This presentation was held by Stephen Lamy, Virtual Forge, at the Basis & SAP Administration 2015 Conference in Las Vegas, March 2015.
Stephen Lamy explained the important elements of testing that belong in a risk assessment of SAP system configurations and of custom (and third-party) ABAP code, which strategies exist for identifying the types of testing to perform, and how to keep SAP systems safe and secure by building automated processes.
Key Takeaways:
- Why automated risk assessments can benefit you in a cost-effective way
- How to ensure security and compliance without losing quality in SAP systems and applications
- How to lower the risk of vulnerabilities by implementing a code or system scanning solution to test for security, compliance and quality
Assess SAP Risks in One Click
1. Virtual Forge, Inc.
How to Assess the Risks in Your SAP® Systems at the Push of a Button
Basis and SAP Administration 2015
2. Virtual Forge: Management Summary
We reduce business risks and protect your entire SAP environment.
We cover all SAP® risk categories from Security to Compliance to Quality, on both the code and the system layer.
Our solutions follow a simple approach: Assess – Safeguard – Optimize, improving the state of your entire SAP system continuously.
We provide highly efficient, automated solutions built on our deep knowledge and experience.
We ensure that the SAP systems of leading global companies adhere to the highest Security, Compliance and Quality standards.
4. Customer Success Stories
The U.S. Department of Defense
“Virtual Forge CodeProfiler enables us to prove that our code is secure and compliant… It is accurate, comprehensive and consistent and ensures that all ABAP code meets our high standards.”
~Christine Warring, TEWLS Sustainment Manager for the Dept of Defense
The Globe and Mail
“With Virtual Forge CodeProfiler tightly integrated into our SAP change and transport management processes, we were able to scan all our custom ABAP code and identify non-compliant code in no time at all.”
~Joby Joseph, SAP Security Lead at the Globe and Mail
SAP
“Applying the Virtual Forge CodeProfiler and the close collaboration helped us to increase the level of security and improved the quality of our business solutions.”
~Ralph Salomon, Vice President, IT Security & Risk Office, at SAP
Siemens
“One of the key requirements was to scan several billion lines of code each week. Together with Virtual Forge, we have been able to create a truly unique solution.”
~Michael Brauer, Director of Corporate Automation within the Corporate IT department at Siemens
5. A simple approach: Assess – Safeguard – Optimize.
Assess: Automatically assess risk by continuously monitoring system configuration and code changes.
Safeguard: Implement automatic testing for risk in ABAP code and SAP system configurations.
Optimize: Continually reduce risk exposure as far as possible during ongoing operations and projects.
[Diagram: SAP Security, Compliance & Quality cycle – 1. Assess, 2. Safeguard, 3. Optimize]
6. Why manage risk?
Some facts…
1. More than 248,500 companies depend upon SAP to run their business
2. SAP customers include:
1. Transport > 1.1 million flight passengers per day
2. Produce > 77,000 cars every day
3. Produce > 65% of all TVs
4. 72% of the world-wide beer production depends on companies that run SAP!!!
8. Cyber-attacks, fraud, and system downtimes are key business risks
SAP Security, Compliance and Quality challenges
SAP Applications
• Authorizations
• Transport Management
• Patches
• Business Continuity
• Application Performance
SAP Configuration
• Authorizations
• SAP Operating & Database System
• Web Security
• Communication Channels
• Logging / Forensics
SAP Coding
• Assessment
• Development
• Architecture
• Code Quality
• Testing
• Deployment
Sources of Risk
• System configuration and settings
• Custom coding
• Extended functionality of the SAP standard
Key Business Risks
• Cyber-attacks: $7.2 million per case
• Fraud: 5% annual revenue loss per company
• System downtimes: 14 hrs per case
Sources: Cost of Cyber Crime Study (Ponemon Institute, 2013), Global Fraud Study (ACFE, 2014), The Avoidable Cost of Downtime (CA Technologies, 2010)
9. Analysis of custom ABAP in 217 customer systems shows:
Custom ABAP code
There is more than 1 critical security/compliance issue per 1,000 lines of custom ABAP® code. A typical SAP system has 2,150 security/compliance issues in custom code.
For you this means: an attacker gains full access to all business data by exploiting just one of these vulnerabilities.
There is 1 critical performance issue and there are 3 critical robustness issues per 1,000 lines of custom ABAP® code.
For you this means: companies only use a fraction of the hardware speed their systems could provide. Any failure can lead to data corruption and system downtime.
Source: CodeProfiler analysis of 453 million lines of custom ABAP® code from 217 SAP systems (status: Oct 2014)
11. Analysis of the configuration of 121 SAP Systems shows:
SAP System Configuration
90% of all SAP systems are vulnerable to attacks, and the number of SAP systems connected to the internet is increasing rapidly.
For you this means: an attacker gains full access to all business data by exploiting just one critical vulnerability.
Manual configuration results in high operating costs. A single omission can lead to severe security, compliance, or quality issues.
For you this means: understanding best practices and managing configurations in a changing environment is a difficult and ongoing task, and configuration drift is a constant challenge.
Source: SystemProfiler analysis of 427 SAP systems (Status: Dec 2014)
15. The Evolution of SAP & ABAP Technology
In the past: isolated systems, fewer users, less data, less custom development, regular but rare releases
Today: open systems, more users, more data, more custom development, frequent release cycles
Future: more open systems, even more users, even more data, even more development, higher-frequency releases
16. Attack Surface of SAP
1997 – A simpler life
[Diagram: SAP ABAP® System reached by Direct UIs and External Systems]
17. Attack Surface of SAP
Since 2011 – complexity continues to grow
[Diagram: SAP ABAP® System reached by Direct UIs, Indirect UIs and External Systems]
18. SAP System Administration – a simple task
Profile Parameters
Logging
OS Security
System Authorizations
Password Policies
Communication Security
Patch Days
Enhancement Packs
Transport Requests
Firewalls
Database Performance
Java Servers
System Audits
Web AS Security
Security Notes
21. The Benefits of Automated Risk Management
1. Apply best practice rules to reduce business risks
2. Enforce company policies consistently throughout the organization
3. Reduce costs and time by eliminating manual tasks
4. Eliminate human error and lack of knowledge as risk factors
5. Manage emergencies without increasing risk
22. A simple approach: Assess – Safeguard – Optimize.
CodeProfiler for ABAP Code
Assess: Continually test and correct ABAP code during development. Inspect the entire code base regularly.
Safeguard: Implement automatic code testing to prevent risky code from reaching your productive systems.
Optimize: Continually improve code as far as possible to close security and quality gaps.
[Diagram: SAP Security, Compliance & Quality cycle – 1. Assess, 2. Safeguard, 3. Optimize]
24. CodeProfiler Benefits
• Ensures that ABAP code meets industry best-practice standards for security, quality and performance
• Performs automatic testing of any code changes and stops transport of bad code
• Reduces the time and cost of development and code reviews
• Developers can scan/correct online during development
• Online documentation includes remediation instructions for on-the-job learning
• Automatic testing of all code changes
• Automatic correction for fast remediation
• Highly accurate results!
25. A simple approach: Assess – Safeguard – Optimize.
SystemProfiler for SAP Configuration
Assess: Continually audit configuration risk across the SAP landscape.
Safeguard: Implement automatic testing and escalation to reduce the potential for risk exposure.
Optimize: Continually reduce risk exposure as far as possible during ongoing operations and projects.
[Diagram: SAP Security, Compliance & Quality cycle – 1. Assess, 2. Safeguard, 3. Optimize]
27. SystemProfiler Benefits
• Ensures that SAP system configuration meets industry best practices
• Allows automatic monitoring and correction of SAP configuration settings across your landscape
• Saves time and money by automating manual, error-prone tasks
• Allows you to distribute security policies across the landscape quickly and easily
• Easy to install and scalable to any size of landscape
• Highly accurate results!
28. Virtual Forge CodeProfiler and SystemProfiler
Free Risk Assessment Offer! How good is your SAP system? Visit www.virtualforge.com
[Graphic: SAP® Risk Assessment – Security, Compliance, Quality]
32. Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.