Christine Warring, Sustainment Project Manager, talks about her experience and the requirements which lead to the introduction of Virtual Forge CodeProfiler in the application development of TEWLS. SAP TEWLS (Theater Enterprise Wide Logistics System) is an SAP-based application developed by the US Army and used for all armed forces to support theater-level medical logistics and life cycle management of medical assemblages.

1. Ensuring the Quality and Security
of Custom SAP Applications at the
Department of Defense
Chris Warring, Department of Defense
Stephen Lamy, Virtual Forge
© 2014, Virtual Forge GmbH. All
rights reserved.

2. Introductions
TEWLS Sustainment Project Manager
JMLFDC
CACI Contractor

3. Agenda
q SAP TEWLS @ Department of Defense
q Challenges
q Custom ABAP
q Best Practices
q Virtual Forge CodeProfiler

4. SAP TEWLS @ Dept of Defense

5. SAP TEWLS @ Dept of Defense
Custom ABAP Applications
Theater Enterprise Wide Logistics System (TEWLS)
q SAP-based Enterprise Resource Planning
q Supports theater-level medical logistics
q Developed by US Army to replace TAMMIS
q Single shared data environment
q Developed in ABAP

6. SAP TEWLS @ Dept of Defense
Custom ABAP Applications
What is TEWLS?
q Enterprise-level total life cycle management of medical assemblages
(development, production, fielding, and sustainment)
q Materials and assemblage life cycle management
q Theater Intermediate-Level Medical Logistics:
q Acquisition & Life Cycle Management
q Strategic programs for mobilization & deployment of materials
q Theater Supply Chain Management to include full storage and distribution capabilities for
Medical Material (TLAMM)
q Compliance with Federal Financial Management Improvement Act (FFMIA), Standard
Financial Information Structure (SFIS), and Federal Information System Controls Audit
Manual (FISCAM)

7. Challenges

8. Challenges
Passing the Test
Department of Defense Adopted TEWLS
q TEWLS to be used for all armed forces
q Required to prove that ABAP code was secure and compliant
The Problem:
q Static code scanning required
q Code scanning solution that DOD mandated did not produce accurate result with ABAP code
q Precluded the finalization of Authority to Operate (ATO)

9. Challenges
The Problem
Limitations with existing tools
q Many false findings
q Inconsistent results (even with same code base)
q Limited test scope
q Not integrated with SAP
q No remediation instructions for developers
Impact
q Used valuable resource time working through false results
q Unable to prove that the code was secure and compliance to finalize DOD ATO
q Annoyed developers
q Late feedback for developers

10. Challenges
The Solution
ABAP Scanning with CodeProfiler
q Accurate results with prioritized findings
q Comprehensive testing
q Tightly integrated with SAP
q Detailed remediation instructions
Results
q Able to scan and remediate vulnerabilities quickly
q Reduced number of code corrections required
q Improved developer skills
q Reduced effort and time spent on code reviews
q Ensured ALL code meets security and compliance requirements

11. Custom ABAP

12. Custom ABAP
The Evolution of SAP®
In
the
past
Today
Future
§ Isolated
systems
§ Fewer
users
§ Less
data
§ Less
custom
development
§ Regular
but
rare
releases
§ Open
systems
§ More
users
§ More
data
§ More
custom
development
§ Frequent
release
cycles
§ Reduced
staff
§ More
open
systems
§ Even
more
users
§ Even
more
data
§ Even
more
development
§ Higher
frequency
releases
§ Even
smaller
staff

13. Custom ABAP
SAP Security – Holistic View
q SAP security and quality must be
addressed holistically - including
custom code
q Custom code can result in:
q system failure
q hacker access
q slow performance
q Business apps must properly
enforce Business Logic (rules)
q GRC & SoD are only effective if
they are enforced within
application code
Business Logic
Business Run-time
Database
Operating System

14. Attack Surface of SAP
1997 – Good old times
Direct UIs
External
Systems
SAP ABAP® System

15. Attack Surface of SAP
2002 – Complexity grows
SAP ABAP® System Indirect Uis
Direct UIs
External
Systems

16. Attack Surface of SAP
2007 – and grows
Direct UIs
Indirect UIs
External
Systems
SAP ABAP® System

17. Attack Surface of SAP
Since 2011 – and grows
Indirect UIs
External
Systems
SAP ABAP® System
Direct UIs

18. Custom ABAP
Current Situation
The average SAP customer system has:
q .84 Critical Security / Compliance errors per 1,000 LOC
q 50% probability of an ABAP® Command Injection vulnerability
q 88% probability of a Directory Traversal vulnerability
q 99.9% probability of defective Authorization Checks
Source: CodeProfiler of custom ABAP® code from 171 SAP systems (status: May 2014)
Total amount of scanned customers coding lines 377Mio

19. Custom ABAP
Costs of correcting a single defect
The earlier the code is repaired, the lower the cost
to correct defect $100 during development
$1,000 to correct same defect when found during QA testing
$10,000 to correct same defect found in production
$ cost of attack or system down

20. Custom ABAP
Cost of Correcting Code
1 : 10 : 100
DEV QAS PRD
Cost of
Development
Eclipse
integration
SE80
integration
TMS Integration
Test
Go Live Time (DEV, QAS, PRD)

21. Custom ABAP
Code Scanning Compliance
q DOD
Proof
of
security
and
compliance
q PCI-­‐DSS
(Payment
Card
Industry
Data
Security
Standard)
q PIA
(Privacy
Impact
Assessment)
q PII
(Personally
IdenHfiable
InformaHon)
q Company
specific
policies

22. Best Practices

23. Best Practices
Recommended Testing
q Security
q Compliance
q Performance
q Robustness
q Maintainability

24. Best Practices
Code Reviews!
Top 10 Most Dangerous Security Vulnerabilities:
q ABAP Command Injection
q OS Command Injection
q Native SQL Injection
q Improper Authorization Checks
q Directory Traversal
q Direct Database Modifications
q Cross-Client Database Access
q Open SQL Injection
q Generic Module Execution
q Cross-Site Scripting

25. Best Practices
Lessons Learned/Recommendations !
q Begin static code scanning NOW!
q Test and correct early and often during
development
q Set priorities based upon your own
code base
q Plan to manage cleanup activities as
well as ongoing development
q Don’t wait for an incident to occur
q Manual reviews are ineffective
q Don’t wait until QA
q Decide what will stop a transport
from being released
q Based upon your own code
q Vulnerabilities can be fatal

26. Best Practices
Automated Risk and Quality Management !
Development
Test/QA
ProducDon
AutomaDcally
scan
ALL
changes
DEV
QA
PRD
Approve
excepDon?

27. Virtual Forge CodeProfiler

28. Virtual Forge CodeProfiler
Automated Risk Management
ProacHve
protecHon
with
transparency
ConHnuous
validaHon
Patented
intelligent
and
efficient
verificaHon
Minimized
effort
and
total
cost
of
ownership
Flexible
and
scalable
Comprehensive
and
powerful

29. Virtual Forge CodeProfiler
Finding What Matters
Input
(SAP
GUI,
BSP,
RFC,
...)
Data Control Flow Analysis
Dangerous
Statement
SoPware

30. Virtual Forge CodeProfiler
Customer Testimonials
Proven success
[ “Applying the Virtual Forge CodeProfiler and the close collaboration helped us to
increase the level of security and improved the quality of our business solutions.” ]
Ralph Salomon, Vice President IT Security & Risk Office at SAP
[ “One of the key requirements was to scan several billions lines of code each week.
Together with Virtual Forge we have been able to create a truly unique solution.” ]
Michael Brauer, Director of Corporate Automation within the Corporate IT department at Siemens
[ “With Virtual Forge CodeProfiler tightly integrated into our SAP change and transport
management processes, we were able to scan all our custom ABAP® code and identify non-compliant
code in no time at all.” ]
Joby Joseph, SAP Security Lead at Globe and Mail

31. Virtual Forge CodeProfiler
Free Risk Assessment Offer!
How good is your SAP system?
Visit www.virtualforge.com
Free
" Summary of
findings
" Prioritization and
classification of
vulnerabilities
" Specific examples
of findings
" Code and system
metrics
Security
Compliance
Quality
SAP®
Risk Assessment
Virtual Forge CodeProfiler
and SystemProfiler

32. Disclaimer
© 2014 Virtual Forge GmbH. All rights reserved.
Information contained in this publication is subject to change without prior notice.
These materials are provided by Virtual Forge and serve only as information.
SAP, ABAP and other named SAP products and services as well as their respective logos are trademarks or
registered trademarks of SAP AG in Germany and other countries worldwide.
All other names of products and services are trademarks of their respective companies.
Virtual Forge accepts no liability or responsibility for errors or omissions in this publication. From the
information contained in this publication, no further liability is assumed. No part of this publication may be
reproduced or transmitted in any form or for any purpose without the express permission of Virtual Forge
GmbH, Germany or Virtual Forge Inc., Philadelphia. The General Terms and Conditions of Virtual Forge apply.

33. More Case Studies To Come …
@Virtual_Forge