This presentation was given by Stephen Lamy (Virtual Forge) at the Basis & SAP Administration 2015 Conference in Las Vegas, March 2015.
Stephen Lamy demonstrated specific risks that custom ABAP code can introduce into an SAP system and gave proven advice for minimizing ABAP security risks.
Key Takeaways:
- What vulnerabilities exist in productive SAP systems, and better understand how your SAP systems can be compromised
- What are common and dangerous ABAP risks, such as directory traversal and ABAP command injection
- Best practices to develop secure and compliant ABAP code, such as implementing internal coding guidelines and standards, protecting your systems from risky third-party code, and choosing the right tools for your process
In This Session
• You will learn about specific risks that custom ABAP can introduce into an SAP system and get proven advice to minimize ABAP security risks.
• You will:
  • Learn about the most dangerous ABAP security vulnerabilities
  • View demonstrations to see how an SAP system can be exploited via ABAP vulnerabilities
  • Get insight into the best practices for developing secure and compliant ABAP code, such as:
    • Implementing internal coding guidelines and standards
    • Automatically testing all code changes before release
What We’ll Cover
• Risks from custom ABAP code
• The realities of ABAP development
• Best practices for ABAP code for security and quality
• Wrap-up
The Average SAP Customer System Analyzed Has …
• 1.03 Critical Security/Compliance errors per 1,000 LOC
• 51% probability of an ABAP Command Injection vulnerability
• 70% probability of an open SQL injection vulnerability
• 86% probability of a Directory Traversal vulnerability
• 100% probability of defective Authorization Checks
Source: CodeProfiler scan of 453 Million lines of custom ABAP® code
from 217 SAP systems (status: Oct 2014)
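Two of the vulnerability classes counted above, Open SQL injection and ABAP command injection, shown as a vulnerable statement next to its corrected form. This is an added example, not code from the presentation or from Virtual Forge; the report name, the screen parameters and the attack payloads in the comments are constructed for illustration, and the standard material master table MARA is assumed to exist.

```abap
REPORT zsec_injection_demo.
* Added example, not from the original presentation. Assumes the
* standard table MARA and two screen parameters filled by the user.

PARAMETERS: p_matnr(18) TYPE c,             " untrusted input
            p_text(40)  TYPE c LOWER CASE.  " untrusted input

DATA: lt_mara  TYPE STANDARD TABLE OF mara,
      lv_where TYPE string,
      lt_src   TYPE STANDARD TABLE OF string,
      lv_prog  TYPE string,
      lv_msg   TYPE string.

*--- 1. Open SQL injection -------------------------------------------*
* VULNERABLE: the WHERE clause is assembled from the raw input.
* Input  X' OR MATNR <> '  turns the condition into
*   MATNR = 'X' OR MATNR <> ''   and returns every material.
lv_where = |MATNR = '{ p_matnr }'|.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).

* FIXED (a): static condition with a host variable. The database sees
* the value only as data, never as SQL syntax.
SELECT * FROM mara INTO TABLE lt_mara WHERE matnr = p_matnr.

* FIXED (b): if the clause really must be dynamic, pass every value
* through CL_ABAP_DYN_PRG=>QUOTE (inner quotes doubled, literal
* re-quoted). Column names taken from input go through
* CHECK_COLUMN_NAME( ) instead.
lv_where = |MATNR = { cl_abap_dyn_prg=>quote( p_matnr ) }|.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).

*--- 2. ABAP command injection ---------------------------------------*
* VULNERABLE: source code is generated from the input and executed.
* Input  '. CALL TRANSACTION 'SU01'. WRITE '  closes the literal and
* runs an arbitrary statement with the privileges of this report.
APPEND `PROGRAM zgen.`          TO lt_src.
APPEND `FORM show.`             TO lt_src.
APPEND |  WRITE '{ p_text }'.|  TO lt_src.
APPEND `ENDFORM.`               TO lt_src.
GENERATE SUBROUTINE POOL lt_src NAME lv_prog MESSAGE lv_msg.
IF sy-subrc = 0.
  PERFORM show IN PROGRAM (lv_prog).
ENDIF.

* FIXED: the generated code never contains the input; the value is
* handed over as data through a parameter. Where a literal cannot be
* avoided, build it with cl_abap_dyn_prg=>quote( p_text ), and where
* only a fixed set of values is legal, reject the rest with
* cl_abap_dyn_prg=>check_whitelist_str( ).
CLEAR lt_src.
APPEND `PROGRAM zgen.`          TO lt_src.
APPEND `FORM show USING p_val.` TO lt_src.
APPEND `  WRITE p_val.`         TO lt_src.
APPEND `ENDFORM.`               TO lt_src.
GENERATE SUBROUTINE POOL lt_src NAME lv_prog MESSAGE lv_msg.
IF sy-subrc = 0.
  PERFORM show IN PROGRAM (lv_prog) USING p_text.
ELSE.
  MESSAGE lv_msg TYPE 'E'.
ENDIF.
```

The common thread is that untrusted data must stay data: a host variable in a static SELECT and a parameter in a PERFORM cannot change the structure of what executes, whereas string concatenation into a WHERE clause or a source line always can. A scanner flags both anti-patterns by following the parameter from the selection screen to the dynamic statement.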
Security/Compliance Testing
Test case (Sec = security, Com = compliance)                 Probability per scan   One finding per x LOC
Sec: Missing AUTHORITY-CHECK before CALL TRANSACTION              97%                    4,066
Sec: Missing AUTHORITY-CHECK in reports                           96%                    6,154
Com: Hard-coded user name (sy-uname)                              91%                    8,998
Sec: Directory traversal (write access)                           86%                    8,960
Sec: Missing AUTHORITY-CHECK in RFC-enabled function modules      94%                   14,347
Com: Cross-client access to business data                         83%                   15,254
Sec: Directory traversal (read access)                            86%                   23,254
Com: Direct database modifications                                86%                   35,016
"Probability per scan" is the share of scanned systems in which the test case fired at least once; "one finding per x LOC" is the average number of lines of custom code per finding.
Source: CodeProfiler scan of 453 Million lines of custom ABAP® code from 217 SAP systems
(status: Oct 2014)
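Directory traversal, which the table above splits into read and write access, comes from building an OS path out of a user-supplied name. The following is an added example, not code from the presentation or from Virtual Forge: the directory /usr/sap/export, the logical file name Z_EXPORT (assumed to be maintained in transaction FILE with a fixed directory and the name pattern <PARAM_1>) and the payload in the comments are assumptions of this example. FILE_VALIDATE_NAME is the SAP-delivered module for this purpose; confirm its parameter typing on your release before copying the call.

```abap
REPORT zsec_traversal_demo.
* Added example, not from the original presentation. The directory
* /usr/sap/export and the logical file name Z_EXPORT are assumptions.

PARAMETERS: p_name(60) TYPE c LOWER CASE,  " untrusted file name
            p_write    AS CHECKBOX.        " 'X' = write access

DATA: lv_path     TYPE string,
      lv_line     TYPE string,
      lv_name     TYPE filename-fileextern,
      lv_physical TYPE string.

*--- VULNERABLE: physical path assembled from the input ---------------*
* Read access: input  ../../../../etc/passwd  leaves the export
* directory and the report displays any file readable by <sid>adm.
* Write access: the same defect lets the caller create or overwrite
* files <sid>adm may write, e.g. instance profiles or transport files.
lv_path = |/usr/sap/export/{ p_name }|.
IF p_write = 'X'.
  OPEN DATASET lv_path FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc = 0.
    TRANSFER 'written by zsec_traversal_demo' TO lv_path.
    CLOSE DATASET lv_path.
  ENDIF.
ELSE.
  OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc = 0.
    DO.
      READ DATASET lv_path INTO lv_line.
      IF sy-subrc <> 0.
        EXIT.
      ENDIF.
      WRITE / lv_line.
    ENDDO.
    CLOSE DATASET lv_path.
  ENDIF.
ENDIF.

*--- FIXED ------------------------------------------------------------*
* Step 1: cheap syntactic guard. Reject parent references and path
* separators before anything else happens. Necessary, not sufficient.
IF p_name CS '..' OR p_name CA '/\'.
  MESSAGE 'Invalid file name' TYPE 'E'.
ENDIF.

* Step 2: derive the physical path from the logical file name, so the
* directory is fixed by configuration and not chosen by the caller.
CALL FUNCTION 'FILE_GET_NAME'
  EXPORTING
    logical_filename = 'Z_EXPORT'
    parameter_1      = p_name
  IMPORTING
    file_name        = lv_name
  EXCEPTIONS
    file_not_found   = 1
    OTHERS           = 2.
IF sy-subrc <> 0.
  MESSAGE 'Logical file name Z_EXPORT is not configured' TYPE 'E'.
ENDIF.
lv_physical = lv_name.

* Step 3: validate the resulting path against the logical name, which
* rejects anything that resolves outside the configured directory.
CALL FUNCTION 'FILE_VALIDATE_NAME'
  EXPORTING
    logical_filename           = 'Z_EXPORT'
    parameter_1                = p_name
  CHANGING
    physical_filename          = lv_physical
  EXCEPTIONS
    logical_filename_not_found = 1
    validation_failed          = 2
    OTHERS                     = 3.
IF sy-subrc <> 0.
  MESSAGE 'File name rejected by validation' TYPE 'E'.
ENDIF.

* Only now is lv_physical safe to open, for input or output as above.
OPEN DATASET lv_physical FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc = 0.
  CLOSE DATASET lv_physical.
ENDIF.
```

The syntactic check alone is what many custom programs rely on, and it is easy to get wrong (encoded separators, platform differences); the logical file name moves the directory decision out of the code and into configuration that Basis controls, which is why SAP added the validation module.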
ABAP Risk Assessment Benchmark Results
Metric                                                       Average per system   Total
Source code lines (LOC, without comments or empty lines)     2,087,618            453,013,210

Domain (critical findings only)   Average per system   Per 1,000 LOC
Security/Compliance                2,150                1.03
Performance                        2,463                1.18
Maintainability                    2,108                1.01
Robustness                         6,618                3.17
Total                             13,339                6.39
Source: CodeProfiler scan of 453 Million lines of custom ABAP® code from 217 SAP systems
(status: Oct 2014)
Cyber-Attacks and System Downtimes Are Key Business Risks Caused by Custom Changes
Custom ABAP apps, custom ABAP code and third-party ABAP add-ons all need testing for:
• Performance
• Robustness
• Maintainability
• Security
• Compliance
• Data Loss Prevention
… because defects in these areas lead to key business risks:
• Cyber-attacks: $7.2 million average cost per case
• Fraud: 5% of revenue lost per year at a typical company
• System downtimes: 14 hours per year per company on average
Sources: Cost of Cyber Crime Study (Ponemon Institute, 2013), Global Fraud Study (ACFE, 2014), The Avoidable Cost of Downtime (CA Technologies, 2010)
Costs of Correcting a Single Defect
• $100 to correct a defect during development
• $1,000 to correct a defect found during QA testing
• $10,000 to correct a defect in production
• $$$: cost of an attack or of the system being down
The earlier the code is repaired, the lower the cost.
What We’ll Cover
• Risks from custom ABAP code
• The realities of ABAP development
• Best practices for ABAP code for security and quality
• Wrap-up
The Evolution of SAP and ABAP Technology
Past:
• Simple, isolated systems
• Fewer users
• Less data
• Less custom development
• Regular but rare releases
Today:
• Complex and open systems
• More users
• More data
• More custom development
• Frequent release cycles
• Reduced staff
Future:
• More complex and open
• Even more users
• Even more data
• Even more development
• Higher-frequency releases
• Even smaller staff
Attack Surface of SAP – Since 2011
[Diagram: the SAP ABAP® system is reached through direct UIs, indirect UIs and external systems]
SAP Security – A Holistic View
• SAP security and quality must be addressed holistically, including custom code
• Custom code can lead to:
  • System failure
  • Hacker access
  • Slow performance
• Business apps must properly enforce business logic (rules)
• GRC and SoD are only effective if they are enforced within application code
[Diagram: layers Business Logic / Business Runtime / Database / Operating System]
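The last two bullets are where the "defective authorization checks" of the benchmark come from: an AUTHORITY-CHECK that is missing, skipped for a hard-coded user, or absent from a function module that is reachable over RFC. The following added example (not code from the presentation or from Virtual Forge) shows the three anti-patterns next to their corrected forms in one report and one RFC-enabled function module; the object names, the user name DEVUSER and the module Z_SEC_READ_BKPF are constructed, while S_TCODE, F_BKPF_BUK and table BKPF are standard SAP objects.

```abap
REPORT zsec_authcheck_demo.
* Added example, not from the original presentation. Assumes the
* standard authorization objects S_TCODE and F_BKPF_BUK and table BKPF.

PARAMETERS p_bukrs TYPE bukrs.

DATA lt_bkpf TYPE STANDARD TABLE OF bkpf.

*--- VULNERABLE (1): CALL TRANSACTION without a check ---------------*
* Typing SU01 at the command line triggers the S_TCODE check; calling
* it from code does not. Every user allowed to run this report can
* now maintain users.
CALL TRANSACTION 'SU01'.

*--- VULNERABLE (2): hard-coded user name ----------------------------*
* A developer back door: the branch never appears in any role or SoD
* rule set, so GRC reports the user as clean while the code waives
* the check.
IF sy-uname = 'DEVUSER'.
  SELECT * FROM bkpf INTO TABLE lt_bkpf WHERE bukrs = p_bukrs.
ELSE.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc = 0.
    SELECT * FROM bkpf INTO TABLE lt_bkpf WHERE bukrs = p_bukrs.
  ENDIF.
ENDIF.

*--- FIXED (1): check the transaction authorization before the call --*
* AUTHORITY_CHECK_TCODE covers S_TCODE plus the additional object
* assigned to the transaction in SE93. Note the inverted return code:
* the module raises the exception OK (sy-subrc = 1) when the user IS
* authorized. On 7.40 and later releases the addition
* CALL TRANSACTION 'SU01' WITH AUTHORITY-CHECK does the same in one
* statement.
CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
  EXPORTING
    tcode  = 'SU01'
  EXCEPTIONS
    ok     = 1
    not_ok = 2
    OTHERS = 3.
IF sy-subrc = 1.
  CALL TRANSACTION 'SU01'.
ELSE.
  MESSAGE 'No authorization for transaction SU01' TYPE 'E'.
ENDIF.

*--- FIXED (2): one code path, one AUTHORITY-CHECK, no user names ----*
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No display authorization for this company code' TYPE 'E'.
ENDIF.
SELECT * FROM bkpf INTO TABLE lt_bkpf WHERE bukrs = p_bukrs.


*--- (3) RFC-enabled function module, in its own function group ------*
* A remote caller only needs S_RFC for the function group to reach
* this module. Nothing checks the business authorization unless the
* module itself does, so the check belongs at the top of the module.
FUNCTION z_sec_read_bkpf.
*"  IMPORTING  VALUE(iv_bukrs) TYPE bukrs
*"  TABLES     et_bkpf STRUCTURE bkpf
*"  EXCEPTIONS not_authorized
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.
  SELECT * FROM bkpf INTO TABLE et_bkpf WHERE bukrs = iv_bukrs.
ENDFUNCTION.
```

The hard-coded sy-uname case is listed as a compliance finding rather than a security one in the benchmark table, but in practice it is the same defect: an authorization decision that lives in code instead of in roles cannot be audited by GRC, and it survives every user and role review.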
Sources of Flaws in ABAP Code
• Manual code reviews/basic testing
• QA testing focused on functional aspects
• Inability to enforce technical coding standards
• External development/third-party add-ons
• Limited/no code change monitoring (during emergencies)
What We’ll Cover
• Risks from custom ABAP code
• The realities of ABAP development
• Best practices for ABAP code for security and quality
• Wrap-up
Best Practices
• Ensure ABAP code quality and security through …
  • Online scanning and correction during development
  • Testing of all delivered code (you are responsible for outsourced and third-party code too!)
  • Automatic scanning of all ABAP changes
Best Practices: Static Online Scanning
• Static code scanning and correction during development
• Define clear code standards and enforce the results
• Give developers the tools they need to test during development
  • Faster feedback means lower cost
  • Provide a recommended remediation approach
• Apply automated corrections for larger clean-up projects
Stop believing that manual reviews are all you need!
Best Practices: Testing All Delivered Code
• Test all code (including outsourced and third-party products)
  • Communicate and enforce SLAs
  • Let everyone know that you will be testing
  • Test all deliverables before beginning functional testing
  • Don't waste time with user testing of inferior code
  • Plan for issues!
Test immediately! Is this code safe enough for your DEV system?
Best Practices: Automatic Code Scanning
• Automatically scan all SAP ABAP code changes
  • Scan all Transport Requests upon release
  • Stop Transport Requests with critical issues
  • Store test results as a compliance audit trail (PCI, PII, SOX, FDA, Basel II, etc.)
• Be ready for emergency corrections
  • Enable override of tests with approval
  • Track who approved exceptions
Continuous Monitoring of ABAP Code Changes
[Diagram: the change path Requirement → Development (DEV) → Test/QA → Production (PRD). Secure SAP programming standards (a general guideline plus ABAP and Java guidelines and specifications) apply to both internal and external development; every change passes through automatic testing before QA, and a change with critical findings can only continue via an exception approval.]
What We’ll Cover
• Risks from custom ABAP code
• The realities of ABAP development
• Best practices for ABAP code for security and quality
• Wrap-up
Where to Find More Information
• www.bizec.org/wiki/Main_Page
  The Business Application Security Initiative (BIZEC) is a non-profit organization with a focus on security defects in business applications
• www.virtualforge.com/en/library/white-papers/whitepaper-the-abap-underverse.html
  Andreas Wiegenstein, "The ABAP Underverse" (Black Hat Briefings, 2011). A Virtual Forge whitepaper on application and ABAP security
• www.virtualforge.com/en/resources/presentations/ensuring-the-security-of-custom-abap-code.html
  Chris Warring and Stephen Lamy, "Best Practices for Ensuring the Security of Custom ABAP Code" (SAP TechEd && d-code, 2014).
7 Key Points to Take Home
• Companies are responsible for their own custom code
• If you can't enforce code quality and security standards consistently, it won't happen
• It's not possible to accurately assess the security of ABAP code through manual reviews alone
• Implementing best practices and corresponding tools early in the development process will lower risk and result in lower TCO
• Do not wait until it's too late! Tighten ABAP security while you can
• Don't forget the 11 most dangerous security vulnerabilities and how testing during development can protect you
• Provide your developers a way to test and correct code easily while they develop
Your Turn!
How to contact me:
Stephen Lamy
Stephen.Lamy@virtualforge.com
@virtual_forge
Please remember to complete your session evaluation
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or
an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective
companies. Wellesley Information Services is neither owned nor controlled by SAP SE.