Best Practices for Ensuring ABAP Code Quality and Security

David Chapman, Vice President of Sales, iT Services 2
Stephen Lamy, Managing Director, Virtual Forge


Page 1: ABAP Code Quality and Security - Virtual Forge

Best Practices for Ensuring ABAP Code Quality and Security

David Chapman, Vice President of Sales, iT Services 2
Stephen Lamy, Managing Director, Virtual Forge

Page 2:

iT Services 2

• 2nd generation SAP consulting firm
• Focused on SAP since 1996
• Senior, principal and platinum level expertise
• Virtual Forge sales and services business partner since 2012

"We've partnered with Virtual Forge because we value their commitment to excellence and their deep SAP expertise. Virtual Forge mirrors iT2 values and culture."
Lynne McGrew, CEO, iT Services 2

Page 3:

Virtual Forge

• Founded in 2001
• CodeProfiler released 2008
• Patented data and control flow static analysis for ABAP
• Heidelberg, Weimar and Philadelphia
• Experts in the field of SAP application security and quality

Page 4:

1. Drivers for Change: ABAP Application Landscape
2. Today's Practices?
3. Best Practices
4. Benefits Summary

Page 5: Section divider

1. Drivers for Change: ABAP Application Landscape

Page 6:

The Evolution of the SAP Landscape

In the past:
• Isolated systems
• Long release cycles
• Few attack vectors
• Security using firewalls

Today:
• Open systems
• Frequent release cycles
• Network boundaries disappearing
• Cloud-based applications
• Hacker attacks

Future:
• Open systems
• High frequency releases
• Interconnected networks
• IT espionage
• Cyber attacks and espionage

Page 7:

The Attack Surface of ABAP: 1997 (diagram)

Page 8:

The Attack Surface of ABAP: 2002 (diagram)

Page 9:

The Attack Surface of ABAP: since 2007 (diagram)

Page 10:

Source of Defects

• Little/no technical specifications
• Manual/basic code reviews
• Testing focused on functional aspects
• External/3rd party development
• Limited/no code change monitoring

Page 11:

Business Risks

• Cyberattacks
• Data theft/fraud
• Industrial espionage
• Loss of image
• System failures

Page 12:

Cost to Business

Cost to correct a defect found during development: $100
Cost to correct a defect found in QA testing: $1,000
Cost to correct a defect in production: $10,000
Cost of an attack or a system outage: $$$$$

Page 13: Section divider

2. Today's Practices?

Page 14:

Important Rules to Remember

1. Companies are responsible for their own custom code.
2. If you can't enforce code quality and security standards consistently, it won't work.

Page 15:

One solution, many capabilities: who is responsible for the code?

Developers
Test ABAP code for defects fast and reliably by performing online scanning as needed during development.

IT and Security Responsibles
Test applications for full transparency of the ABAP code quality in their SAP systems.

Development and Project Managers
Ensure that internally and externally developed applications and third-party solutions meet pre-defined security and quality criteria.

Page 16:

One solution, many capabilities: who is checking?

Auditors and Controllers
Are provided full transparency of security and compliance risks in SAP systems.

Software Companies and SAP Partners
Ensure and document the code quality of their solutions.

Purchasers
Check deliverables against pre-defined quality criteria within the scope of tenders "with a click of a button".

Page 17:

Today's Practices?

How ABAP code reviews are often done today:
• Manual code reviews
• Using top programming resources for reviews
• Using basic tools with limited testing and a lot of false-positive findings
• No effective technical code testing at all!

Page 18:

Today's Practices?

Manual code reviews:
• Use valuable development resources
• Delay project release (or accept lower quality)
• Limited effectiveness due to program complexity
• Feedback too late in the development cycle
  • Performance problems/failures in production
  • Higher cost of remediation
• Few/no defined security and quality standards
  • Styles and techniques vary by reviewer/developer

Page 19:

Today's Practices?

Basic ABAP testing tools:
• Limited (and weak) testing, e.g. pattern recognition
• Not comprehensive for security and quality
• Not integrated with the ABAP Development Workbench
  • No online scanning during development
  • Higher TCO for manual corrections
  • No documentation/navigation for efficient remediation
• Inaccurate results (high false-positive rate)
  • Time lost evaluating findings
  • Loss of credibility for the tool
• Slow / batch / offline

Page 20: Section divider

3. Best Practices

Page 21:

Best Practices

Best practices for ensuring ABAP code quality and security:
1. Online scanning and correction during development
2. Testing of all outsourced deliverables (you are responsible!)
3. Automatic scanning and correction of SAP ABAP changes
4. Static code analysis for ABAP

Source: Success Story with Linde, www.virtualforge.com

Page 22:

Best Practices: In-house Development

Online scanning and correction during development:
• Define clear code standards, train, and test the results!
• Enable online scanning during development
  • Developers scan during unit testing for immediate feedback
  • Fast remediation
• Automatic code correction
• Provide detailed documentation for developer training and instructions for remediation

"Since we've been using Virtual Forge CodeProfiler, developers have become more aware and are delivering better quality code."
Stephan Sachs, Manager for Application Security

Page 23:

Best Practices: Data and Control Flow Analysis

The slide traces one value through the two methods below:
• Input: request->get_form_field( ) in METHOD read
• Stored in variable s_html
• Passed on to another method and variable: s_data in METHOD process
• Modified and copied to another variable: s_out
• Passed on to a dangerous function: out->print_string( ), the output

Code shown on the slide (the request object is declared but never assigned on the slide; in a complete BSP element class it would presumably be obtained from the runtime):

  METHOD read.
    DATA: request TYPE REF TO if_http_request.
    DATA: s_html  TYPE string.
    DATA: event   TYPE string.
    " Input: untrusted data from the HTTP request, stored in s_html
    s_html = request->get_form_field( 'mydata' ).
    " Passed on to another method and variable (s_html becomes s_data)
    CALL METHOD me->process
      EXPORTING
        s_data = s_html.
    RETURN.
  ENDMETHOD.

  METHOD process.
    DATA: s_out TYPE string.
    DATA: out   TYPE REF TO if_bsp_writer.
    " Modified and copied to another variable: wrapped in tags, never HTML-encoded
    CONCATENATE `<b>` s_data `</b>` INTO s_out.
    out = me->get_previous_out( ).
    " Passed on to a dangerous function: raw HTML written to the page
    out->print_string( s_out ).
  ENDMETHOD.

No encoding happens anywhere on this path, so whatever the caller puts into the mydata form field is written verbatim into the HTML response, the classic cross-site scripting pattern. A check that looks at either method on its own sees only a string being printed; the call edge from read to process is what turns the two fragments into a finding, and following such edges is the job of data and control flow analysis.
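The hops listed above are what a data and control flow analysis computes automatically: taint enters at a source, survives copies and concatenation, crosses a method call through its parameter, and is reported when it reaches a sink. The following Python program is an added example, not CodeProfiler's or Virtual Forge's code: it transcribes the slide's two methods into a small hand-written intermediate representation and walks it the way such an analysis does, recording each hop, then runs the same walk over an assumed hardened variant in which s_data is HTML-encoded with ABAP's escape( ) built-in before the CONCATENATE. The IR format, the hardened variant and the hop labels are my assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Hand-written IR for the two methods on the slide (assumption: a toy model for
# this example, not CodeProfiler's internal representation). Statement kinds:
#   ("source",   var, origin)           var receives untrusted input
#   ("assign",   dst, [operands])       dst is copied or built from operands
#   ("sanitize", dst, src, how)         dst is an encoded copy of src, clean for the HTML sink
#   ("call",     method, {param: arg})  arg is passed into method's parameter
#   ("sink",     name, arg)             arg reaches a dangerous function
Statement = Tuple

SLIDE_PROGRAM: Dict[str, List[Statement]] = {
    "read": [
        ("source", "s_html", "request->get_form_field( 'mydata' )"),
        ("call", "process", {"s_data": "s_html"}),
    ],
    "process": [
        ("assign", "s_out", ["`<b>`", "s_data", "`</b>`"]),  # CONCATENATE ... INTO s_out
        ("assign", "out", ["me->get_previous_out( )"]),
        ("sink", "out->print_string", "s_out"),
    ],
}

# Assumed hardened variant: the value is HTML-encoded before it is concatenated.
HARDENED_PROGRAM: Dict[str, List[Statement]] = {
    "read": SLIDE_PROGRAM["read"],
    "process": [
        ("sanitize", "s_safe", "s_data",
         "escape( val = s_data format = cl_abap_format=>e_html_text )"),
        ("assign", "s_out", ["`<b>`", "s_safe", "`</b>`"]),
        ("assign", "out", ["me->get_previous_out( )"]),
        ("sink", "out->print_string", "s_out"),
    ],
}


def is_literal(operand: str) -> bool:
    """Backtick or single-quoted operands are constants and never carry taint."""
    return operand[:1] in ("`", "'")


def analyze(program: Dict[str, List[Statement]], method: str,
            tainted_params: Optional[Dict[str, List[str]]] = None,
            call_stack: Tuple[str, ...] = ()) -> List[List[str]]:
    """Return every source-to-sink path reachable from `method`, one list of hops per path.

    `taint` maps a variable to the hops that made it untrusted; assigning only
    clean operands to a variable removes it from the map again.
    """
    if method in call_stack:  # do not loop on recursive calls
        return []
    taint: Dict[str, List[str]] = dict(tainted_params or {})
    findings: List[List[str]] = []
    for stmt in program.get(method, []):
        kind = stmt[0]
        if kind == "source":
            _, var, origin = stmt
            taint[var] = [f"{method}: {var} = {origin}   (input)"]
        elif kind == "assign":
            _, dst, operands = stmt
            tainted = [op for op in operands if not is_literal(op) and op in taint]
            if tainted:
                taint[dst] = taint[tainted[0]] + [
                    f"{method}: {dst} built from {tainted[0]}   (modified and copied)"]
            else:
                taint.pop(dst, None)  # overwritten with clean data
        elif kind == "sanitize":
            _, dst, _src, _how = stmt
            taint.pop(dst, None)  # the encoded copy is clean for the HTML sink only
        elif kind == "call":
            _, callee, args = stmt
            passed = {param: taint[arg] + [
                          f"{method}: {callee}( {param} = {arg} )   (passed to another method)"]
                      for param, arg in args.items() if arg in taint}
            if passed:  # interprocedural step: continue in the callee with its tainted parameters
                findings.extend(analyze(program, callee, passed, call_stack + (method,)))
        elif kind == "sink":
            _, name, arg = stmt
            if arg in taint:
                findings.append(taint[arg] + [f"{method}: {name}( {arg} )   (dangerous function)"])
    return findings


def report(program: Dict[str, List[Statement]], entry: str = "read") -> str:
    """Human-readable listing of the paths found from `entry`."""
    paths = analyze(program, entry)
    if not paths:
        return "no untrusted data reaches a dangerous function"
    return "\n".join(f"finding {i}:\n  " + "\n  ".join(p) for i, p in enumerate(paths, 1))


if __name__ == "__main__":
    print(report(SLIDE_PROGRAM))
    print(report(HARDENED_PROGRAM))
```

On the slide's program the walk reports one path of four hops, from the form field in read to print_string( ) in process; on the hardened variant it reports nothing, because the value that reaches the CONCATENATE is the encoded copy. The sanitize step clears taint only because the sink is HTML output: an HTML-encoded value passed into a dynamic WHERE clause would still be an SQL injection, so a real analysis keys its sanitizers to sink types rather than treating any encoding as a universal cleaner.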

Page 24:

Best Practices: Outsourced Development

Testing of all outsourced deliverables:
• Communicate and enforce SLAs
  • Let them know that you will be testing
• Test all deliverables before beginning functional testing
  • Don't waste time functionally testing inferior code
  • Recommended: 2-4 weeks prior (at least)
• Test immediately? Is this code safe enough for your DEV system?
• Decide beforehand who will be responsible for corrections
  • Plan for remediation activities: who is responsible for corrections

"Using CodeProfiler software for verifying all 3rd party code has revolutionized our way of working... We now have gained control over the coding quality and security risks."
Roderik Mooren, IT Director Services

Page 25:

Best Practice: Comprehensive Testing

CodeProfiler (patented) test classes: security, performance and quality.

Security tests

Security:
• ABAP command injection
• OS command execution
• SQL injection
• Broken authority checks
• Hard-coded usernames
• ...

Data loss prevention:
• Disclosure of critical data
• Disclosure of source code
• Maintenance of sensitive data

QA tests

Performance:
• Usage of the WAIT command
• Usage of SELECT *
• Nested loops
• Incomplete index
• ...

Maintainability and robustness:
• Naming conventions
• Nested macro calls
• Hard-coded org units
• Insufficient error handling
• ...
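Several entries in this catalogue (SELECT *, WAIT, hard-coded user names and org units, CALL 'SYSTEM') are syntactic and can be found by pattern matching, the technique the earlier slide criticises for its false positives. The Python checker below is an added example and not the product's rule set: it implements a handful of the listed checks as regular expressions, strips ABAP comments first (a `*` in column 1 or a `"` outside a string literal) so that commented-out code is not reported, and runs over a constructed ABAP snippet. The patterns, the check names and the sample program are my assumptions.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    line: int
    category: str
    check: str
    text: str


# Assumed patterns for a subset of the check classes on the slide (not the product's rules).
CHECKS: List[Tuple[str, str, re.Pattern]] = [
    ("Security", "OS command execution",
     re.compile(r"\bCALL\s+'SYSTEM'|\bCALL\s+FUNCTION\s+'SXPG_COMMAND_EXECUTE'", re.I)),
    ("Security", "Dynamic WHERE clause (possible SQL injection)",
     re.compile(r"\bWHERE\s+\(\s*\w+\s*\)", re.I)),
    ("Security", "Hard-coded username",
     re.compile(r"\bSY-UNAME\s*(=|EQ|<>|NE)\s*'[^']*'", re.I)),
    ("Security", "ABAP command injection sink",
     re.compile(r"\bGENERATE\s+SUBROUTINE\s+POOL\b|\bINSERT\s+REPORT\b", re.I)),
    ("Performance", "Usage of WAIT",
     re.compile(r"\bWAIT\s+UP\s+TO\b", re.I)),
    ("Performance", "Usage of SELECT *",
     re.compile(r"\bSELECT\s+\*\s+FROM\b", re.I)),
    ("Maintainability & Robustness", "Hard-coded org unit",
     re.compile(r"(BUKRS|WERKS)\s*(=|EQ)\s*'\d{4}'", re.I)),
]


def strip_comment(line: str) -> str:
    """Remove ABAP comments so that commented-out code is not reported.

    A '*' in column 1 comments out the whole line; a '"' outside a literal
    comments out the rest of the line. Literal delimiters tracked: ' ` |
    (embedded expressions inside |...| templates are not parsed).
    """
    if line.startswith("*"):
        return ""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", "`", "|"):
            quote = ch
        elif ch == '"':
            return line[:i]
    return line


def scan(source: str) -> List[Finding]:
    """Run every check over every non-comment line; one Finding per (line, check) hit."""
    findings: List[Finding] = []
    for number, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        if not code.strip():
            continue
        for category, check, pattern in CHECKS:
            if pattern.search(code):
                findings.append(Finding(number, category, check, raw.strip()))
    return findings


# Constructed ABAP snippet exercising the checks (not code from the deck).
SAMPLE_ABAP = """\
REPORT zdemo_checks.
* SELECT * FROM mara INTO TABLE lt_mara.   commented out, must not be reported
DATA: lv_where TYPE string,
      lt_mara  TYPE TABLE OF mara.
lv_where = |MATNR = '{ p_matnr }'|.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).
IF sy-uname = 'DEVELOPER'.
  WAIT UP TO 5 SECONDS.
ENDIF. " TODO: the SELECT * FROM above needs a field list
IF lv_bukrs = '1000'.
  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.
ENDIF.
"""


def format_report(findings: List[Finding]) -> str:
    """One line per finding: line number, category, check and the offending statement."""
    return "\n".join(f"line {f.line:>3} [{f.category}] {f.check}: {f.text}" for f in findings)


if __name__ == "__main__":
    print(format_report(scan(SAMPLE_ABAP)))
```

On the sample the checker reports six findings on lines 6, 7, 8, 10 and 11 and nothing for the commented-out SELECT on line 2 or the inline comment on line 9. The dynamic WHERE check also shows the limit of the approach: the pattern fires on every parenthesised WHERE, but only a flow analysis can tell whether lv_where was built from user input or from constants, so on real code this rule either over-reports or has to be downgraded to a hint.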

Page 26:

Best Practices: Automatic Code Scanning

ABAP Firewall: automatic scanning of all SAP ABAP changes
• Scan all transport requests upon release
• Stop transport requests with defects: do not allow release
• Compliance testing and audit trail
  • PCI, PII, SOX, FDA, Basel II, etc.
• Ready for emergency corrections
  • Bypass the firewall with approval
  • Track flaws for remediation later

"Using CodeProfiler we can ensure transparency with regard to the quality of our ABAP development."
Kai-Uwe Beifuß, SAP Applications

Page 27:

Best Practices: Automatic Code Scanning

ABAP Firewall: automatic scanning of all SAP ABAP changes (diagram)

Page 28: Section divider

4. Benefits Summary

Page 29:

Benefits of Best Practices: Lower Risk

• Detect and support remediation of vulnerabilities
  • Cyberattacks/espionage
  • Performance problems/system failures
  • Data theft/fraud/loss
• Test in-sourced and outsourced development and 3rd party add-ons
  • Enforces standards for all development deliverables
  • Clear and enforceable definition of programming standards
• Ensure all ABAP code changes meet compliance and audit requirements

Page 30:

Benefits of Best Practices: Lower TCO

• Find problems earlier in the SDLC = lower cost to remediate a defect
• Better quality code (maintainability, performance, robustness) = lower test and maintenance costs
• Reduce review and testing times = faster delivery of new applications
• Automate scanning and review = less use of (expensive) development resources
• Online scanning and remediation support for faster resolution = less time for corrections and repair
• Better quality code = fewer SAP production system issues

Page 31:

Getting Started: Complimentary Scan

Take the test! Complimentary scan with Virtual Forge CodeProfiler, see www.virtualforge.com

Your ABAP code is checked for:
• Security and compliance
• Data loss prevention
• Performance
• Robustness and maintainability

You receive:
• Summary of findings
• Prioritization of found vulnerabilities
• Specific examples of findings from your own code
• Code metrics
• Benchmark (on request)

Page 32:

Thank You!

David Chapman

[email protected]

Telephone: 214-303-9690

Stephen Lamy

[email protected]

Telephone: 610-864-0261

Page 33:

© 2012 Virtual Forge Inc | www.virtualforge.com | All rights reserved. Excellence in SAP Consulting www.itservices2.com

Disclaimer

© 2012 Virtual Forge Inc. All rights reserved.

SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are the trademarks of their respective companies.

Information contained in this publication is subject to change without prior notice. It is provided by Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in this publication. Information contained in this publication does not imply any further liability.

Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.

Page 34:

THANK YOU FOR PARTICIPATING

Please provide feedback on this session by completing a short survey via the event mobile application.

SESSION CODE: 0814

For ongoing education on this area of focus, visit www.ASUG.com