Check out this much-noticed presentation held at the 2013 SAPTechEd Conference in Las Vegas. Attendees were pleased and excited by the content that was presented.


Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL (SAPTechEd)

  1. CD208: Automating Code Reviews for Custom ABAP Applications to Reduce Risk and Lower TCO
     Dr. Markus Schumacher
     © 2012 Virtual Forge Inc | www.virtualforge.com | All rights reserved.
  2. Who we are
     • Joby Joseph, SAP Functional / Security Lead, The Globe and Mail | Toronto | Canada
     • Dr. Markus Schumacher, CEO of Virtual Forge, Heidelberg | Weimar | Philadelphia
     Twitter: @virtual_forge | Questions: #safercode
  3. Agenda
     • SAP @ Globe and Mail
     • Development life cycle @ Globe and Mail
     • Potential risks from bad ABAP code
     • ABAP Firewall: automatic code scanning
     • Summary
  4. Agenda (section divider; same content as slide 3)
  5. SAP @ The Globe and Mail
     The Company
     • Media company headquartered in Toronto, Canada
     • Largest-circulation national newspaper, focusing heavily on business, current affairs and lifestyle coverage
     • Produces and distributes nationally in Canada
     • Handles distribution of several other products in Canada, including The New York Times
     SAP @ The Globe and Mail
     • The one and only Canadian customer of SAP's IS-Media
     • Implemented SAP in 2002–2007
     • Modules: IS-MSD, IS-MAM, SD, FI-CA, FI-CO, HR, BW, BO
     • Heavily customized code in IS-MSD due to the North American media subscription model with contract accounting
     • Highly "custom ABAP"-dependent implementation
  6. SAP @ The Globe and Mail: highly customized development of the Industry Solution for Media
     • Lots and lots of customer development
     • Internal and external development staff: independent ABAP consultants, off-shore development
     • Users are both internal and external: subscribers and retail customers, telemarketers, internal functional users, vendors
     • Interfaces to public-facing websites: strict interface standards (PCI-DSS); customer-sensitive applications; real-time Java and .NET apps interfacing to SAP through custom RFCs; file-based asynchronous interfaces from multiple web applications
  7. Agenda (section divider: Development life cycle @ Globe and Mail)
  8. Conflicting Project Goals
     Goals of project / implementation teams:
     • Project budget and go-live date
     • Delivered product must work at the point of hand-over
     • Satisfy the "direct customers" (e.g. a new site)
     • Minimize coordination effort wherever possible (with the customer as well as within the team / supplier)
     • Minimize regression tests
     • Scope reductions (the classic "not part of our job / contract" discussions)
     • Low cost / offshore
     Goals of system owners:
     • Long-term maintainability
     • Harmonized processes and "templates"
     • Avoiding redundancies
     • Low operating costs
     • Secure environment
     • Quality, sustainability and no surprises in coding
  9. Conflicting Project Goals: Approaches
     How project teams reach their goals:
     • Clone existing ABAP code instead of extending or reusing existing functionality
     • Ignore the template, rather clone the legacy system wherever possible
     • Quick & dirty, hard-coded
     • Cheap resources instead of experienced staff
     • Delay progress in order to force the customer to accept unsatisfactory solutions and keep the timeline
     • …
     Have you ever wondered where all the vulnerabilities are coming from?
     As system owners, we have to combine two contradicting goals to make a project really successful:
     • Support and manage the project
     • "Defend" the system against the above shortcuts
 10. Automated Code Reviews: Static Code Scanning
     • Code reviews: why not manual reviews?
     • Managing the change process from ticket creation to production release
     • Tight integration with SAP
     • Tracking changes, approvals, create/release transports, etc.
     • Ensures compliance (PCI DSS, SOX, ITIL, internal, etc.)
     • "ABAP Firewall": static code analysis of ABAP application code and changes
 11. Virtual Forge CodeProfiler: ABAP Firewall
     • Tightly integrated with the change process and SAP
     • Tests all domains: security, compliance, performance, maintainability and robustness
     • On-line scanning with best-coding-practices documentation
     • Automatic correction
     • Very low false positive rate (<5%)
     • Fast scan rate for high-volume scanning (>20k LOC/sec)
     • Integrated with ABAP Workbench, Eclipse, SAP TMS, ATC, Solution Manager, etc.
 12. Agenda (section divider: Potential risks from bad ABAP code)
 13. The Evolution of ABAP, circa 2011 (diagram only)
 14. More sophisticated attackers: script kiddies
     • Minor knowledge
     • Work with "copy & paste" and use public information, programs, tools, etc. in order to attack or damage computer systems
     • Random targets
     • Motivation: usually reputation
 15. More sophisticated attackers: professional attackers
     • Highly skilled
     • Almost unlimited time and money
     • Targeted attacks (e.g. Stuxnet)
     • Often internal attackers
     • Motivation: industrial espionage, sabotage, …
 16. The Forgotten Layer: Application Runtime
     • SAP security must be addressed holistically
     • Business run-time applications must properly enforce business-logic security
     • GRC & SoD are only effective if they are enforced within the applications
     Layers shown: front-end / business logic, business runtime, database, operating system
 17. ABAP Quality Benchmarks, powered by CodeProfiler
     Source code lines (LOC, without comments and empty lines): average 1,862,418; total 156,443,087

     Domain                                 Average   Per KLOC (average)
     Security (critical only)                 1,475   0.79
     Compliance (critical only)                 270   0.14
     Performance (critical only)              1,171   0.63
     Maintainability (high priority only)       415   0.22
     Robustness (critical only)               1,586   0.85
     Total                                    4,917
 18. ABAP Quality Benchmarks, powered by CodeProfiler
     The average SAP customer system has:
     • 0.93 critical security/compliance errors per 1,000 LOC
     • 50% probability of an ABAP command injection vulnerability
     • 93% probability of a directory traversal vulnerability
     • 100% probability of defective authorization checks
     Source: initial scan of 156,443,087 lines of custom ABAP code from 88 SAP customers (status: July 2013)
 19. Regulatory Compliance
     PCI-DSS (Payment Card Industry Data Security Standard): CodeProfiler provides more than 30 test cases in order to test for PCI DSS compliance (PCI DSS Requirements and Security Assessment Procedures, Version 2.0).
     PII (Personally Identifiable Information): to protect PII, CodeProfiler has test cases related to the disclosure of critical data ("assets"). Exit points for this domain exist in the following classifications: SAP GUI, HTTP/HTML, FTP, GUI download, files, return values of RFC-enabled function modules. The main purpose of this test domain is to identify data leaks.
     SOX: CodeProfiler provides more than 30 test cases in order to test for SOX / SOX-EUR compliance (Sarbanes-Oxley Act). SOX audits rely on IT General Controls (ITGC) to provide a sound technical basis for the reliability and accountability of business processes. Custom development is relevant for change management, which is in turn relevant for ITGC. Therefore, any change to program logic is SOX-relevant if it introduces a potential security issue. ABAP coding practices and standards must ensure that ITGC are not bypassed by insecure coding, and SOX audits must check that appropriate controls are in place to make sure no relevant security defects exist in ABAP code.
 20. Custom Development: Cost of Defects
     • $100 to correct a defect during development
     • $1,000 to correct a defect found in QA testing
     • $10,000 to correct a defect in production
     • $$$$$: cost of an attack or system down
 21. Agenda (section divider: ABAP Firewall: automatic code scanning)
 22. Code Governance & Control: Built into the Process (diagram only)
 23. Data and Control Flow Analysis: shows only the findings that matter
     Diagram: Input (SAP GUI, BSP, RFC, ...) → Software → Dangerous Statement
 24. CodeProfiler: Comprehensive Test Scope
     Security tests
     • Security: ABAP command injection, OS command execution, SQL injection, broken authority checks, hard-coded usernames, disclosure of source code, ...
     • Data loss prevention: disclosure of critical data, maintenance of sensitive data, ...
     QA tests
     • Performance: usage of the WAIT command, usage of SELECT *, ...
     • Maintainability & robustness: naming conventions, nested macro calls, nested loops, hard-coded org units, incomplete index, insufficient error handling, ...
     (CodeProfiler: patented, all rights reserved)
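The source-to-sink analysis sketched on slides 23 and 24, as an added example that is not part of the original presentation and not CodeProfiler's code: a toy taint scanner in Python that tracks RFC and selection-screen input through assignments and APPEND, drops the taint where a sanitizer runs, and flags only the dangerous statements the tainted data actually reaches. The two ABAP samples, the function module name z_subs_export and the rule tables are constructed for this example; cl_abap_dyn_prg=>quote and the function module FILE_VALIDATE_NAME are standard SAP APIs whose names and parameters are given as I recall them, so check them against your release.

```python
"""Toy source-to-sink (taint) scanner for custom ABAP, added to illustrate the
data-flow analysis sketched on slides 23 and 24 (it is not CodeProfiler)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line kind source")  # sink line, class, entry point

# Assumed, tiny rule tables; each regex captures the variable or argument involved.
SOURCES = [(re.compile(r"^PARAMETERS:?\s+(\w+)", re.I), "SAP GUI selection screen"),
           (re.compile(r"^(?:VALUE|REFERENCE)\((\w+)\)", re.I), "RFC parameter")]
SINKS = [(re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I), "SQL Injection"),
         (re.compile(r"^OPEN DATASET\s+(\w+)", re.I), "Directory Traversal"),
         (re.compile(r"^CALL 'SYSTEM'.*?\bFIELD\s+(\w+)", re.I), "OS Command Execution"),
         (re.compile(r"^GENERATE SUBROUTINE POOL\s+(\w+)", re.I), "ABAP Command Injection")]
# Standard SAP APIs that neutralise the data they handle (names as I recall them).
SANITIZER = re.compile(r"cl_abap_dyn_prg=>(?:quote|escape_quotes|check_whitelist_str)\s*\(", re.I)
VALIDATE_FILE = re.compile(r"^CALL FUNCTION 'FILE_VALIDATE_NAME'.*?PHYSICAL_FILENAME\s*=\s*(\w+)", re.I)
HARDCODED_USER = re.compile(r"\bSY-UNAME\s*(?:=|EQ|<>|NE)\s*'", re.I)
ASSIGN = re.compile(r"^(?:DATA\()?(\w+)\)?(?:-\w+)*\s*=\s*(.+)$", re.I)
APPEND = re.compile(r"^APPEND\s+(.+?)\s+TO\s+(\w+)", re.I)
LITERAL, IDENT = re.compile(r"'(?:[^']|'')*'"), re.compile(r"[A-Za-z_]\w*")
TOKEN = re.compile(r"'(?:[^']|'')*'|\|[^|]*\||\"[^\n]*")      # literal, template, comment
STMT = re.compile(r"((?:'(?:[^']|'')*'|\|[^|]*\||[^.'|])+)\.")  # statement up to its period

def split_statements(source):
    """(line, text) per ABAP statement, joined across lines, whitespace collapsed.
    Periods inside '...' or |...| do not end a statement; comments are dropped, except
    that *" function-signature lines are kept as pseudo statements."""
    lines = [l[2:] + "." if l.startswith('*"') else "" if l.startswith("*") else l
             for l in source.splitlines()]
    text = TOKEN.sub(lambda m: "" if m.group().startswith('"') else m.group(), "\n".join(lines))
    stmts = []
    for m in STMT.finditer(text):
        first = m.start() + len(m.group(1)) - len(m.group(1).lstrip())
        stmts.append((text.count("\n", 0, first) + 1, " ".join(m.group(1).split())))
    return stmts

def tainted_origin(expr, tainted):
    """Entry point of the first tainted variable used in expr outside '...' literals."""
    return next((tainted[i.lower()] for i in IDENT.findall(LITERAL.sub("''", expr))
                 if i.lower() in tainted), None)

def scan(source):
    """Forward pass in statement order: record variables that carry untrusted data,
    propagate it through assignments and APPEND, clear it where a sanitizer runs, and
    report a finding only when a tainted variable reaches a dangerous statement.
    (A real engine also follows branches and calls; this is the straight-line case.)"""
    tainted, findings = {}, []
    for no, stmt in split_statements(source):
        for rx, entry in SOURCES:
            if m := rx.match(stmt):
                tainted[m.group(1).lower()] = entry
        if m := ASSIGN.match(stmt):
            origin = tainted_origin(m.group(2), tainted)
            if origin and not SANITIZER.search(m.group(2)):
                tainted[m.group(1).lower()] = origin
            else:
                tainted.pop(m.group(1).lower(), None)
        if (m := APPEND.match(stmt)) and (origin := tainted_origin(m.group(1), tainted)):
            tainted[m.group(2).lower()] = origin
        if m := VALIDATE_FILE.match(stmt):
            tainted.pop(m.group(1).lower(), None)
        if HARDCODED_USER.search(stmt):
            findings.append(Finding(no, "Hard-Coded Usernames", "n/a"))
        for rx, kind in SINKS:
            if (m := rx.search(stmt)) and m.group(1).lower() in tainted:
                findings.append(Finding(no, kind, tainted[m.group(1).lower()]))
    return findings

# Constructed samples (not Globe and Mail code). The first feeds RFC caller input
# into four dangerous statements; the second neutralises it before each sink.
VULNERABLE_FM = """\
FUNCTION z_subs_export.
*"     VALUE(IV_WHERE) TYPE STRING
*"     VALUE(IV_FILE)  TYPE STRING
*"     VALUE(IV_EXPR)  TYPE STRING
  DATA: lv_where TYPE string, lt_subs TYPE TABLE OF zsubs, lt_code TYPE TABLE OF string.
  lv_where = |STATUS = 'A' AND { iv_where }|.
  SELECT * FROM zsubs INTO TABLE lt_subs WHERE (lv_where).
  OPEN DATASET iv_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-uname = 'JOBY'. CALL 'SYSTEM' ID 'COMMAND' FIELD iv_file ID 'TAB' FIELD lt_subs. ENDIF.
  APPEND 'PROGRAM zgen.' TO lt_code. APPEND |FORM f. WRITE { iv_expr }. ENDFORM.| TO lt_code.
  GENERATE SUBROUTINE POOL lt_code NAME DATA(lv_prog).
ENDFUNCTION.
"""
HARDENED_FM = """\
FUNCTION z_subs_export.
*"     VALUE(IV_STATUS) TYPE STRING
*"     VALUE(IV_FILE)   TYPE STRING
  DATA: lv_where TYPE string, lv_file TYPE string, lt_subs TYPE TABLE OF zsubs.
  lv_where = |STATUS = { cl_abap_dyn_prg=>quote( iv_status ) }|.
  SELECT * FROM zsubs INTO TABLE lt_subs WHERE (lv_where).
  lv_file = iv_file.
  CALL FUNCTION 'FILE_VALIDATE_NAME' EXPORTING logical_filename = 'Z_SUBS_EXPORT'
    CHANGING physical_filename = lv_file EXCEPTIONS OTHERS = 1.
  IF sy-subrc = 0. OPEN DATASET lv_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT. ENDIF.
ENDFUNCTION.
"""
```

Calling scan(VULNERABLE_FM) reports a SQL injection, a directory traversal, a hard-coded username check followed by OS command execution, and an ABAP command injection, each tied back to the RFC parameter the data came from; scan(HARDENED_FM) reports nothing, because the same sinks are reached only by neutralised data. That contrast is the point of slide 23: a dangerous statement alone is not a finding, which is what keeps the false positive rate down. The straight-line pass is the main simplification here; a real engine follows branches and calls and would, for example, notice if the result of FILE_VALIDATE_NAME were used without the sy-subrc check.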
 25. ABAP Code Scanning: Benefits. Lower Risk
     • Detects and supports remediation of vulnerabilities that lead to cyberattacks, system failures, data theft/fraud, industrial espionage
     • Tests in-sourced and out-sourced development and 3rd-party add-ons: enforces standards for all development deliverables; clear and enforceable definition of programming standards
     • Ensures all ABAP code changes meet compliance and audit requirements
 26. ABAP Code Scanning: Benefits. Lower TCO
     • Problems are found earlier in the SDLC = lower cost to remediate a defect
     • Better-quality code (maintainability, performance, robustness) = lower test and maintenance costs
     • Reduced review & testing times = faster delivery of new applications
     • Automated scanning = less use of (expensive) development resources
     • Online scan & remediation support for faster resolution = less time for corrections and repair
     • Better-quality code = fewer SAP production system issues
 27. Agenda (section divider: Summary)
 28. ABAP Security in Context
     Internal control systems: structure in the ERP environment (nested, outer to inner)
     IT General Controls (ITGC) → Change Management → ABAP Application Code → Business Rules Enforcement (authentication, encryption, authorization, logging, interfaces, audit, …)
 29. Custom Development: Source of Defects
     • Little/no technical specifications
     • Manual/basic code reviews
     • Testing focused on functional aspects
     • External/3rd-party development
     • Limited/no code change monitoring
 30. Custom Development: Business Risks due to Security Defects
     • Cyberattacks
     • Data theft/fraud
     • Industrial espionage
     • Loss of image
     • System failures
 31. ABAP Static Code Scanning: Benefits
     Increase: security and compliance of SAP® applications; performance; system stability; quality standards of internal and external software development
     Decrease: business risks; maintenance efforts; test and correction efforts; operating costs
 32. Thank you for participating
     Please provide feedback on this session by completing a short survey via the event mobile application. Session code: CD208.
     For ongoing education on this area of focus, visit www.ASUG.com
     Meet Joby and Markus at the Virtual Forge booth 159
