Best Practices for Ensuring SAP ABAP Code Quality and Security


Virtual Forge Presentation on Best Practices at #SAPPHIRENOW #ASUG2013

1. Best Practices for Ensuring ABAP Code Quality and Security
   David Chapman, Vice President of Sales, iT Services 2
   Stephen Lamy, Managing Director, Virtual Forge
2. 2nd-generation SAP consulting firm, focused on SAP since 1996; senior, principal and platinum level expertise; Virtual Forge sales and services business partner since 2012.
   “We’ve partnered with Virtual Forge because we value their commitment to excellence and their deep SAP expertise. Virtual Forge mirrors iT2 values and culture.” Lynne McGrew, CEO, iT Services 2
3. Virtual Forge: founded in 2001; CodeProfiler released 2008; patented data and control flow static analysis for ABAP; Heidelberg, Weimar and Philadelphia; experts in the field of SAP application security and quality.
4. Agenda
   1. Drivers for Change: ABAP Application Landscape
   2. Today’s Practices?
   3. BEST Practices
   4. Benefits Summary
5. (Section divider: agenda repeated from slide 4.)
6. The Evolution of the SAP Landscape
   In the past: isolated systems; long release cycles; few attack vectors; security using firewalls.
   Today: open systems; frequent release cycles; network boundaries disappearing; cloud-based applications; hacker attacks.
   Future: open systems; high-frequency releases; interconnected networks; IT espionage; cyber attacks and espionage.
7. The Attack Surface of ABAP: 1997 (figure)
8. The Attack Surface of ABAP: 2002 (figure)
9. The Attack Surface of ABAP: since 2007 (figure)
10. Source of Defects
   • Little/no technical specifications
   • Manual/basic code reviews
   • Testing focused on functional aspects
   • External/3rd-party development
   • Limited/no code change monitoring
11. Business Risks
   • Cyberattacks
   • Data theft/fraud
   • Industrial espionage
   • Loss of image
   • System failures
12. Cost to Business
   • $100 to correct a defect during development
   • $1,000 to correct a defect found in QA testing
   • $10,000 to correct a defect in production
   • $$$$$ cost of an attack or system outage
13. SAP’s Increased Focus on Security
   614 as of September 1, 2012
   What are you doing to ensure the quality of your custom code?
14. (Section divider: agenda repeated from slide 4.)
15. Important Rules to Remember
   1. Companies are responsible for their own custom code.
   2. If you can’t enforce code quality and security standards consistently, it won’t work.
16. One solution, many capabilities: Who is responsible for the code?
   • Developers: test ABAP code for defects fast and reliably by performing online scanning as needed during development.
   • IT and security owners: test applications for full transparency of ABAP code quality in their SAP systems.
   • Development and project managers: ensure that internally and externally developed applications and third-party solutions meet pre-defined security and quality criteria.
17. One solution, many capabilities: Who is checking?
   • Auditors and controllers: get full transparency of security and compliance risks in SAP systems.
   • Software companies and SAP partners: ensure and document the code quality of their solutions.
   • Purchasers: check deliverables against pre-defined quality criteria within the scope of tenders “with a click of a button”.
18. Today’s Practices? How ABAP code reviews are often done today:
   • Manual code reviews
   • Using top programming resources for reviews
   • Using basic tools with limited testing and a lot of false-positive findings
   • No effective technical code testing at all!
19. Today’s Practices? Manual code reviews:
   • Use valuable development resources
   • Delay project release (or accept lower quality)
   • Limited effectiveness due to program complexity
   • Feedback too late in the development cycle: performance problems and failures in production; higher cost of remediation
   • Few/no defined security and quality standards: styles and techniques vary by reviewer/developer
20. Today’s Practices? Basic ABAP testing tools:
   • Limited (and weak) testing, e.g. pattern recognition
   • Not comprehensive for security and quality
   • Not integrated with the ABAP Workbench: no online scanning during development; higher TCO for manual corrections; no documentation/navigation for efficient remediation
   • Inaccurate results (high false-positive rate): time lost evaluating findings; loss of credibility for the tool
   • Slow / batch / offline
21. (Section divider: agenda repeated from slide 4.)
22. Best Practices for Ensuring ABAP Code Quality and Security
   1. Online scanning and correction during development
   2. Testing of all outsourced deliverables (you are responsible!)
   3. Automatic scanning and correction of SAP ABAP changes
   4. Static code analysis for ABAP
   Source: Success story with Linde, www.virtualforge.com
23. Best Practices: In-house Development. Online scanning and correction during development:
   • Define clear code standards, train, and test results!
   • Enable online scanning during development: developers scan during unit testing for immediate feedback; fast remediation
   • Automatic code correction
   • Provide detailed documentation for developer training and instructions for remediation
   “Since we’ve been using Virtual Forge CodeProfiler, developers have become more aware and are delivering better quality code.” Stephan Sachs, Manager for Application Security
24. Best Practices: Data and Control Flow Analysis (figure)
25. Best Practices: Outsourced Development. Testing of all outsourced deliverables:
   • Communicate and enforce SLAs: let them know that you will be testing
   • Test all deliverables before beginning functional testing: don’t waste time functionally testing inferior code; recommend testing 2 to 4 weeks prior (at least)
   • Test immediately? Is this code safe enough for your DEV system?
   • Decide who will be responsible for corrections beforehand: plan for remediation activities
   “Using CodeProfiler software for verifying all 3rd party code has revolutionized our way of working… We now have gained control over the coding quality and security risks.” Roderik Mooren, IT Director Services
26. Best Practice: Comprehensive Testing (security, performance, quality). CodeProfiler security tests and QA tests cover:
   • Security: ABAP command injection; OS command execution; SQL injection; broken authority checks; hard-coded usernames; …
   • Performance: usage of the WAIT command; usage of SELECT *; nested loops; incomplete index; …
   • Data loss prevention: disclosure of critical data; disclosure of source code; maintenance of sensitive data; …
   • Maintainability and robustness: naming conventions; nested macro calls; hard-coded org units; insufficient error handling; …
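The slide only names the finding classes. The report below is an added example (not code from the deck or from CodeProfiler) that shows what three of them look like in ABAP source, each in its vulnerable form followed by a hardened form: SQL injection through a dynamic WHERE clause, a broken authority check combined with a hard-coded user name, and, as a side effect of the hardening, the SELECT * performance finding. Table ZCUSTOMER (fields ID and NAME) and authorization object Z_CUST are hypothetical; everything else is standard ABAP (7.40 or later for the string templates).

```abap
REPORT z_abap_finding_classes.
" Added example, not from the Virtual Forge deck. Each section shows one
" finding class from the Comprehensive Testing slide, vulnerable form first,
" hardened form second. ZCUSTOMER (ID, NAME) and Z_CUST are hypothetical.

TYPES: BEGIN OF ty_customer,
         id   TYPE n LENGTH 10,
         name TYPE c LENGTH 40,
       END OF ty_customer.

DATA: lt_result TYPE STANDARD TABLE OF ty_customer,
      lv_where  TYPE string.

PARAMETERS p_name TYPE c LENGTH 40.

" ---------------------------------------------------------------------
" SQL injection: user input pasted into a dynamic WHERE clause
" ---------------------------------------------------------------------
" Vulnerable: p_name = X' OR '1' = '1  turns the filter into "match all".
" It also uses SELECT *, the performance finding on the same slide.
lv_where = |name = '{ p_name }'|.
SELECT * FROM zcustomer INTO CORRESPONDING FIELDS OF TABLE lt_result
  WHERE (lv_where).

" Hardened (a): if the clause must stay dynamic, escape quotes in the input
" so it cannot break out of the literal, and select only the fields used.
lv_where = |name = '{ cl_abap_dyn_prg=>escape_quotes( p_name ) }'|.
SELECT id name FROM zcustomer INTO CORRESPONDING FIELDS OF TABLE lt_result
  WHERE (lv_where).

" Hardened (b), preferred: no dynamic clause at all. The parameter is bound
" as a host variable and can only be compared, never parsed as SQL.
SELECT id name FROM zcustomer INTO CORRESPONDING FIELDS OF TABLE lt_result
  WHERE name = p_name.

" ---------------------------------------------------------------------
" Broken authority check and hard-coded user name
" ---------------------------------------------------------------------
" Vulnerable: the check is skipped for one named account (a backdoor that
" travels into production with the transport), and even when it runs the
" result is ignored because sy-subrc is never evaluated.
IF sy-uname <> 'DEVELOPER'.
  AUTHORITY-CHECK OBJECT 'Z_CUST'
    ID 'ACTVT' FIELD '03'.
ENDIF.
SELECT id name FROM zcustomer INTO CORRESPONDING FIELDS OF TABLE lt_result
  WHERE name = p_name.

" Hardened: the same check for every user, evaluated, and a hard stop
" before any data is read.
AUTHORITY-CHECK OBJECT 'Z_CUST'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'No authorization to display customers'.
ENDIF.
SELECT id name FROM zcustomer INTO CORRESPONDING FIELDS OF TABLE lt_result
  WHERE name = p_name.
```

The point of the second SELECT injection variant is what a data-flow analysis has to see and a pure pattern match cannot: the dynamic WHERE in hardened form (a) is textually identical to the vulnerable one, and only the escape call on the path from p_name to lv_where makes it safe.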
27. Best Practices: Automatic Code Scanning. ABAP Firewall: automatic scanning of all SAP ABAP changes:
   • Scan all transport requests upon release
   • Stop transport requests with defects: do not allow release
   • Compliance testing and audit trail: PCI, PII, SOX, FDA, Basel II, etc.
   • Ready for emergency corrections: bypass the firewall with approval; track flaws for later remediation
   “One of the key requirements was to defend our SAP systems against the project teams. Together with Virtual Forge we have been able to enforce sustainability for code quality and security.” Markus Seibel, GM IT Business Services
28. Best Practices: Automatic Code Scanning. ABAP Firewall: automatic scanning of all SAP ABAP changes (figure)
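The slides describe the gate but not where it hooks in. In an SAP system the release of a transport request can be intercepted with the classic BAdI CTS_REQUEST_CHECK, whose CHECK_BEFORE_RELEASE method can veto the release. The method below is an added example of such a gate, not Virtual Forge's ABAP Firewall: it scans every program in the request, records all findings, lets an approved emergency bypass through, and otherwise cancels the release. Assumptions: the method's parameters REQUEST (transport number) and OBJECTS (the request's E071 object list) and its exception CANCEL, as found in the interface IF_EX_CTS_REQUEST_CHECK; two hypothetical customer tables, ZFW_BYPASS (approved bypasses, key field TRKORR) and ZFW_FINDINGS (fields TRKORR, PROGNAME, LINE, FINDING); and a short regex list that only stands in for a real data-flow analysis engine. The other methods of the interface, which need no checks here, are implemented empty in the BAdI class and are not shown.

```abap
" Added example, not Virtual Forge code: release gate in the
" CHECK_BEFORE_RELEASE method of a BAdI CTS_REQUEST_CHECK implementation.
" Assumed: parameters REQUEST / OBJECTS and exception CANCEL of the
" interface method; hypothetical tables ZFW_BYPASS (TRKORR) and
" ZFW_FINDINGS (TRKORR, PROGNAME, LINE, FINDING); regex rules as a crude
" stand-in for the data-flow analysis a real engine would perform.
METHOD if_ex_cts_request_check~check_before_release.

  TYPES: BEGIN OF ty_rule,
           regex   TYPE string,
           finding TYPE string,
         END OF ty_rule.

  DATA: lt_rules    TYPE STANDARD TABLE OF ty_rule,
        lt_findings TYPE STANDARD TABLE OF zfw_findings,
        lt_source   TYPE STANDARD TABLE OF string,
        lv_bypass   TYPE trkorr.

  " Blocking rules, one text pattern per finding class from the
  " Comprehensive Testing slide.
  lt_rules = VALUE #(
    ( regex = `\bWHERE\s*\(`                   finding = `Dynamic WHERE clause (SQL injection candidate)` )
    ( regex = `\bCALL\s+'SYSTEM'`              finding = `OS command execution via kernel call` )
    ( regex = `\bsy-uname\s*(=|<>|EQ|NE)\s*'`  finding = `Hard-coded user name` )
    ( regex = `\bSELECT\s+\*`                  finding = `SELECT * without field list` ) ).

  " 1. Scan every program source in the request, line by line.
  LOOP AT objects ASSIGNING FIELD-SYMBOL(<ls_obj>)
       WHERE ( pgmid = 'R3TR' AND object = 'PROG' )
          OR ( pgmid = 'LIMU' AND object = 'REPS' ).
    DATA(lv_prog) = CONV progname( <ls_obj>-obj_name ).
    READ REPORT lv_prog INTO lt_source.
    CHECK sy-subrc = 0.
    LOOP AT lt_source ASSIGNING FIELD-SYMBOL(<lv_line>).
      DATA(lv_lineno) = sy-tabix.
      " Full-line comments never block; strip trailing " comments too.
      IF <lv_line> IS INITIAL.
        CONTINUE.
      ENDIF.
      IF <lv_line>(1) = '*'.
        CONTINUE.
      ENDIF.
      DATA(lv_code) = <lv_line>.
      IF lv_code CS '"'.
        lv_code = substring( val = lv_code len = sy-fdpos ).
      ENDIF.
      LOOP AT lt_rules ASSIGNING FIELD-SYMBOL(<ls_rule>).
        FIND REGEX <ls_rule>-regex IN lv_code IGNORING CASE.
        IF sy-subrc = 0.
          APPEND VALUE #( trkorr   = request
                          progname = lv_prog
                          line     = lv_lineno
                          finding  = <ls_rule>-finding ) TO lt_findings.
        ENDIF.
      ENDLOOP.
    ENDLOOP.
  ENDLOOP.

  " 2. Clean request: the release goes ahead untouched.
  IF lt_findings IS INITIAL.
    RETURN.
  ENDIF.

  " 3. Findings are recorded before any decision, so an emergency bypass
  "    still leaves an audit trail for later remediation.
  INSERT zfw_findings FROM TABLE lt_findings ACCEPTING DUPLICATE KEYS.
  DATA(lv_count) = |{ lines( lt_findings ) }|.

  " 4. Approved emergency correction: warn, but let the release through.
  SELECT SINGLE trkorr FROM zfw_bypass INTO lv_bypass
    WHERE trkorr = request.
  IF sy-subrc = 0.
    MESSAGE i001(00) WITH 'ABAP firewall bypassed by approval for'
                          request lv_count 'finding(s) logged'.
    RETURN.
  ENDIF.

  " 5. Everything else is blocked: raising CANCEL stops the release.
  MESSAGE i001(00) WITH 'ABAP firewall: release blocked for'
                        request lv_count 'finding(s) logged'.
  RAISE cancel.
ENDMETHOD.
```

The rule table is deliberately the weak "pattern recognition" the deck criticizes on slide 20: it will flag the escaped dynamic WHERE from the previous example as loudly as the unescaped one. What makes the gate itself worth having is independent of the scanner behind it: it runs on every release, it cannot be skipped without a recorded approval, and the findings survive the bypass.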
29. (Section divider: agenda repeated from slide 4.)
30. Benefits of Best Practices: Lower Risk
   • Detect and support remediation of vulnerabilities: cyberattacks/espionage; performance problems/system failures; data theft/fraud/loss
   • Test in-house and outsourced development and 3rd-party add-ons: enforces standards for all development deliverables; clear and enforceable definition of programming standards
   • Ensure all ABAP code changes meet compliance and audit requirements
31. Benefits of Best Practices: Lower TCO
   • Find problems earlier in the SDLC = lower cost to remediate a defect
   • Better quality code (maintainability, performance, robustness) = lower test and maintenance costs
   • Reduce review and testing times = faster delivery of new applications
   • Automate scanning and review = less use of (expensive) development resources
   • Online scanning and remediation support for faster resolution = less time for corrections and repair
   • Better quality code = fewer SAP production system issues
32. Getting Started: Complimentary Scan. Take the test! Your ABAP code goes through a complimentary Virtual Forge CodeProfiler scan (security and compliance, data loss prevention, performance, robustness and maintainability) and you see:
   • Summary of findings
   • Prioritization of found vulnerabilities
   • Specific examples of findings from your own code
   • Code metrics
   • Benchmark (on request)
33. Thank You!
   David Chapman, dchapman@itservices2.com, telephone 214-303-9690
   Stephen Lamy, stephen.lamy@virtualforge.com, telephone 610-864-0261
34. Disclaimer. © 2012 Virtual Forge Inc. All rights reserved. SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are the trademarks of their respective companies. Information contained in this publication is subject to change without prior notice. It is provided by Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in this publication. Information contained in this publication does not imply any further liability. Virtual Forge Terms and Conditions apply. See for details. Excellence in SAP Consulting: www.itservices2.com
35. THANK YOU FOR PARTICIPATING. Please provide feedback on this session by completing a short survey via the event mobile application. SESSION CODE: 0814. For ongoing education on this area of focus, visit