How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review Process

/* How Pratt & Whitney
Streamlined Their ABAP Security and
Quality Code Review Process */
#SAPtd

SEC 108
How Pratt & Whitney Streamlined Their ABAP
Security and Quality Code Review Process
Giovanni Rondinelli
SAP Data Management & IT Performance Lead
UTC Pratt & Whitney © 2015, Virtual Forge, Inc.
All rights reserved.
This document does not contain technical data to the EAR or ITAR.

Agenda
 About UTC Pratt & Whitney
 Challenges
 Solution
 Results
 Recommendations
3

Your Speaker
Giovanni Rondinelli
  Responsible for SAP Performance, Data Management, and HANA
deployment
  20 years of SAP experience
  Worked at SAP for 7 years
  At Pratt & Whitney for almost 12 years
4

About UTC Pratt & Whitney
  Founded in Hartford, Conn., in 1925
  A United Technologies Corp. company
  World leader in the design, manufacture and service of aircraft engines
  Revenues: $14.5 billion (2014)
  Operating Profit: $2.0 billion (2014)
  More than 11,000 customers around the world
  Approximately 33,500 employees worldwide
5

Challenges

Challenges
Limitations
Limitations with the existing process
  Complex, slow and expensive review process
  Required extensive manpower and heavy time commitment
  Cumbersome email-based system with a lot of back-and-forth
  Manual process resulting in the inconsistent application of code
review standards
  Previous performance process tool not available to developers
7

Challenges
Limitations
Goals
  Lower cost
  Reduce risk
  Streamline and simplify the code review process
Requirements
  Maintain and improve code security
  Improve quality of custom ABAP code
  Implement user-friendly, standard tools for all developers
$ !
8

Cost to correct increases exponentially
$100 : $1,000 : $10,000
DEV QAS PRD
Average
cost of a
single
code
correction
UI5/Eclipse SE80 TMS QA/UAT Go Live
Time (DEV, QAS, PRD)Development Functional Testing
9

Top 11 ABAP code security tests
ID Vulnerability Descrip2on
APP-01 ABAP Command Injec<on Execu<on of arbitrary ABAP Commands
APP-02 OS Command Injec<on Execu<on of arbitrary OS Commands
APP-03 Na<ve SQL Injec<on Execu<on of arbitrary SQL Commands
APP-04
Improper Authoriza<on
(Missing, Broken, Proprietary,
Generic)
Missing or incorrect Authoriza<on Checks
APP-05 Directory Traversal Unauthorized write/read access to ﬁles (SAP Server)
APP-06 Direct Database Modiﬁca<ons Unauthorized Access to SAP Standard Tables
APP-07 Cross-Client Database Access Cross-Client Access to Business Data
APP-08 Open SQL Injec<on Malicious Manipula<on of OSQL Commands
APP-09 Generic Module Execu<on Unauthorized Execu<on of Modules (Reports, FMs, etc.)
APP-10 Cross-Site Scrip<ng Manipula<on of the Browser UI, Iden<ty The_
APP-11 Obscure ABAP Code Hidden / untestable ABAP Code
10

Solution

Solution
Automated Scanning
ABAP Scanning
  Accurate results with prioritized findings
  Comprehensive testing for security, performance and quality
  Tightly integrated with SAP and the development process
(available to all developers in the entire process)
  Detailed remediation instructions for on-the-job training
(good for new developers)
  Automated audit reports
12

Solution
A simple approach: Assess – Safeguard – Optimize
Assess:
Continually test and correct ABAP code during
development. Inspect entire code base
regularly.
Safeguard:
Implement automatic code testing to prevent
risky code from reaching your productive
systems.
Optimize:
Continually improve code to close security
and quality gaps.
SAP
Security, Compliance
& Quality
1. Assess
2. Safeguard3. Optimize
13

Solution
Incorporating into HANA Roadmap
  HANA Roadmap
  Leverage CodeProfiler for code remediation in preparation for ECC on
HANA
  Hybrid Performance Analysis in ECC
14

Results

Results
Benefits Realized
  Effective governance: less effort and
reduced costs
  Quality standards set for internal/external
developments
  Accurate and resource-saving analysis and
evaluation
  Reduction of security and compliance
risks
  Reduced from from cyber-attack, fraud and
system downtime
  Reduced development costs
  Considerable cost reduction for development
and maintenance by improving program
quality
  Improved availability: faster and safer
programs
  Reduced runtime and hardware utilization
through improved performance
  Minimized system failures and downtime
using selective corrections
16

Results
Today
  Nothing goes through unless ABAP scan is clean
  Big improvements across the entire code review process
  All developers have access to CodeProfiler
  Common process for new and existing development objects
  More consistent code reviews
  Reduce overall code review time by 70%
  Reduce overall cost of review by 65%
  No code-related incidents since implementation
  TMS integration with approval and escalation process
  Continue to automate additional parts of the process and further reduce costs
17

Recommendations

Recommendations
  Include automated tools in your reviews in order to lower risk of costly errors
  Provide a solution all developers can use
  Simplify your review process with automated code scanning tools
  Expedite your reviews through automation in order to save time and money
  Use automation to fulfill security, performance and quality requirements
  You cannot fix everything at once. It’s an ongoing process.
19

Hybrid Performance Analysis
20

Automatic Scanning of All Changes
21

Scanning by Developers During Development (ECC)
Online development scans screenshot placeholder
22

Key Takeaways
  CodeProfiler has become an important asset to our quality review process
  Easy to implement and maintain
  Little or no training required for developers
  Quick acceptance by the developers.
  Developers become better developers
  CodeProfiler did not eliminate the need for code reviewers
  The approval process still exists, but CodeProfiler made the process
easier and faster
23

Virtual Forge CodeProfiler
Free Risk Assessment Offer!
How good is your SAP system?
Visit www.virtualforge.com
ü  Summary of
findings
ü  Priorization and
classification of
vulnerabilities
ü  Specific examples
of findings
ü  Code and system
metrics
Quality
Compliance
Security
SAP-
System
Risk Assessment /
Penetration Test
•  SAP configuration
•  Custom code
Free
24

www.virtualforge.com
@Virtual_Forge
Thank you!

Disclaimer
© 2015 Virtual Forge Inc. All rights reserved.
SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are
the trademarks of their respective companies.
Information contained in this publication is subject to change without prior notice. It is provided by Virtual
Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in
this publication. Information contained in this publication does not imply any further liability.
Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.

How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review Process

More Related Content

Viewers also liked

Similar to How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review Process

More from Virtual Forge

Recently uploaded

How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review Process