Reliable SAP ® Applications - PowerPoint PPT Presentation


Reliable SAP® Applications. We protect your ABAP™ Code: Security, Compliance, Performance, Maintainability & Robustness. About Virtual Forge. CodeProfiler – Protecting your ABAP™ Code. CodeProfiler – Approach and Test Domains.

PowerPoint Slideshow about 'Reliable SAP ® Applications' - tale


Presentation Transcript
Reliable SAP® Applications

We protect your ABAP™ Code: Security, Compliance, Performance, Maintainability & Robustness

About Virtual Forge
  • CodeProfiler – Protecting your ABAP™ Code
  • CodeProfiler – Approach and Test Domains
  • Technology Integration (SAP TMS/ChaRM, SAP BI, IBM)
  • CodeProfiler – Certification and References
  • Professional Services
  • Summary & Discussion
History & Facts
  • Founded in 2001, headquarters in Heidelberg, Germany
  • Privately held
  • Long-term development & consultancy expertise in the area of
    • SAP® security audits
    • SAP design and code reviews
    • SAP penetration testing
  • SAP Trusted Technology Partner
  • Unique solution Virtual Forge CodeProfiler (1.0 in 2008)
    • Data and Control Flow Analysis
    • Automated testing of ABAP™, ABAP Objects, BSP, WebDynpro ABAP
    • Security, Compliance, Performance, Maintainability, Robustness
  • Book “Sichere ABAP-Programmierung”, SAP Press 2009
  • Leading Industry Guideline for ABAP Development and Maintenance
  • Virtual Forge GmbH
Vision and Promise
  • Virtual Forge is the leading provider for code security and quality solutions in SAP® environments.
  • We help our clients as trusted advisor to
    • identify code security & quality gaps.
    • prioritize these gaps for mitigation and resolve them.
    • significantly improve their SAP environment.
  • We are able to offer our clients the latest and market-leading expertise through a clear focus on first-class research in SAP code security & quality.
  • SAP’s internal ABAP™ development uses Virtual Forge CodeProfiler in its security and quality processes. Thus, our clients benefit from first-hand experience from the world’s largest SAP development projects.
  • Virtual Forge GmbH
Identify, prioritize, and mitigate issues in your ABAP™ Code

Worldwide more than 176,000 organizations of all sizes and industries depend on SAP solutions and services to run their business, making SAP solutions highly critical.

  • More than 90% of SAP applications are written in ABAP.
  • Custom development adds specific functionality to applications
    • Often no requirements for non-functional aspects
    • No testing beyond functional testing
    • Consequence: unknown risks in ABAP applications
  • Protecting your SAP® applications
Asset Flow Analysis
  • CodeProfiler determines whether critical data leaves the boundaries of a trusted environment (asset flow analysis).
  • Three simple steps
    • You define critical data (HR data, credit card numbers, etc.).
    • Conduct a CodeProfiler scan against the target application: results show where critical data is accessed and written to an external context.
    • Review findings, assess risk, and mitigate potential backdoors.
  • Data Loss Prevention
Data and Control Flow Analysis

CodeProfiler uses data and control flow analysis in combination with a comprehensive rule set that covers many data sources and dangerous ABAP™ statements.

Data flow analysis is a technique that first identifies data sources, i.e. points in the code where (external) data is read into variables. It then analyzes whether there are any connections between a data source and a potentially dangerous statement. Any identified connection (data flow) indicates that the dangerous statement is most likely exploitable.

In addition to data and control flow analysis, CodeProfiler applies further sanity tests like type checks, authority checks, usage of regular expressions, etc. As a result, the findings can be prioritized and the efficiency of the mitigation process improved.

  • CodeProfiler Engine
Data and Control Flow Analysis
[Diagram: CodeProfiler Engine, numbered steps 1 to 4]
  • CodeProfiler Engine
Security

This domain covers test cases related to classical security defects, i.e. code with hidden side effects that can be misused by an attacker.

Visit http://www.bizec.org for application security risks related to business applications.

Testcases – Examples:
  • ABAP Command Injection
  • Directory Traversal
  • Cross-Site Scripting
  • Missing AUTHORITY-CHECK
  • Phishing
  • SQL Injection

  • Testdomain – Security
Code Sample
  • BIZEC APP/11 APP-01 (http://www.bizec.org) ABAP Command Injection: coding that dynamically creates and executes arbitrary ABAP programs based on user input on a productive system.
  • Protection by CodeProfiler
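The data flow analysis described on the “Data and Control Flow Analysis” slide and the BIZEC APP-01 pattern on this slide can be illustrated with a small taint-tracking analyzer. The following Python code is an added example written for this page, not CodeProfiler's or Virtual Forge's code. It assumes a simplified ABAP-like syntax (one statement per line), a constructed sample program, and a rule set reduced to two data sources (PARAMETERS, SELECT-OPTIONS), two program-generation sinks (INSERT REPORT, GENERATE SUBROUTINE POOL) and a dynamic WHERE clause. Taint is propagated through assignments, CONCATENATE and APPEND; an AUTHORITY-CHECK statement earlier in the program lowers the priority of later findings, a simplified stand-in for the sanity tests used for prioritization.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed ABAP-like sample, one statement per line (not real project
# code): selection-screen input p_name reaches two program-generation
# statements and one dynamic WHERE clause; lv_const never touches user input.
SAMPLE_CODE = """\
REPORT zdemo.
PARAMETERS p_name TYPE string.
DATA lt_src TYPE TABLE OF string.
DATA lv_line TYPE string.
DATA lv_const TYPE string.
lv_const = 'WRITE: / sy-uname.'.
CONCATENATE 'REPORT ' p_name '.' INTO lv_line.
APPEND lv_line TO lt_src.
GENERATE SUBROUTINE POOL lt_src NAME lv_prog.
AUTHORITY-CHECK OBJECT 'S_DEVELOP' ID 'ACTVT' FIELD '02'.
INSERT REPORT p_name FROM lt_src.
SELECT * FROM usr02 INTO TABLE lt_users WHERE (lv_const).
SELECT * FROM usr02 INTO TABLE lt_users WHERE (p_name).
"""

IDENT = r"[A-Za-z_][\w-]*"
SOURCE_KEYWORDS = {"PARAMETERS", "SELECT-OPTIONS"}   # external input enters here
SINK_KEYWORDS = {                                     # dangerous statements (toy rule set)
    "INSERT REPORT": "ABAP Command Injection",
    "GENERATE SUBROUTINE POOL": "ABAP Command Injection",
}
DYNAMIC_WHERE = re.compile(r"WHERE\s*\(\s*(" + IDENT + r")\s*\)", re.IGNORECASE)
ASSIGNMENT = re.compile(r"^(" + IDENT + r")\s*=\s*(.*)$")


@dataclass(frozen=True)
class Finding:
    line: int         # statement that uses tainted data dangerously
    test_case: str    # e.g. "ABAP Command Injection"
    variable: str     # tainted variable reaching the sink
    source_line: int  # statement where the external data entered
    priority: str     # "high", or "medium" if an AUTHORITY-CHECK precedes it


def tokens(text: str) -> list[str]:
    """Identifiers and keywords of a statement, with string literals blanked."""
    return re.findall(IDENT, re.sub(r"'[^']*'", "''", text))


def analyze(code: str) -> list[Finding]:
    tainted: dict[str, int] = {}   # variable -> line where its taint originated
    findings: list[Finding] = []
    authority_checked = False

    def origin(names: list[str]) -> int | None:
        return next((tainted[n] for n in names if n in tainted), None)

    for lineno, raw in enumerate(code.splitlines(), start=1):
        stmt = raw.strip().rstrip(".")
        toks = tokens(stmt)
        if not toks:
            continue
        head, upper = toks[0].upper(), stmt.upper()

        if head in SOURCE_KEYWORDS and len(toks) > 1:   # data source
            tainted[toks[1]] = lineno
            continue
        if head == "AUTHORITY-CHECK":                   # sanity test lowers priority
            authority_checked = True
            continue

        # Sinks: report every tainted operand of a dangerous statement.
        priority = "medium" if authority_checked else "high"
        for keyword, test_case in SINK_KEYWORDS.items():
            if upper.startswith(keyword):
                for var in toks[len(keyword.split()):]:
                    if var in tainted:
                        findings.append(Finding(lineno, test_case, var, tainted[var], priority))
        m = DYNAMIC_WHERE.search(stmt)
        if m and m.group(1) in tainted:
            findings.append(Finding(lineno, "SQL Injection", m.group(1), tainted[m.group(1)], priority))

        # Propagation: taint flows through assignment, CONCATENATE and APPEND.
        m = ASSIGNMENT.match(stmt)
        ups = [t.upper() for t in toks]
        if m and (src := origin(tokens(m.group(2)))) is not None:
            tainted[m.group(1)] = src
        elif head == "CONCATENATE" and "INTO" in ups:
            into = ups.index("INTO")
            if (src := origin(toks[1:into])) is not None and into + 1 < len(toks):
                tainted[toks[into + 1]] = src
        elif head == "APPEND" and len(toks) == 4 and (src := origin([toks[1]])) is not None:
            tainted[toks[3]] = src
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_CODE):
        print(f"line {f.line}: {f.test_case} via {f.variable} "
              f"(source line {f.source_line}, priority {f.priority})")
```

Running the module reports four findings: the GENERATE SUBROUTINE POOL on line 9 is rated high, while the INSERT REPORT and the dynamic WHERE that follow the AUTHORITY-CHECK are rated medium. The SELECT whose WHERE clause is built from the constant lv_const produces no finding because no flow from a data source reaches it. A real engine additionally has to follow flows across form routines, method calls and RFC boundaries, which this toy deliberately omits.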
Compliance

This domain introduces test cases related to compliance defects, i.e. coding practices that bypass an important security mechanism in the SAP® standard.

Testcases – Examples:
  • Hard-coded User Name (sy-uname)
  • Cross-Client Access to Business Data
  • Hidden ABAP Code

  • Testdomain – Compliance
Performance

This domain includes test cases that identify coding practices that have adverse effects on the performance of an SAP® system.

Testcases – Examples:
  • Usage of WAIT Command
  • Database Modifications in a Loop
  • SELECT Statement in a Loop
  • Usage of LIKE Clause
  • Missing WHERE Restriction in SELECT Statement
  • Nested SELECT Statement

  • Testdomain – Performance
Maintainability

This domain contains test cases that analyze the ABAP™ coding for issues that make the code difficult to maintain.

Factors that reduce maintainability include

  • Coding that is difficult to understand for a developer new to the project.
  • Coding with a complex structure.
  • Poor documentation.

Testcases – Examples:
  • Empty Block
  • Empty Module
  • Overlong Module

  • Testdomain – Quality (Maintainability)
Robustness

This domain provides test cases that check for ABAP™ coding practices which jeopardize the reliable execution of a business application.

An important benefit of having robust code is business continuity: robust code reacts to error conditions in a controlled, reliable and predefined way.

Testcases – Examples:
  • Insufficient Error Handling (TRY/CATCH)
  • Incomplete CASE Statement
  • Recursion (Immediate)

  • Testdomains – Quality (Robustness)
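Most of the performance and robustness test cases listed on these two slides (SELECT statement in a loop, nested SELECT, missing WHERE restriction, database modification in a loop, WAIT, incomplete CASE) are structural checks that need block nesting rather than data flow. The following Python checker is an added example written for this page, not CodeProfiler's code; it assumes the same simplified one-statement-per-line ABAP-like syntax and a constructed sample, and it deliberately does not try to tell a MODIFY of an internal table from a MODIFY of a database table.

```python
from __future__ import annotations

import re

# Constructed ABAP-like sample (not real project code), one statement per line.
QUALITY_SAMPLE = """\
LOOP AT lt_orders INTO ls_order.
  SELECT SINGLE * FROM vbak INTO ls_vbak WHERE vbeln = ls_order-vbeln.
  UPDATE vbak SET netwr = ls_order-netwr WHERE vbeln = ls_order-vbeln.
ENDLOOP.
SELECT * FROM vbak INTO ls_vbak.
  SELECT * FROM vbap INTO ls_vbap WHERE vbeln = ls_vbak-vbeln.
  ENDSELECT.
ENDSELECT.
CASE lv_status.
  WHEN 'A'.
    WAIT UP TO 1 SECONDS.
  WHEN 'B'.
ENDCASE.
CASE lv_type.
  WHEN 'X'.
  WHEN OTHERS.
ENDCASE.
"""

LOOP_OPEN = {"LOOP", "DO", "WHILE"}
LOOP_CLOSE = {"ENDLOOP", "ENDDO", "ENDWHILE"}
# Open SQL write statements; MODIFY is left out because the same keyword also
# changes internal tables and this toy does not resolve table kinds.
DB_MODIFY = re.compile(r"^(UPDATE|DELETE FROM|INSERT INTO)\b")
# A SELECT with SINGLE or INTO/APPENDING TABLE returns at once; any other
# SELECT iterates until ENDSELECT and therefore opens a block.
SELECT_NO_LOOP = re.compile(r"\bSINGLE\b|\b(INTO|APPENDING)\s+(CORRESPONDING\s+FIELDS\s+OF\s+)?TABLE\b")


def check(code: str) -> list[tuple[int, str]]:
    """Return (line, test case) pairs for the structural rules below."""
    findings: list[tuple[int, str]] = []
    loop_depth = 0                 # LOOP / DO / WHILE nesting
    select_depth = 0               # SELECT ... ENDSELECT nesting
    case_stack: list[list] = []    # [CASE line, WHEN OTHERS seen]
    for lineno, raw in enumerate(code.splitlines(), start=1):
        stmt = raw.strip().rstrip(".").upper()
        if not stmt:
            continue
        head = stmt.split()[0]
        if head in LOOP_OPEN:
            loop_depth += 1
        elif head in LOOP_CLOSE:
            loop_depth -= 1
        elif head == "SELECT":
            if loop_depth:
                findings.append((lineno, "SELECT Statement in a Loop"))
            if select_depth:
                findings.append((lineno, "Nested SELECT Statement"))
            if not re.search(r"\bWHERE\b", stmt):
                findings.append((lineno, "Missing WHERE Restriction in SELECT Statement"))
            if not SELECT_NO_LOOP.search(stmt):
                select_depth += 1
        elif head == "ENDSELECT":
            select_depth -= 1
        elif DB_MODIFY.match(stmt) and loop_depth:
            findings.append((lineno, "Database Modifications in a Loop"))
        elif head == "WAIT":
            findings.append((lineno, "Usage of WAIT Command"))
        elif head == "CASE":
            case_stack.append([lineno, False])
        elif stmt.startswith("WHEN OTHERS") and case_stack:
            case_stack[-1][1] = True
        elif head == "ENDCASE" and case_stack:
            case_line, complete = case_stack.pop()
            if not complete:
                findings.append((case_line, "Incomplete CASE Statement"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule in check(QUALITY_SAMPLE):
        print(f"line {line}: {rule}")
```

On the sample this yields six findings; the second CASE block, which ends with WHEN OTHERS, is clean, and the SELECT SINGLE inside the LOOP is flagged only as a SELECT in a loop, not as a nested SELECT, because it does not open a SELECT loop of its own.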
Beyond “Maintainability” and “Robustness”, the test group “Code Quality” now also covers the frequently requested check for “Naming Conventions”
  • Application specific rules
    • different naming conventions per package
    • Validity timeframe (from / to)
  • Check of legacy and new code without conflicts with the applicable rules
  • The naming conventions can be seamlessly integrated into the automated TMS/ChaRM “code firewall”.
  • Naming Conventions
CodeProfiler 3.1
  • Status Quo: Getting Secure
    • As developer or auditor
    • Analysis of transports
    • Batch scheduling (SM37/SM36)
  • TMS/ChaRM Integration: Staying Secure
    • Automatic scan of transports (SE10)
    • Approval Workflow (enforcement of requirements)
  • Work with Findings: Mitigation
    • Finding Manager (review, qualification and correction in SE80)
The executive summary report (PDF) contains a prioritized list of all discovered issues. This list provides immediate feedback on current business risks at code level.

Following the executive summary, the full PDF report (or result navigation in the Finding Manager) contains detailed information about each finding, grouped by test cases. Each test case starts with general information about the respective issue:

  • Introduction
  • Business Risk
  • Detailed Explanation
  • Example Vulnerability
  • Solution in General
  • Solution Example

In addition to the general information, the report lists details for all discovered issues.

  • Result Navigation
The integration into the SAP Transport Management System (TMS) enables you to check transports with CodeProfiler automatically before the actual release, on task level as well as transport level (or both). You can then release them or, if required, re-route them to a defined exception handling process.

The automated check before importing code into an existing system (development, consolidation, production) can be carried out in the same way as the check during the release phase. From a technology point of view, it does not make a difference whether one or more SAP systems are connected. CodeProfiler supports the common transport and release mechanisms, such as Transport Management System (TMS), Change Request Management (ChaRM), Change and Transport System (CTS), as well as CTS plus.

Integration with additional tools such as theGuard! TransportManager by REALTECH, Transport Express by Basis Technologies, or other products is possible.

The Virtual Forge CodeProfiler standard shipment includes a preconfigured SAP workflow (notification and approval workflow) for release, QA and exception processes.

  • Integration in Development Process
TMS/ChaRM Integration
[Diagram: CodeProfiler as TMS-gatekeeper between the systems D60EhP4 (Development), Q60EhP4 (Test/QA) and P60EhP4 (Production); further labels: Requirements-Paper, Exception, via QA]
  • TMS/ChaRM Integration
Governance & Compliance in Development Process
  • Approval Workflow
[Diagram: Approval Workflow with lanes Developer, CodeProfiler, QA / PL and TMS; labels: Develop, Release, Change, Parse, Okay, False, Request, Review, Approve, Reject, Transp.]
Workflow Process:
  • CodeProfiler allows the transport
  • CodeProfiler declines the transport
    • Developer asks the QA instance via approval workflow for an exception
    • Yes: transport will be released (compliance: document exceptions)
    • No: back to development
  • Simplified Process:
    • Developer may decide at his own discretion to release the transport although CodeProfiler reported issues
  • Appropriate approach depends on your requirements
    • Organization (small, large)
    • Compliance (4-eyes principle)
    • Reliability / Stability
    • Speed (fixes, development)
  • Options of TMS/ChaRM Integration
CodeProfiler is often used in large system landscapes in order to monitor the entire code base (legacy and new ABAP code)
  • Making this more effective, several CodeProfiler instances can now be flexibly assigned to several SAP systems (m x n)
  • That way, scans can be easily parallelized and the high availability of the code audit infrastructure can be achieved
  • The implementation of a large scale CodeProfiler infrastructure is now simpler and “built-in”
  • High Availability
n x m relations between CodeProfiler and SAP® system
  • High Availability
[Diagram: SAP systems SAPD01, SAPD02, SAPQ01, SAPQ02 connected to CodeProfiler servers CPSERVER1, CPSERVER2, CPSERVER3, CPSERVER4 and CPTMSSERV1, CPTMSSERV2]
Scans of Java applications
  • Technical integration
  • CodeProfiler is “Ready for Rational”
Triage of findings in your ABAP™ Code
  • Integration IBM AppScan Source Edition
Drill-Down by Vulnerabilities only (all impact levels)
  • Integration IBM AppScan Source Edition
Drill-Down by Vulnerabilities (High Impact only)
  • Integration IBM AppScan Source Edition
ABAP™ analysis with data flow, code details and description
  • Integration IBM AppScan Source Edition
Aiming to expand the quality assurance of SAP® software enhancements, SAP® has licensed the testing software CodeProfiler, developed by the ABAP™ programming language security specialist Virtual Forge. This is the first solution on the market that is designed for static analysis of ABAP™ applications with a specific focus on security and compliance tests. CodeProfiler offers SAP® customers that have developed their own ABAP™ code extensive quality assurance.

“Security is important to us and to our customers. It’s good to see that our trusted partner Virtual Forge provides a tool for security test automation. Now all our customers can establish a baseline security level in their ABAP™ code.”

SAP® Executive Board Member Gerhard Oswald (2009)

  • CodeProfiler protects SAP®
CodeProfiler has successfully completed SAP’s integration certification program.
  • This proves that CodeProfiler is an extremely reliable solution for your SAP environments.
  • In addition, Virtual Forge is now listed as an official SAP Software Partner.
  • CodeProfiler is SAP® Certified
Powered by Virtual Forge CodeProfiler
  • SAP® Custom Code Security Service
Virtual Forge supports customers as a “Trusted Advisor” and delivers high quality Professional Services:
  • Application Audits with the Virtual Forge CodeProfiler
  • Review and Changes of the development lifecycle
  • Implementation of the Virtual Forge Development Guidelines into your development process
  • Classroom Training “Secure ABAP™ Coding”
  • Project driven Audits
  • Penetration tests
  • Fixing of Vulnerabilities
  • Coordination of Consulting Partners
  • Set Up of a transparent Security and Compliance Environment

With Virtual Forge as your Partner for Security and Compliance in ABAP Developments in small and huge system landscapes and projects you will get value out of a lot of experience and expert know-how.

  • Virtual Forge Service Portfolio
6. Summary & Discussion

Feedback is always welcome!

CodeProfiler is the tool of choice for in-depth ABAP™ analyses
  • Security, Compliance, Performance, Maintainability, Robustness
  • Prioritization helps you to define the mitigation plan

Governance and Compliance in your Development Process

  • No single line of code enters your SAP® system without a thorough check (“Code Firewall”)
  • Enforcement of Security and Quality standards for ABAP development
  • Controlled roll-out: tighten the scan profile over time in a grace period
  • Accountability and compliance: exceptions are documented via the four-eyes principle in the approval workflow
  • Possible to integrate CodeProfiler in popular transport management systems (SAP TMS, Solution Manager ChaRM, Realtech theGuard!, Basis Technologies Transport Express, etc.)
  • Why should you use CodeProfiler?!
Cost effectiveness: running safe business processes
  • Be prepared for cyber attacks and industrial espionage: prevent security weaknesses and backdoors
  • Value for money: control externally supplied ABAP™ code (offshore/nearshore/vendor)
  • No investment in own content needed, no maintenance of content
  • State-of-the-art security content in the standard release
  • Always up-to-date content with new releases (active research & continuous updates)

Ease of use: check your ABAP while you write it

  • Run CodeProfiler as developer while you write code (like a “spell checker”)
  • Run CodeProfiler as QA manager (like the “lector of a book”)
  • Fully integrated in the SAP® standard environment: SE80, TMS/ChaRM
  • Value Proposition
Being in control: governance & compliance at the process level
  • Central control for new ABAP™ code - “gatekeeper” for code in the development process - governance at the process level (TMS integration)
  • Approval workflow - compliance regarding coding standards

Use the standard: CodeProfiler is industry ready

  • Auditors (internal / external) use CodeProfiler in company audits
  • Customers worldwide use CodeProfiler for QA & Compliance including SAP®, Siemens, Linde, Munich Re, and many more
  • Scan your ABAP anytime – in one run: unparalleled analysis speed: up to 6,000 lines of code per second, results available instantly
  • Gartner selected Virtual Forge as Cool Vendor for the SAP Ecosystem 2011
  • Value Proposition
Your questions?

VIRTUAL FORGE
Dr. Markus Schumacher
markus.schumacher@virtualforge.com
Speyerer Straße 6
69115 Heidelberg
Germany
Phone: + 49 (0) 6221 86 89 0 - 170
Fax: + 49 (0) 6221 86 89 0 - 101

VIRTUAL FORGE Distributor in Scandinavia
ADSOTECH Scandinavia Oy
christer.makela@adsotech.com.com
Ilmakuja 4 a
02210 ESPOO
Finland
Phone: + 358 9 86 78 820
Fax: + 358 9 80 42 811