How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review Process
#SAPtd
SEC 108
Giovanni Rondinelli
SAP Data Management & IT Performance Lead
UTC Pratt & Whitney
© 2015, Virtual Forge, Inc. All rights reserved.
This document does not contain technical data to the EAR or ITAR.
Agenda
• About UTC Pratt & Whitney
• Challenges
• Solution
• Results
• Recommendations
Your Speaker
Giovanni Rondinelli
• Responsible for SAP Performance, Data Management, and HANA deployment
• 20 years of SAP experience
• Worked at SAP for 7 years
• At Pratt & Whitney for almost 12 years
About UTC Pratt & Whitney
• Founded in Hartford, Conn., in 1925
• A United Technologies Corp. company
• World leader in the design, manufacture and service of aircraft engines
• Revenues: $14.5 billion (2014)
• Operating Profit: $2.0 billion (2014)
• More than 11,000 customers around the world
• Approximately 33,500 employees worldwide
Challenges
Limitations with the existing process
• Complex, slow and expensive review process
• Required extensive manpower and heavy time commitment
• Cumbersome email-based system with a lot of back-and-forth
• Manual process resulting in the inconsistent application of code review standards
• Previous performance process tool not available to developers
Challenges
Goals
• Lower cost
• Reduce risk
• Streamline and simplify the code review process
Requirements
• Maintain and improve code security
• Improve quality of custom ABAP code
• Implement user-friendly, standard tools for all developers
Cost to correct increases exponentially
Average cost of a single code correction: $100 in DEV, $1,000 in QAS, $10,000 in PRD.
Figure placeholder: cost of a correction plotted against time through the stages Development (UI5/Eclipse, SE80), Functional Testing (TMS, QA/UAT) and Go Live, across the DEV, QAS and PRD systems.
Top 11 ABAP code security tests

ID      Vulnerability                                                   Description
APP-01  ABAP Command Injection                                          Execution of arbitrary ABAP commands
APP-02  OS Command Injection                                            Execution of arbitrary OS commands
APP-03  Native SQL Injection                                            Execution of arbitrary SQL commands
APP-04  Improper Authorization (Missing, Broken, Proprietary, Generic)  Missing or incorrect authorization checks
APP-05  Directory Traversal                                             Unauthorized write/read access to files (SAP server)
APP-06  Direct Database Modifications                                   Unauthorized access to SAP standard tables
APP-07  Cross-Client Database Access                                    Cross-client access to business data
APP-08  Open SQL Injection                                              Malicious manipulation of Open SQL (OSQL) commands
APP-09  Generic Module Execution                                        Unauthorized execution of modules (reports, FMs, etc.)
APP-10  Cross-Site Scripting                                            Manipulation of the browser UI, identity theft
APP-11  Obscure ABAP Code                                               Hidden / untestable ABAP code
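Two rows of the table, APP-08 (Open SQL injection) and APP-04 (improper authorization), are the kind of finding an automated ABAP scan reports, and the remediation guidance the slides mention typically shows the offending pattern next to the corrected one. The report below is an added example written for this page; it is not code from the presentation, from Pratt & Whitney or from CodeProfiler. The report name ZSEC_REVIEW_DEMO and the parameter P_CARR are invented; SFLIGHT and S_CARRID are SAP's flight demo table and demo authorization object, and CL_ABAP_DYN_PRG is the SAP kernel class for validating and quoting input used in dynamic program fragments.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the presentation): APP-08 Open SQL injection
*& and APP-04 missing authorization check in one small report, each
*& followed by the hardened form. Report name and P_CARR are invented;
*& SFLIGHT / S_CARRID are SAP's flight demo table and authorization object.
*&---------------------------------------------------------------------*
REPORT zsec_review_demo.

PARAMETERS p_carr TYPE c LENGTH 40 LOWER CASE.

TYPES: BEGIN OF ty_flight,
         carrid TYPE sflight-carrid,
         connid TYPE sflight-connid,
       END OF ty_flight.

DATA: lt_flights TYPE STANDARD TABLE OF ty_flight,
      lv_carr    TYPE string,
      lv_col     TYPE string VALUE 'CARRID',  " stand-in for a user-chosen column
      lv_where   TYPE string.

lv_carr = p_carr.   " c -> string conversion drops the screen field's trailing blanks

*----------------------------------------------------------------------*
* BEFORE: the pattern a scanner flags
*----------------------------------------------------------------------*
* APP-08: the screen value is spliced verbatim into the dynamic WHERE
* text. Input that closes the literal and appends an always-true
* condition widens the selection from one carrier to every row.
* APP-04: nothing checks whether this user may see the carrier at all.
lv_where = |CARRID = '{ lv_carr }'|.
SELECT carrid connid FROM sflight INTO TABLE lt_flights WHERE (lv_where).

*----------------------------------------------------------------------*
* AFTER: hardened form
*----------------------------------------------------------------------*
* APP-04: check the authorization object before touching the data.
* ACTVT 03 is "display"; the program ends with an error if it fails.
AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD lv_carr
  ID 'ACTVT'  FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No display authorization for this carrier' TYPE 'E'.
ENDIF.

* APP-08, option 1: a static WHERE with a host variable. The value is
* bound as data, so quotes or SQL keywords inside it are never parsed.
SELECT carrid connid FROM sflight INTO TABLE lt_flights
  WHERE carrid = lv_carr.

* APP-08, option 2: the clause must stay dynamic. Column names cannot be
* quoted, so validate them against the ABAP naming rules (raises
* CX_ABAP_INVALID_NAME otherwise); values are wrapped by QUOTE, which
* doubles any embedded single quote so the input stays one literal.
TRY.
    lv_col = cl_abap_dyn_prg=>check_column_name( lv_col ).
  CATCH cx_abap_invalid_name.
    MESSAGE 'Invalid column name' TYPE 'E'.
ENDTRY.
lv_where = |{ lv_col } = { cl_abap_dyn_prg=>quote( lv_carr ) }|.
SELECT carrid connid FROM sflight INTO TABLE lt_flights WHERE (lv_where).
```

Option 1 is the fix a reviewer should ask for whenever the column is fixed; option 2 exists for the cases (dynamic column, dynamic table) where the clause genuinely has to be assembled at run time, and the rule there is that every fragment is either validated against a naming rule or passed through the quoting routine, never concatenated raw.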
Solution
Automated Scanning
ABAP Scanning
• Accurate results with prioritized findings
• Comprehensive testing for security, performance and quality
• Tightly integrated with SAP and the development process (available to all developers in the entire process)
• Detailed remediation instructions for on-the-job training (good for new developers)
• Automated audit reports
Solution
A simple approach: Assess – Safeguard – Optimize
1. Assess: Continually test and correct ABAP code during development. Inspect entire code base regularly.
2. Safeguard: Implement automatic code testing to prevent risky code from reaching your productive systems.
3. Optimize: Continually improve code to close security and quality gaps.
Figure placeholder: cycle diagram with "SAP Security, Compliance & Quality" at the centre and the three steps 1. Assess, 2. Safeguard, 3. Optimize around it.
Solution
Incorporating into HANA Roadmap
• HANA Roadmap
• Leverage CodeProfiler for code remediation in preparation for ECC on HANA
• Hybrid Performance Analysis in ECC
Results
Benefits Realized
• Effective governance: less effort and reduced costs
  • Quality standards set for internal/external developments
  • Accurate and resource-saving analysis and evaluation
• Reduction of security and compliance risks
  • Reduced risk from cyber-attack, fraud and system downtime
• Reduced development costs
  • Considerable cost reduction for development and maintenance by improving program quality
• Improved availability: faster and safer programs
  • Reduced runtime and hardware utilization through improved performance
  • Minimized system failures and downtime using selective corrections
Results
Today
• Nothing goes through unless ABAP scan is clean
• Big improvements across the entire code review process
• All developers have access to CodeProfiler
• Common process for new and existing development objects
• More consistent code reviews
• Reduce overall code review time by 70%
• Reduce overall cost of review by 65%
• No code-related incidents since implementation
• TMS integration with approval and escalation process
• Continue to automate additional parts of the process and further reduce costs
Recommendations
• Include automated tools in your reviews in order to lower risk of costly errors
• Provide a solution all developers can use
• Simplify your review process with automated code scanning tools
• Expedite your reviews through automation in order to save time and money
• Use automation to fulfill security, performance and quality requirements
• You cannot fix everything at once. It’s an ongoing process.
Hybrid Performance Analysis
Automatic Scanning of All Changes
Scanning by Developers During Development (ECC)
Online development scans screenshot placeholder
Key Takeaways
• CodeProfiler has become an important asset to our quality review process
• Easy to implement and maintain
• Little or no training required for developers
• Quick acceptance by the developers
• Developers become better developers
• CodeProfiler did not eliminate the need for code reviewers
• The approval process still exists, but CodeProfiler made the process easier and faster
Virtual Forge CodeProfiler
Free Risk Assessment Offer! How good is your SAP system? Visit www.virtualforge.com
• Summary of findings
• Prioritization and classification of vulnerabilities
• Specific examples of findings
• Code and system metrics
Figure placeholder: free SAP system risk assessment / penetration test covering SAP configuration and custom code, scored on Quality, Compliance and Security.
www.virtualforge.com
@Virtual_Forge
Thank you!
Disclaimer
© 2015 Virtual Forge Inc. All rights reserved.
SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are
the trademarks of their respective companies.
Information contained in this publication is subject to change without prior notice. It is provided by Virtual
Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in
this publication. Information contained in this publication does not imply any further liability.
Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.
