is your sap system vulnerable to cyber attacks?
TRANSCRIPT
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2015 Wellesley
Information Services. All rights reserved.
Is Your SAP System Vulnerable to Cyber Attacks? Critical Tactics to Safeguard Your ABAP Applications
Stephen LamyVirtual Forge
1
In This Session
• You will learn about specific risks that custom ABAP can introduce into an SAP system and get proven advice to minimize ABAP security risks.
• You will: Learn about the most dangerous ABAP security vulnerabilities View demonstrations to see how an SAP system can be
exploited via ABAP vulnerabilities Get insight into the best practices for developing secure and
compliant ABAP code, such as: Implementing internal coding guidelines and standards Automatically testing all code changes before release
2
What We’ll Cover
• Risks from custom ABAP code• The realities of ABAP development• Best practices for ABAP code for security and quality• Wrap-up
3
ABAP Security Vulnerability
4
The Challenges with Custom ABAP Development
• Espionage or cyber attack
• Application failure• System performance• High development
costs
5
APP/11: The Most Dangerous Security Vulnerabilities
1. ABAP command injection2. OS command injection3. Native SQL injection4. Improper authorization checks5. Directory traversal6. Direct database modifications7. Cross-client database access8. Open SQL injection9. Generic module execution10. Cross-site scripting11. Obscure ABAP CodeSource: BIZEC APP/11: www.bizec.org
6
The Average SAP Customer System Analyzed Has …
• 1.03 Critical Security/Compliance errors per 1,000 LOC• 51% probability of an ABAP Command Injection vulnerability• 70% probability of an open SQL injection vulnerability• 86% probability of a Directory Traversal vulnerability• 100% probability of defective Authorization Checks
Source: CodeProfiler scan of 453 Million lines of custom ABAP® code from 217 SAP systems (status: Oct 2014)
7
Security/Compliance Testing
Test Case Probability per Scan
Per x LOC
Sec: Missing AUTHORITY-CHECK before CALL TRANS 97% 4,066
Sec: Missing AUTHORITY-CHECK in Reports 96% 6,154Com: Hard-coded User Name (sy-uname) 91% 8,998Sec: Directory Traversal (Write Access) 86% 8,960Sec: Missing AUTHORITY-CHECK in RFC-Enabled Funct 94% 14,347Com: Cross-Client Access to Business Data 83% 15,254Sec: Directory Traversal (Read Access) 86% 23,254Com: Direct Database Modifications 86% 35,016
Source: CodeProfiler scan of 453 Million lines of custom ABAP® code from 217 SAP systems (status: Oct 2014)
8
ABAP Risk Assessment Benchmark Results
Metric Average TotalSource Code Lines (LOC)(without comments or empty lines)
2,087,618 453,013,210
Domain – Critical Only Average Per LOCSecurity/Compliance 2,150 1.03Performance 2,463 1.18Maintainability 2,108 1.01Robustness 6,618 3.17Total 13,339 6.39
Source: CodeProfiler scan of 453 Million lines of custom ABAP® code from 217 SAP systems (status: Oct 2014)
9
Cyber-Attacks and System Downtimes Are Key Business Risks Caused by Custom Changes
• Performance
• Robustness
• Maintainability
• Security
• Compliance
• Data Loss Prevention
… can lead to key business risks:
Cyber-attacks $7.2 million cost per case in averageFraud 5% loss in revenue p.a. per typical companySystem downtimes 14hrs p.a. per company avg.Sources: Cost of Cyber Crime Study (Poneomon Institute, 2013), Global Fraud Study (ACFE, 2014), The Avoidable Cost of Downtime (CA Technologies, 2010)
Custom ABAP Apps …
Custom ABAP Code
Third-Party ABAP add-ons Testing Needed
10
Costs of Correcting a Single Defect
to correct defect during development$100 to correct defect during development$100
to correct defect found during QA testing$1,000 to correct defect found during QA testing$1,000
to correct defect in production$10,000
cost of attack or system down$$$
The earlier the code is repaired, the lower the cost
11
ABAP Security Vulnerability
12
What We’ll Cover
• Risks from custom ABAP code• The realities of ABAP development• Best practices for ABAP code for security and quality• Wrap-up
13
The Evolution of SAP and ABAP Technology
Past Today Future
• Simple, isolated systems• Fewer users• Less data• Less custom development• Regular but rare releases
• Complex and open systems• More users• More data• More custom development • Frequent release cycles• Reduced staff
• More complex and open• Even more users• Even more data• Even more development • Higher frequency releases• Even smaller staff
14
Attack Surface of SAP – 1997
Direct UIs
External Systems
SAP ABAP® System
15
Attack Surface of SAP – Since 2011
Indirect UIs
External Systems
Direct UIs
SAP ABAP® System
16
SAP Security – A Holistic View
• SAP security and quality must be addressed holistically – including custom code
• Custom code can lead to: System failure Hacker access Slow performance
• Business apps must properly enforce Business Logic (rules)
• GRC and SoD are only effective if they are enforced within application code
Business Logic
Business Runtime
Database
Operating System
17
Sources of Flaws in ABAP Code
• Manual code reviews/basic testing• QA testing focused on functional aspects• Inability to enforce technical coding standards• External development/third-party add-ons• Limited/no code change monitoring (during emergencies)
18
What We’ll Cover
• Risks from custom ABAP code• The realities of ABAP development• Best practices for ABAP code for security and quality• Wrap-up
19
Best Practices
• Ensure ABAP code quality and security through … Online scanning and correction during development Testing of all delivered code (you are responsible for
outsourced and third-party code too!) Automatic scanning of all ABAP changes
20
Best Practices: Static Online Scanning
• Static code scanning and correction during development• Define clear code standards and enforce results• Give developers the tools they need to test during development Faster feedback means lower cost Provide recommended remediation approach
• Apply automated corrections for larger clean-up projects
Stop believing that manual reviews are all you need!
21
Best Practices: Testing All Delivered Code
• Testing all code (including outsourced and third-party products) Communicate and enforce SLAs Let everyone know that you will be testing
Test all deliverables before beginning functional testing Don’t waste time with user testing of inferior code Plan for issues! Test immediately! Is this code safe enough for your DEV?
22
Best Practices: Automatic Code Scanning
• Automatically scan all SAP ABAP code changes Scan all Transport Requests upon release Stop Transport Requests with critical issues Store test results as for compliance audit trail PCI, PII, SOX, FDA, Basil II, etc.
Be ready for emergency corrections Enable override of tests with approval Track who approved exceptions
23
Continuous Monitoring of ABAP Code Changes
PRDDEV
Development Test/QA ProductionRequirement
SICHERE SAP PROGRAMMIERUNG
ABAPGuideline
JavaGuideline
ABAPSpezifikation
JavaSpezifikation
GenerelleGuideline
InterneEntwicklung
ExterneEntwicklung
AutomaticTesting
QA
ExceptionApproval?
24
Recommended Testing
• Security• Compliance• Data Loss Prevention• Performance• Robustness• Maintainability
25
What We’ll Cover
• Risks from custom ABAP code• The realities of ABAP development• Best practices for ABAP code for security and quality• Wrap-up
26
ABAP Security Vulnerability
27
Where to Find More Information
• www.bizec.org/wiki/Main_Page The Business Application Security Initiative (BIZEC) is a non-profit
organization with a focus on security defects in business applications• www.virtualforge.com/en/library/white-papers/whitepaper-the-abap-
underverse.html Andreas Wiegenstein, “The ABAP Underverse” (BlackHat Briefings,
2011). A Virtual Forge whitepaper on application and ABAP security
• www.virtualforge.com/en/resources/presentations/ensuring-the-security-of-custom-abap-code.html Chris Warring and Stephen Lamy, “Best Practices for Ensuring the
Security of Custom ABAP Code” (SAP TechEd && d-code, 2014).
28
7 Key Points to Take Home
• Companies are responsible for their own custom code
• If you can’t enforce code quality and security standards consistently, it won’t happen
• It’s not possible to accurately assess the security of ABAP code through manual reviews alone
• Implementing best practices and corresponding tools early in the development process will lower risk and result in lower TCO
29
7 Key Points to Take Home (cont.)
• Do not wait until it’s too late! Tighten ABAP security while you can
• Don’t forget the 11 most dangerous security vulnerabilities and how testing during development can protect you
• Provide your developers a way to test and correct code easily while they develop
30
Your Turn!
How to contact me:Stephen Lamy
[email protected]@virtual_forge
Please remember to complete your session evaluation
31
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.