
Die Top 5 Mythen der SAP SicherheitVirtual Forge
 
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Virtual Forge
 
ABAP Code Qualität - Best Practices
ABAP Code Qualität - Best PracticesABAP Code Qualität - Best Practices
ABAP Code Qualität - Best PracticesVirtual Forge
 
Best Practices for Ensuring SAP ABAP Code Quality and Security
Best Practices for Ensuring SAP ABAP Code Quality and SecurityBest Practices for Ensuring SAP ABAP Code Quality and Security
Best Practices for Ensuring SAP ABAP Code Quality and SecurityVirtual Forge
 
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...Virtual Forge
 

Mehr von Virtual Forge (20)

How the U.S. Department of Defense Secures Its Custom ABAP Code
How the U.S. Department of Defense Secures Its Custom ABAP CodeHow the U.S. Department of Defense Secures Its Custom ABAP Code
How the U.S. Department of Defense Secures Its Custom ABAP Code
 
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
 
SAP HANA Security: New Technology, New Risks
SAP HANA Security: New Technology, New RisksSAP HANA Security: New Technology, New Risks
SAP HANA Security: New Technology, New Risks
 
Stabile und performante Anwendungen für SAP HANA entwickeln
Stabile und performante Anwendungen für SAP HANA entwickelnStabile und performante Anwendungen für SAP HANA entwickeln
Stabile und performante Anwendungen für SAP HANA entwickeln
 
Develop Stable, High-Performance Applications for SAP HANA
Develop Stable, High-Performance Applications for SAP HANADevelop Stable, High-Performance Applications for SAP HANA
Develop Stable, High-Performance Applications for SAP HANA
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?
 
How to assess the risks in your SAP systems at the push of a button
How to assess the risks in your SAP systems at the push of a buttonHow to assess the risks in your SAP systems at the push of a button
How to assess the risks in your SAP systems at the push of a button
 
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...
 
Uninvited Guests: Why do hackers love our SAP landscapes?
Uninvited Guests: Why do hackers love our SAP landscapes?Uninvited Guests: Why do hackers love our SAP landscapes?
Uninvited Guests: Why do hackers love our SAP landscapes?
 
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?
 
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...
 
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...
 
Risks of Hosted SAP Environments
Risks of Hosted SAP EnvironmentsRisks of Hosted SAP Environments
Risks of Hosted SAP Environments
 
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
 
Die Top 5 Mythen der SAP Sicherheit
Die Top 5 Mythen der SAP SicherheitDie Top 5 Mythen der SAP Sicherheit
Die Top 5 Mythen der SAP Sicherheit
 
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
 
ABAP Code Qualität - Best Practices
ABAP Code Qualität - Best PracticesABAP Code Qualität - Best Practices
ABAP Code Qualität - Best Practices
 
Best Practices for Ensuring SAP ABAP Code Quality and Security
Best Practices for Ensuring SAP ABAP Code Quality and SecurityBest Practices for Ensuring SAP ABAP Code Quality and Security
Best Practices for Ensuring SAP ABAP Code Quality and Security
 
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
 

Kürzlich hochgeladen

Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 

Kürzlich hochgeladen (20)

Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 

10 GOLDEN RULES FOR CODING AUTHORIZATION CHECKS IN ABAP

Golden Rule #1: Perform authority checks

General advice
- Check with your business department whether (and which) authorizations are required in order to execute the business logic you provide.
- As a fallback, analyze existing code that implements a similar business process and look at which authorization checks it performs.
- If authority checks are required for your custom business logic, add them to your code.

On average there are 866 missing authority checks in custom code.
Golden Rule #1: Perform authority checks (continued)

Specific advice
- Don't rely on S_RFC authorizations. They only determine *whether* a function module can be invoked remotely; they are in no way related to the specific business logic of your custom code. You don't want users with an S_RFC * authorization to be able to issue purchase orders or to raise someone's salary. Auditors don't like this either.
- Don't rely on authorization groups assigned to reports. They are usually coarse-grained, as the same authorization group is used for many programs, and they are not necessarily related to the specific business logic of your custom code.
- Always check the start authorization when using CALL TRANSACTION, because the kernel performs no implicit start-authorization check for it:
  - function module AUTHORITY_CHECK_TCODE
  - since ABAP 7.40: CALL TRANSACTION ... WITH AUTHORITY-CHECK
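The two ways of protecting CALL TRANSACTION named above, as an added example that is not part of the original slides. The report name, the parameters and the default transaction code are assumptions for illustration; because the second variant uses the WITH AUTHORITY-CHECK addition, the program compiles on ABAP 7.40 SP02 or later only.

```abap
* Added example (not from the original slides). Report name, parameters and
* the default transaction code are assumptions.
REPORT z_call_transaction_checked.

PARAMETERS: p_tcode  TYPE sy-tcode DEFAULT 'ME23N',
            p_kernel TYPE abap_bool AS CHECKBOX DEFAULT 'X'.  " use kernel check (7.40+)

START-OF-SELECTION.
  IF p_kernel = abap_false.
    " Variant 1 (all releases): AUTHORITY_CHECK_TCODE checks S_TCODE and the
    " authorization object assigned to the transaction in SE93. Mind its
    " interface: success is reported through the exception OK, so sy-subrc 1
    " (OK raised) as well as 0 means authorized; 2 means NOT_OK.
    CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
      EXPORTING
        tcode  = p_tcode
      EXCEPTIONS
        ok     = 1
        not_ok = 2
        OTHERS = 3.
    IF sy-subrc <> 0 AND sy-subrc <> 1.
      MESSAGE 'No authorization to start this transaction' TYPE 'E'.
    ENDIF.
    " Only reached with a confirmed start authorization.
    CALL TRANSACTION p_tcode.
  ELSE.
    " Variant 2 (ABAP 7.40 SP02 and later): the kernel performs the same check
    " and raises a catchable exception instead of silently starting the
    " transaction, so no function module call is needed.
    TRY.
        CALL TRANSACTION p_tcode WITH AUTHORITY-CHECK.
      CATCH cx_sy_authorization_error.
        MESSAGE 'No authorization to start this transaction' TYPE 'E'.
    ENDTRY.
  ENDIF.
```

Whichever variant is used, the check has to happen in the calling program: a plain CALL TRANSACTION without either of them starts the transaction for any user who can run the report.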
Golden Rule #2: Perform authority checks according to SAP standard functionality

General advice
- Always use functionality based on the ABAP statement AUTHORITY-CHECK in order to perform authorization checks. A common bad practice is to base authorization decisions on user names (sy-uname) instead; such checks cannot be maintained through roles and profiles and are invisible to the authorization administrator.

On average there are 187 hard-coded username checks in custom code.
Golden Rule #3: Check the result of an authority check

General advice
- Always check sy-subrc after you perform an AUTHORITY-CHECK. sy-subrc = 0 means the authorization is sufficient; any other value means the check failed.
- Since other ABAP statements also set sy-subrc, perform the sy-subrc check *immediately* after the AUTHORITY-CHECK.

On average there are 13 broken authority checks in custom code.
Golden Rule #4: Perform authority checks for the user that is actually logged on

General advice
- Only check the authorization of the currently logged-on user, i.e. avoid the optional addition FOR USER.

On average there are 2 'alias' authority checks in custom code.
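Rules #2, #3 and #4 in one place, as an added example that is not part of the original slides. The custom authorization object Z_PO_REL with the fields BUKRS and ACTVT, the report name and the local class are assumptions; Z_PO_REL would have to be created in SU21 and granted through roles. The second method deliberately reproduces the rule #3 defect so that the two can be compared.

```abap
* Added example (not from the original slides). Z_PO_REL, its fields and the
* report/class names are assumptions for illustration.
REPORT z_po_release_check_demo.

CLASS lcl_po_release DEFINITION.
  PUBLIC SECTION.
    " Correct check: follows rules #2, #3, #4 and #9.
    CLASS-METHODS is_release_allowed
      IMPORTING iv_ebeln          TYPE ekko-ebeln
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
    " Broken check: shows how rule #3 is violated in practice.
    CLASS-METHODS is_release_allowed_broken
      IMPORTING iv_ebeln          TYPE ekko-ebeln
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_po_release IMPLEMENTATION.
  METHOD is_release_allowed.
    DATA lv_bukrs TYPE ekko-bukrs.
    rv_allowed = abap_false.

    " The company code is a check value, so it is read first; the check
    " itself still runs before any business logic (rule #9).
    SELECT SINGLE bukrs FROM ekko INTO lv_bukrs WHERE ebeln = iv_ebeln.
    IF sy-subrc <> 0.
      RETURN.                                  " unknown purchase order
    ENDIF.

    " Rule #2: decide by authorization object, never by user name
    "          (anti-pattern: IF sy-uname = 'MUELLER' ...).
    " Rule #4: no FOR USER addition, so the logged-on user is checked.
    AUTHORITY-CHECK OBJECT 'Z_PO_REL'
      ID 'BUKRS' FIELD lv_bukrs
      ID 'ACTVT' FIELD '02'.                   " 02 = change

    " Rule #3: sy-subrc is evaluated immediately; nothing sits in between.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ENDIF.
  ENDMETHOD.

  METHOD is_release_allowed_broken.
    DATA: lv_bukrs TYPE ekko-bukrs,
          lv_frgke TYPE ekko-frgke.
    rv_allowed = abap_false.

    SELECT SINGLE bukrs FROM ekko INTO lv_bukrs WHERE ebeln = iv_ebeln.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.

    AUTHORITY-CHECK OBJECT 'Z_PO_REL'
      ID 'BUKRS' FIELD lv_bukrs
      ID 'ACTVT' FIELD '02'.

    " BUG: a statement was slipped in between the check and its evaluation.
    " SELECT sets sy-subrc, so the IF below tests whether the order was found
    " and no longer whether the user is authorized: every user who can run
    " the program may release every existing order.
    SELECT SINGLE frgke FROM ekko INTO lv_frgke WHERE ebeln = iv_ebeln.

    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  IF lcl_po_release=>is_release_allowed( '4500000001' ) = abap_true.
    WRITE / 'Release of purchase order 4500000001 is allowed.'.
  ELSE.
    WRITE / 'Release of purchase order 4500000001 is not allowed.'.
  ENDIF.
```

The broken variant is the form static analysis flags as a "broken authority check": the AUTHORITY-CHECK is present, but its result is never read.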
Golden Rule #5: Always use APIs instead of AUTHORITY-CHECK, if they exist

General advice
- Where SAP provides a specialized API function for an authorization check, use it instead of coding the AUTHORITY-CHECK yourself.

Specific advice
- Use AUTHORITY_CHECK_TCODE instead of checking S_TCODE directly.
- Use AUTHORITY_CHECK_DATASET instead of checking S_DATASET / S_PATH directly.

On average there are 92 insufficient authority checks in custom code.
Golden Rule #6: Declare all fields of the authorization object

General advice
- Name every field of the authorization object in your AUTHORITY-CHECK statement, so that a reader can tell which fields are checked and which are deliberately left out.

Specific advice
- Always make sure to specify all fields of the authorization object you check.
- If there are fields you don't want to check, mark them as DUMMY in order to make your intentions explicit.

No meaningful statistical information available at this time.
Golden Rule #7: Don't use DUMMY values in important fields

General advice
- Do not use DUMMY for important authorization fields such as ACTVT (the activity). A DUMMY activity means the field is not checked at all, so a user who is only authorized to display passes the check for the change or delete that the code actually performs.

On average there are 8 DUMMY authority checks (ACTVT) in custom code.
Golden Rule #8: Don't program privileging authorization checks

Example from the slide (the anti-pattern: DEVCLASS is checked against '*'):

  DATA: lv_prog TYPE progname,
        lt_code TYPE STANDARD TABLE OF string.

  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' FIELD '*'
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD lv_prog
    ID 'P_GROUP'  DUMMY              " Field not required in this context
    ID 'ACTVT'    FIELD '03'.
  IF sy-subrc = 0.
    READ REPORT lv_prog INTO lt_code.
  ENDIF.

General advice
- Avoid '*' values in authorization fields, as they force administrators to grant unnecessarily high privileges to users: the check above only succeeds for users whose S_DEVELOP authorization covers every package.

On average there are 2 privileging authority checks (ACTVT) in custom code.
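The slide's S_DEVELOP check rewritten so that no administrator has to grant DEVCLASS '*', as an added example that is not part of the original slides; it also shows rules #6 and #7 (every field named, ACTVT concrete). The report name and the parameter p_prog are assumptions; the package lookup in TADIR is the standard way to find the package a program belongs to.

```abap
* Added example (not from the original slides). Report name and parameter
* are assumptions.
REPORT z_read_source_checked.

PARAMETERS p_prog TYPE progname OBLIGATORY.

DATA: lv_devclass TYPE devclass,
      lt_code     TYPE STANDARD TABLE OF string,
      lv_line     TYPE string.

START-OF-SELECTION.
  " Resolve the package the program really belongs to (TADIR, R3TR PROG).
  " Local objects are recorded with the package $TMP.
  SELECT SINGLE devclass FROM tadir INTO lv_devclass
    WHERE pgmid    = 'R3TR'
      AND object   = 'PROG'
      AND obj_name = p_prog.
  IF sy-subrc <> 0.
    MESSAGE 'Program does not exist' TYPE 'E'.
  ENDIF.

  " Rule #6: every field of S_DEVELOP is named.
  " Rule #7: ACTVT carries a concrete value (03 = display).
  " Rule #8: DEVCLASS is the real package, not '*'. A '*' in the statement
  "          is not a wildcard; it only matches an authorization that itself
  "          contains '*', which is exactly the over-privilege the rule warns about.
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' FIELD lv_devclass
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD p_prog
    ID 'P_GROUP'  DUMMY             " field not needed in this context (as on the slide)
    ID 'ACTVT'    FIELD '03'.

  " Rule #3: sy-subrc evaluated immediately after the check.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for this program' TYPE 'E'.
  ENDIF.

  READ REPORT p_prog INTO lt_code.
  IF sy-subrc <> 0.
    MESSAGE 'Source code could not be read' TYPE 'E'.
  ENDIF.

  LOOP AT lt_code INTO lv_line.
    WRITE / lv_line.
  ENDLOOP.
```

With the package taken from TADIR, a role that grants S_DEVELOP for a single customer package is sufficient, and the check fails for programs in packages the user was never meant to read.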
Golden Rule #9: Make authorization checks early in your business logic

General advice
- If an authorization check is required for a given piece of business logic, perform it as early as possible, before data is read or changed, so that an unauthorized user never reaches the sensitive part of the code.

No meaningful statistical information available at this time.
Golden Rule #10: Perform authorization checks in order to avoid dumps

Specific advice
- Always test for S_DATASET and S_PATH authorizations before you open a server-side file. OPEN DATASET performs its own check in the kernel and terminates the program with a runtime error (short dump) if it fails; checking beforehand turns that dump into a proper error message.

No meaningful statistical information available at this time.
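Rules #5, #9 and #10 together: the server-side file is opened only after AUTHORITY_CHECK_DATASET has confirmed the S_DATASET and S_PATH authorizations. This is an added example, not code from the original slides; the report name and the file path are assumptions.

```abap
* Added example (not from the original slides). Report name and file path
* are assumptions for illustration.
REPORT z_read_server_file_checked.

TYPE-POOLS sabc.   " constants sabc_act_read, sabc_act_write, sabc_act_delete

DATA: lv_file  TYPE c LENGTH 255 VALUE '/usr/sap/trans/data/z_export.txt',  " assumed path
      lv_line  TYPE string,
      lv_count TYPE i.

START-OF-SELECTION.
  " Rule #5: the SAP API checks S_DATASET (program, activity, file name) and,
  " for paths maintained in table SPTH, S_PATH in a single call.
  " Rule #9: it runs before any I/O takes place.
  CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
    EXPORTING
      program          = sy-repid
      activity         = sabc_act_read
      filename         = lv_file
    EXCEPTIONS
      no_authority     = 1
      activity_unknown = 2
      OTHERS           = 3.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to read this file' TYPE 'E'.
  ENDIF.

  " Rule #10: without the check above, a missing S_DATASET authorization
  " would end here in the runtime error OPEN_DATASET_NO_AUTHORITY.
  OPEN DATASET lv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE 'File could not be opened' TYPE 'E'.
  ENDIF.

  DO.
    READ DATASET lv_file INTO lv_line.
    IF sy-subrc <> 0.
      EXIT.
    ENDIF.
    lv_count = lv_count + 1.
    WRITE / lv_line.
  ENDDO.
  CLOSE DATASET lv_file.

  WRITE: / lv_count, 'lines read'.
```

For writing or deleting files the same call is made with sabc_act_write or sabc_act_delete, since S_DATASET distinguishes the activities.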
Further information

Blog post "Ten golden rules for ABAP authorization checks":
https://www.virtualforge.com/en/blog/post/ten_golden_rules_authorizations_en.html
Thank you for your attention

Andreas Wiegenstein, CTO
Twitter: @codeprofiler
Disclaimer

SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document.

No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH. © 2014 Virtual Forge GmbH.