Best Practices for Ensuring SAP ABAP Code Quality and Security
Description: Virtual Forge presentation on best practices at #SAPPHIRENOW #ASUG2013
Transcript
Best Practices for Ensuring ABAP Code Quality and Security
David Chapman, Vice President of Sales, iT Services 2
Stephen Lamy, Managing Director, Virtual Forge
2nd Generation SAP Consulting Firm
Focused on SAP since 1996
Senior, principal and platinum level expertise
Virtual Forge Sales and Services Business partner since 2012
“We’ve partnered with Virtual Forge because we value their
commitment to excellence and their deep SAP expertise.
Virtual Forge mirrors iT2 values and culture.”
Lynne McGrew CEO, iT Services 2
Founded in 2001
CodeProfiler released 2008
Patented Data and Control Flow Static Analysis for ABAP
Heidelberg, Weimar and Philadelphia
Experts in the field of SAP® application security and quality
1. Drivers for Change: ABAP Application Landscape
2. Today’s Practices?
3. BEST Practices
4. Benefits Summary
The Evolution of the SAP Landscape
In the past:
• Isolated systems
• Long release cycles
• Few attack vectors
• Security using firewalls
Today:
• Open systems
• Frequent release cycles
• Network boundaries disappearing
• Cloud-based applications
• Hacker attacks
Future:
• Open systems
• High frequency releases
• Interconnected networks
• IT espionage
• Cyber attacks & espionage
The Attack Surface of ABAP: 1997
The Attack Surface of ABAP: 2002
The Attack Surface of ABAP: since 2007
Little/no technical specifications
Manual/Basic code reviews
Testing focused on functional aspects
External/3rd Party development
Limited/no code change monitoring
Source of Defects
Cyberattacks
Data theft/Fraud
Industrial espionage
Loss of image
System failures
Business Risks
$100 to correct a defect during development
$1,000 to correct a defect found in QA testing
$10,000 to correct a defect in production
$$$$$ cost of an attack or system down
Cost to Business
614 as of September 1, 2012
What are you doing to ensure the quality of your custom code?
SAP's Increased Focus on Security
1. Drivers for Change: ABAP Application Landscape
2. Today’s Practices?
3. BEST Practices
4. Benefits Summary
1. Companies are responsible for their own custom code.
2. If you can’t enforce code quality and security standards consistently, it won’t work.
Important Rules to Remember
One solution, many capabilities
Who is responsible for the code?
• Developers: test ABAP™ code for defects fast and reliably by performing on-line scanning as needed during development
• IT and Security Responsibles: test applications for full transparency of the ABAP code quality in their SAP® systems
• Development and Project Managers: ensure that internally and externally developed applications and third-party solutions meet pre-defined security and quality criteria
One solution, many capabilities
Who is checking?
• Auditors and Controllers: are provided full transparency of security and compliance risks in SAP® systems
• Software Companies and SAP® Partners: ensure and document the code quality of their solutions
• Purchasers: check deliverables against pre-defined quality criteria within the scope of tenders with "a click of a button"
How ABAP code reviews are often done today:
• Manual code reviews
• Using top programming resources for reviews
• Using basic tools with limited testing and a lot of false-positive findings
• No effective technical code testing at all!
Today's Practices?
Manual Code Reviews:
– Use valuable development resources
– Delay project release (or accept lower quality)
– Limited effectiveness due to program complexity
– Feedback too late in the development cycle
  • Performance/failures in production
  • Higher cost of remediation
– Few/no defined security & quality standards
  • Styles and techniques vary by reviewer/developer
Today's Practices?
Basic ABAP Testing Tools:
– Limited (and weak) testing, e.g. pattern recognition
– Not comprehensive for security and quality
– Not integrated with the ABAP Development Workbench
  • No on-line scanning during development
  • Higher TCO for manual corrections
  • No documentation/navigation for efficient remediation
– Inaccurate results (high false-positive rate)
  • Loss of time spent evaluating
  • Loss of credibility for the tool
– Slow / batch / offline
Today's Practices?
1. Drivers for Change: ABAP Application Landscape
2. Today’s Practices?
3. BEST Practices
4. Benefits Summary
Best Practices for Ensuring ABAP Code Quality and Security
1. Online Scanning and Correction during Development
2. Testing of all Outsourced Deliverables (you are responsible!)
3. Automatic Scanning and Correction of SAP ABAP Changes
4. Static Code Analysis for ABAP
Source: Success Story with Linde, www.virtualforge.com
Best Practices
Online Scanning and Correction during Development
– Define clear code standards, train, and test results!
– Enable online scanning during development
  • Developers scan during unit testing for immediate feedback
  • Fast remediation
– Automatic code correction
– Provide detailed documentation for developer training and instructions for remediation
"Since we've been using Virtual Forge CodeProfiler, developers have become more aware and are delivering better quality code." Stephan Sachs
Manager for Application Security
Best Practices: In-house Development
Best Practices: Data and Control Flow Analysis
Testing of all Outsourced Deliverables
– Communicate and enforce SLAs
  • Let them know that you will be testing
– Test all deliverables before beginning functional testing
  • Don't waste time functionally testing inferior code
  • Recommend 2-4 weeks prior (at least)
– Test immediately? Is this code safe enough for your DEV system?
– Decide who will be responsible for corrections beforehand
  • Plan for remediation activities: who is responsible for corrections
"Using CodeProfiler software for verifying all 3rd party code has revolutionized our way of working… We now have gained control over the coding quality and security risks."
Roderik Mooren, IT Director Services
Best Practices: Outsourced Development
Security Tests
QA Tests
Security
ABAP™ Command Injection
OS Command Execution
SQL Injection
Broken Authority Checks
Hard‐Coded Usernames
...
Performance
Usage of WAIT Command
Usage of SELECT *
Nested Loop
Incomplete Index
...
Data Loss Prevention
Disclosure of Critical Data
Disclosure of Source Code
Maintenance of sensitive data
…
Maintainability & Robustness
Naming Conventions
Nested Macro Calls
Hard‐coded Org Units
Insufficient Error Handling
...
CodeProfiler (patented, all rights reserved)
Best Practice: Comprehensive Testing
Security Performance Quality
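Two of the security finding classes listed above, SQL injection and broken authority checks, shown in ABAP. This is an added example, not code from the deck or from Virtual Forge: a dynamic WHERE clause built from a selection-screen value in its vulnerable form, followed by the hardened form. The table ZCUSTOMER, its fields and the authorisation object Z_CUST_RD are hypothetical; cl_abap_dyn_prg=>quote and AUTHORITY-CHECK are standard ABAP.

```abap
"--- Added example (not from the deck or Virtual Forge): dynamic WHERE
"--- clause from user input, vulnerable form then hardened form.
"--- ZCUSTOMER, its fields and authorisation object Z_CUST_RD are hypothetical.
REPORT zvf_dyn_where_demo.

PARAMETERS p_name TYPE c LENGTH 40 LOWER CASE.

TYPES: BEGIN OF ty_cust,
         name         TYPE c LENGTH 40,
         credit_limit TYPE p LENGTH 15 DECIMALS 2,
       END OF ty_cust.
DATA lt_cust TYPE STANDARD TABLE OF ty_cust.

" VULNERABLE (what a data/control-flow scanner flags as SQL injection):
" p_name flows unchanged into the WHERE clause. A value containing a
" single quote ends the literal early and the rest of the input is parsed
" as part of the condition, so the SELECT can return rows the user was
" never meant to see. There is also no authority check before the read.
DATA(lv_where_bad) = |name = '{ p_name }'|.
SELECT name, credit_limit FROM zcustomer
  WHERE (lv_where_bad)
  INTO TABLE @lt_cust.

" HARDENED: AUTHORITY-CHECK before the read ("Broken Authority Checks"
" finding class) and cl_abap_dyn_prg=>quote( ) for the value. quote( )
" wraps the value in single quotes and doubles any quote inside it, so the
" input can only ever be interpreted as a literal, never as SQL syntax.
AUTHORITY-CHECK OBJECT 'Z_CUST_RD'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No authorisation to read customer data' TYPE 'E'.
ENDIF.
" CONV string drops the trailing blanks of the fixed-length parameter.
DATA(lv_where_ok) = |name = { cl_abap_dyn_prg=>quote( CONV string( p_name ) ) }|.
SELECT name, credit_limit FROM zcustomer
  WHERE (lv_where_ok)
  INTO TABLE @lt_cust.

" Output for the demo report.
LOOP AT lt_cust INTO DATA(ls_cust).
  WRITE: / ls_cust-name, ls_cust-credit_limit.
ENDLOOP.
```

A data- and control-flow analyser of the kind the deck describes traces p_name from the selection screen into the WHERE clause of the first SELECT and reports it; the second SELECT is reached only through quote( ) and after the authority check, so it is not reported.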
ABAP Firewall: Automatic Scanning of all SAP ABAP Changes
– Scan all Transport Requests upon release
– Stop Transport Requests with defects: do not allow release
– Compliance testing and audit trail
  • PCI, PII, SOX, FDA, Basel II, etc.
– Ready for emergency corrections
  • Bypass Firewall with approval
  • Track flaws for remediation later
"One of the key requirements was to defend our SAP systems against the project teams. Together with Virtual Forge we have been able to enforce sustainability for code quality and security." Markus Seibel,
GM IT Business Services
Best Practices: Automatic Code Scanning
ABAP Firewall: Automatic Scanning of all SAP ABAP Changes
Best Practices: Automatic Code Scanning
1. Drivers for Change: ABAP Application Landscape
2. Today’s Practices?
3. BEST Practices
4. Benefits Summary
Lower Risk: detect and support remediation of vulnerabilities
  • Cyberattacks/Espionage
  • Performance/System failures
  • Data Theft/Fraud/Loss
– Test in-/out-sourced development and 3rd party add-ons
  • Enforces standards for all development deliverables
  • Clear and enforceable definition of programming standards
– Ensure all ABAP code changes meet Compliance and Audit requirements
Benefits of Best Practices
Lower TCO
• Find problems earlier in the SDLC = lower cost to remediate a defect
• Better quality code (maintainability, performance, robustness) = lower test and maintenance costs
• Reduce review & testing times = faster delivery of new applications
• Automate scanning and review = less use of (expensive) development resources
• Online scanning & remediation support for faster resolution = less time for corrections and repair
• Better quality code = fewer SAP production system issues
Benefits of Best Practices
Take the Test!
Complimentary Scan: Virtual Forge CodeProfiler
see www.virtualforge.com
• Summary of findings
• Prioritization of found vulnerabilities
• Specific examples of findings from your own code
• Code metrics
• Benchmark (on request)
Scan areas: Robustness & Maintainability, Performance, Data Loss Prevention, Security & Compliance
Your ABAP™ code
Getting Started: Complimentary Scan
Thank You!
David Chapman
Telephone: 214-303-9690
Stephen Lamy
Telephone: 610-864-0261
© 2012 Virtual Forge Inc | www.virtualforge.com | All rights reserved.
Excellence in SAP Consulting | www.itservices2.com
Disclaimer
© 2012 Virtual Forge Inc. All rights reserved.
SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG. All other product and service
names mentioned are the trademarks of their respective companies.
Information contained in this publication is subject to change without prior notice. It is provided by
Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or
incomplete information in this publication. Information contained in this publication does not imply any
further liability.
Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.
THANK YOU FOR PARTICIPATING
Please provide feedback on this session by completing a short survey via the event mobile
application.
SESSION CODE: 0814
For ongoing education on this area of focus, visit www.ASUG.com