Is your SAP system vulnerable to cyber attacks?

Produced by Wellesley Information Services,
LLC, publisher of SAPinsider. © 2015 Wellesley
Information Services. All rights reserved.
Is Your SAP System Vulnerable to
Cyber Attacks? Critical Tactics to
Safeguard Your ABAP Applications
Stephen Lamy
Virtual Forge

1
In This Session
• You will learn about specific risks that custom ABAP can
introduce into an SAP system and get proven advice to minimize
ABAP security risks.
• You will:
 Learn about the most dangerous ABAP security vulnerabilities
 View demonstrations to see how an SAP system can be
exploited via ABAP vulnerabilities
 Get insight into the best practices for developing secure and
compliant ABAP code, such as:
 Implementing internal coding guidelines and standards
 Automatically testing all code changes before release

2
What We’ll Cover
• Risks from custom ABAP code
• The realities of ABAP development
• Best practices for ABAP code for security and quality
• Wrap-up

4
The Challenges with Custom ABAP Development
• Espionage or cyber
attack
• Application failure
• System performance
• High development
costs

5
APP/11: The Most Dangerous Security Vulnerabilities
1. ABAP command injection
2. OS command injection
3. Native SQL injection
4. Improper authorization checks
5. Directory traversal
6. Direct database modifications
7. Cross-client database access
8. Open SQL injection
9. Generic module execution
10. Cross-site scripting
11. Obscure ABAP Code
Source: BIZEC APP/11: www.bizec.org

6
The Average SAP Customer System Analyzed Has …
• 1.03 Critical Security/Compliance errors per 1,000 LOC
• 51% probability of an ABAP Command Injection vulnerability
• 70% probability of an open SQL injection vulnerability
• 86% probability of a Directory Traversal vulnerability
• 100% probability of defective Authorization Checks
Source: CodeProfiler scan of 453 Million lines of custom ABAP® code
from 217 SAP systems (status: Oct 2014)

7
Security/Compliance Testing
Test Case Probability per
Scan
Per x LOC
Sec: Missing AUTHORITY-CHECK before CALL TRANS 97% 4,066
Sec: Missing AUTHORITY-CHECK in Reports 96% 6,154
Com: Hard-coded User Name (sy-uname) 91% 8,998
Sec: Directory Traversal (Write Access) 86% 8,960
Sec: Missing AUTHORITY-CHECK in RFC-Enabled Funct 94% 14,347
Com: Cross-Client Access to Business Data 83% 15,254
Sec: Directory Traversal (Read Access) 86% 23,254
Com: Direct Database Modifications 86% 35,016
Source: CodeProfiler scan of 453 Million lines of custom ABAP® code from 217 SAP systems
(status: Oct 2014)

8
ABAP Risk Assessment Benchmark Results
Metric Average Total
Source Code Lines (LOC)
(without comments or empty lines)
2,087,618 453,013,210
Domain – Critical Only Average Per LOC
Security/Compliance 2,150 1.03
Performance 2,463 1.18
Maintainability 2,108 1.01
Robustness 6,618 3.17
Total 13,339 6.39
Source: CodeProfiler scan of 453 Million lines of custom ABAP® code from 217 SAP systems
(status: Oct 2014)

9
Cyber-Attacks and System Downtimes Are Key
Business Risks Caused by Custom Changes
• Performance
• Robustness
• Maintainability
• Security
• Compliance
• Data Loss Prevention
… can lead to key business risks:
Cyber-attacks $7.2 million cost per case in average
Fraud 5% loss in revenue p.a. per typical company
System downtimes 14hrs p.a. per company avg.
Sources: Cost of Cyber Crime Study (Poneomon Institute, 2013), Global Fraud
Study (ACFE, 2014), The Avoidable Cost of Downtime (CA Technologies,
2010)
Custom ABAP Apps …
Custom ABAP Code
Third-Party ABAP add-ons Testing Needed

10
Costs of Correcting a Single Defect
to correct defect during development$100 to correct defect during development$100
to correct defect found during QA testing$1,000 to correct defect found during QA testing$1,000
to correct defect in production$10,000
cost of attack or system down$$$
The earlier the code is repaired, the lower the cost

11
ABAP Security Vulnerability

12
What We’ll Cover
• Wrap-up

13
The Evolution of SAP and ABAP Technology
Past Today Future
• Simple, isolated systems
• Fewer users
• Less data
• Less custom development
• Regular but rare releases
• Complex and open systems
• More users
• More data
• More custom development
• Frequent release cycles
• Reduced staff
• More complex and open
• Even more users
• Even more data
• Even more development
• Higher frequency releases
• Even smaller staff

14
Attack Surface of SAP – 1997
Direct UIs
External
Systems
SAP ABAP® System

15
Attack Surface of SAP – Since 2011
Indirect UIs
External
Systems
Direct UIs
SAP ABAP® System

16
SAP Security – A Holistic View
• SAP security and quality
must be addressed
holistically – including
custom code
• Custom code can lead to:
 System failure
 Hacker access
 Slow performance
• Business apps must
properly enforce Business
Logic (rules)
• GRC and SoD are only
effective if they are
enforced within application
code
Business Logic
Business Runtime
Database
Operating System

17
Sources of Flaws in ABAP Code
• Manual code reviews/basic testing
• QA testing focused on functional aspects
• Inability to enforce technical coding standards
• External development/third-party add-ons
• Limited/no code change monitoring (during emergencies)

18
What We’ll Cover
• Wrap-up

19
Best Practices
• Ensure ABAP code quality and security through …
 Online scanning and correction during development
 Testing of all delivered code (you are responsible for
outsourced and third-party code too!)
 Automatic scanning of all ABAP changes

20
Best Practices: Static Online Scanning
• Static code scanning and correction during development
• Define clear code standards and enforce results
• Give developers the tools they need to test during development
 Faster feedback means lower cost
 Provide recommended remediation approach
• Apply automated corrections for larger clean-up projects
Stop believing that manual reviews are all you need!

21
Best Practices: Testing All Delivered Code
• Testing all code (including outsourced and third-party products)
 Communicate and enforce SLAs
 Let everyone know that you will be testing
 Test all deliverables before beginning functional testing
 Don’t waste time with user testing of inferior code
 Plan for issues!
 Test immediately! Is this code safe enough for your DEV?

22
Best Practices: Automatic Code Scanning
• Automatically scan all SAP ABAP code changes
 Scan all Transport Requests upon release
 Stop Transport Requests with critical issues
 Store test results as for compliance audit trail
 PCI, PII, SOX, FDA, Basil II, etc.
 Be ready for emergency corrections
 Enable override of tests with approval
 Track who approved exceptions

23
Continuous Monitoring of ABAP Code Changes
PRDDEV
Development Test/QA ProductionRequirement
SICHERE SAP PROGRAMMIERUNG
ABAP
Guideline
Java
Guideline
ABAP
Spezifikation
Java
Spezifikation
Generelle
Guideline
Interne
Entwicklung
Externe
Entwicklung
Automatic
Testing
QA
Exception
Approval?

24
Recommended Testing
• Security
• Compliance
• Data Loss Prevention
• Performance
• Robustness
• Maintainability

25
What We’ll Cover
• Wrap-up

26
ABAP Security Vulnerability

27
Where to Find More Information
• www.bizec.org/wiki/Main_Page
 The Business Application Security Initiative (BIZEC) is a non-profit
organization with a focus on security defects in business applications
• www.virtualforge.com/en/library/white-papers/whitepaper-the-abap-
underverse.html
 Andreas Wiegenstein, “The ABAP Underverse” (BlackHat Briefings,
2011).
 A Virtual Forge whitepaper on application and ABAP security
• www.virtualforge.com/en/resources/presentations/ensuring-the-security-
of-custom-abap-code.html
 Chris Warring and Stephen Lamy, “Best Practices for Ensuring the
Security of Custom ABAP Code” (SAP TechEd && d-code, 2014).

28
7 Key Points to Take Home
• Companies are responsible for their own custom code
• If you can’t enforce code quality and security standards
consistently, it won’t happen
• It’s not possible to accurately assess the security of ABAP code
through manual reviews alone
• Implementing best practices and corresponding tools early in the
development process will lower risk and result in lower TCO

29
7 Key Points to Take Home (cont.)
• Do not wait until it’s too late!
 Tighten ABAP security while you can
• Don’t forget the 11 most dangerous security vulnerabilities and
how testing during development can protect you
• Provide your developers a way to test and correct code easily
while they develop

30
Your Turn!
How to contact me:
Stephen Lamy
Stephen.Lamy@virtualforge.com
@virtual_forge
Please remember to complete your session evaluation

31
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or
an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective
companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

Is your SAP system vulnerable to cyber attacks?

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Is your SAP system vulnerable to cyber attacks?

Ähnlich wie Is your SAP system vulnerable to cyber attacks? (20)

Mehr von Virtual Forge

Mehr von Virtual Forge (14)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Is your SAP system vulnerable to cyber attacks?