Christine Warring, Project Manager at the DoD, presented at this year's SAP TechEd how she and her team passed all tests and audits for a self-developed SAP-based medical logistics system for the armed forces and ultimately obtained "Authority to Operate" (ATO), the authorization to go live.
She also gives recommendations for testing custom SAP applications.
5. SAP TEWLS @ Dept of Defense
Custom ABAP Applications
Theater Enterprise Wide Logistics System (TEWLS)
SAP-based Enterprise Resource Planning
Supports theater-level medical logistics
Developed by US Army to replace TAMMIS
Single shared data environment
Developed in ABAP
6. SAP TEWLS @ Dept of Defense
Custom ABAP Applications
What is TEWLS?
Enterprise-level total life cycle management of medical assemblages
Development
Production
Fielding
Sustainment
Theater Intermediate-Level Medical Logistics:
Acquisition & life-cycle management
Strategic programs for mobilization & deployment of materials
Theater Supply Chain Management, including full storage and distribution capabilities for Medical Materials (TLAMM)
Compliance with the Federal Financial Management Improvement Act (FFMIA), Standard Financial Information Structure (SFIS) and Federal Information System Controls Audit Manual (FISCAM)
8. Challenges
Passing the Test
Department of Defense Adopted TEWLS
TEWLS to be used for all armed forces
Required to prove that ABAP code was secure and compliant
The Problem
Static code scanning required
The code scanning solution that the DoD mandated did not produce accurate results
Unable to go live without Authority to Operate (ATO)!
9. Challenges
The Problem
Limitations with existing tools
Many false findings
Inconsistent results (even with same code base)
Developers could not use day to day
Limited test scope
No help with remediation!
Impact
Used valuable resource time working through false results
Unable to prove that the code was secure and compliant to finalize DOD ATO
Annoyed developers
Late feedback for developers
10. Challenges
The Solution
ABAP Scanning with CodeProfiler
Accurate results with prioritized findings
Comprehensive testing
Developers can correct and learn while they work
Detailed remediation instructions and auto correction
Results
Able to scan and remediate vulnerabilities quickly
Reduced number of code corrections required
Improved developer skills
Reduced effort and time spent on code reviews
Ensured ALL code meets security and compliance requirements
11. Custom ABAP
Are your custom applications compliant?
ATO (Authority To Operate)
PII (Personally Identifiable Information)
PIA (Privacy Impact Assessment)
PCI-DSS (Payment Card Industry Data Security Standard)
Internal standards
14. Best Practices
Code Reviews
Top 11 Most Dangerous Security Vulnerabilities:
1. ABAP Command Injection
2. OS Command Injection
3. Native SQL Injection
4. Improper Authorization Checks
5. Directory Traversal
6. Direct Database Modifications
7. Cross-Client Database Access
8. Open SQL Injection
9. Generic Module Execution
10. Cross-Site Scripting
11. Hidden ABAP code
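To make two entries of that list concrete, here is an added example (my own code, not from the TEWLS project or from CodeProfiler) of what a static ABAP scanner reports as Open SQL Injection (item 8) and an Improper Authorization Check (item 4), with the hardened form alongside. It uses SAP's demo flight model (SFLIGHT, authorization object S_CARRID) as sample data, the report name and parameters are hypothetical, and it assumes a release with string templates and CL_ABAP_DYN_PRG (7.02 or later).

```abap
REPORT z_scan_demo.   " hypothetical report name, constructed for this example

" Constructed input: a carrier key and a free-text condition the user may type.
PARAMETERS p_carrid TYPE s_carr_id.
PARAMETERS p_where  TYPE c LENGTH 100 LOWER CASE.

DATA lt_flights TYPE STANDARD TABLE OF sflight.
DATA lv_where   TYPE string.

* --- Vulnerable form: the pattern a code scanner flags ---
* Item 8, Open SQL Injection: user text is spliced into the WHERE clause,
* so a value that closes the quote and appends an OR condition widens the
* selection to every carrier in the table.
* Item 4, Improper Authorization Check: nothing verifies that the caller
* may display this carrier before the data is read.
lv_where = |CARRID = '{ p_carrid }' AND { p_where }|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

* --- Hardened form ---
* 1. Check the authorization first; S_CARRID is the demo object of the
*    flight model and ACTVT '03' is "display".
AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD p_carrid
  ID 'ACTVT'  FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No display authorization for this carrier' TYPE 'E'.
ENDIF.

* 2. Use static Open SQL with the value bound as a variable: the database
*    receives a parameter, never SQL text assembled from input. The free-text
*    WHERE fragment is not accepted at all.
SELECT * FROM sflight INTO TABLE lt_flights WHERE carrid = p_carrid.

* 3. Where a dynamic WHERE clause is unavoidable, pass every literal through
*    cl_abap_dyn_prg=>quote( ): it wraps the value in single quotes and
*    doubles any quote inside it, so the input cannot terminate the literal.
lv_where = |CARRID = { cl_abap_dyn_prg=>quote( p_carrid ) }|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
```

Running the scanner over the two halves should report findings only on the first; the second half is the shape of remediation a tool's instructions point developers toward.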
15. Best Practices
Lessons Learned/Recommendations
Custom code can be a source of risk to SAP systems.
Automated testing is necessary to ensure code security and quality.
Not all solutions are alike – compare them!
Start now. Don’t wait for an incident to occur.
16. Virtual Forge CodeProfiler
Free Risk Assessment Offer!
How good is your SAP system?
Visit www.virtualforge.com
• Summary of findings
• Prioritization and classification of vulnerabilities
• Specific examples of findings
• Code and system metrics
Covers quality, compliance and security of the SAP system.
Free Risk Assessment / Penetration Test:
• SAP configuration
• Custom code