Christine Warring, Project Manager at the DoD, presented at this year's SAP TechEd, how she and her team managed to successfully pass all tests and audits for a self-developed SAP-based medical logistics system for the armed forces and ultimately to obtain "Authority to Operate" - authorization to start operating. She also gives recommendations for the testing of custom SAP applications.

1. /* How the U.S. Department of Defense
Secures Its Custom ABAP Code */
#SAPtd

2. How the U.S. Department of Defense Secures
Its Custom ABAP Code
Christine Warring
TEWLS Sustainment Project Manager, JMLFDC
CACI Contractor © 2015, Virtual Forge, Inc.
All rights reserved.

3. Agenda
SAP TEWLS @ Department of Defense
Challenges
Custom ABAP
Best Practices

4. SAP TEWLS @ Dept of Defense

5. SAP TEWLS @ Dept of Defense
Custom ABAP Applications
Theater Enterprise Wide Logistics System (TEWLS)
SAP-based Enterprise Resource Planning
Supports theater-level medical logistics
Developed by US Army to replace TAMMIS
Single shared data environment
Developed in ABAP
5

6. SAP TEWLS @ Dept of Defense
Custom ABAP Applications
What is TEWLS?
Enterprise-level total life cycle management of medical assemblages
Development
Production
Fielding
Sustainment
Theater Intermediate-Level Medical Logistics:
Acquisition & life-cycle management
Strategic programs for mobilization & deployment of materials
Theater Supply Chain Management to include full storage and distribution capabilities for
Medical Materials (TLAMM)
Compliance with Federal Financial Management Improvement Act (FFMIA); Standard Financial
Information Structure (SFIS); Federal Information System Controls Audit Manual (FISCAM)
6

7. Challenges

8. Challenges
Passing the Test
Department of Defense Adopted TEWLS
TEWLS to be used for all armed forces
Required to prove that ABAP code was secure and compliant
The Problem
Static code scanning required
Code scanning solution that DOD mandated did not produce accurate results
Unable to go live without Authority to Operate (ATO)!
8

9. Challenges
The Problem
Limitations with existing tools
Many false findings
Inconsistent results (even with same code base)
Developers could not use day to day
Limited test scope
No help with remediation!
Impact
Used valuable resource time working through false results
Unable to prove that the code was secure and compliant to finalize DOD ATO
Annoyed developers
Late feedback for developers
9

10. Challenges
The Solution
ABAP Scanning with CodeProfiler
Accurate results with prioritized findings
Comprehensive testing
Developers can correct and learn while the work
Detailed remediation instructions and auto correction
Results
Able to scan and remediate vulnerabilities quickly
Reduced number of code corrections required
Improved developer skills
Reduced effort and time spent on code reviews
Ensured ALL code meets security and compliance requirements
10

11. Custom ABAP
Are your custom applications compliant?
ATO (Authority To Operate)
PII (Personally Identifiable Information)
PIA (Privacy Impact Assessment)
PCI-DSS (Payment Card Industry Data Security Standard)
Internal standards
11

12. Best Practices

13. Best Practices
Recommended Testing
Security and compliance
Performance
Stability and robustness
Maintainability
13

14. Best Practices
Code Reviews
Top 11 Most Dangerous Security Vulnerabilities:
1. ABAP Command Injection
2. OS Command Injection
3. Native SQL Injection
4. Improper Authorization Checks
5. Directory Traversal
6. Direct Database Modifications
7. Cross-Client Database Access
8. Open SQL Injection
9. Generic Module Execution
10. Cross-Site Scripting
11. Hidden ABAP code
14

15. Best Practices
Lessons Learned/Recommendations
Custom code can be a source of risk to SAP systems.
Automated testing is necessary to ensure code security and quality.
All solutions are not alike – Compare!
Start now. Don’t wait for an incident to occur.
15

16. Virtual Forge CodeProfiler
Free Risk Assessment Offer!
How good is your SAP system?
Visit www.virtualforge.com
ü Summary of
findings
ü Priorization and
classification of
vulnerabilities
ü Specific examples
of findings
ü Code and system
metrics
Quality
Compliance
Security
SAP-
System
Risk Assessment /
Penetration Test
• SAP configuration
• Custom code
Free
16

17. www.virtualforge.com
@Virtual_Forge
Thank you!

18. Disclaimer
© 2015 Virtual Forge Inc. All rights reserved.
SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are
the trademarks of their respective companies.
Information contained in this publication is subject to change without prior notice. It is provided by Virtual
Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in
this publication. Information contained in this publication does not imply any further liability.
Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.