SAP CODE SECURITY
SAP Code Security is a critical component of the SAP Cybersecurity Strategy. Both the manufacturer, SAP, and its customers must take action to secure the customer's own ABAP/4 and Java developments.
The core products of the SAP portfolio stand out for their versatility and flexibility. SAP S/4HANA applications, and their predecessor, SAP NetWeaver, can be customized extensively. Thanks to the open architecture, efficient and automated data exchange between software applications is possible, provided SAP interface security is taken into account. Customers rarely run SAP solutions in their off-the-shelf configuration; it is usually necessary to extend the standard by developing customer-specific ABAP/4 applications.
To underline the need for SAP Code Vulnerability Management, one only has to look at the fixes released by the vendor on SAP Security Patch Day: the category "Program error" accounts for the largest share of patches.
What risks can arise from vulnerabilities in ABAP/4 source code? As with any programming language, the developer must fix known vulnerabilities; otherwise, threat actors can exploit them. These include the classics such as SQL injection, directory traversal, backdoors, insufficient authorization checks, and many more. An attacker who exploits such a vulnerability can read and modify data unnoticed, which also means a loss of integrity for the digital information in the SAP database.
What is SAP Code Security?
The terms SAP Code Security and SAP Code Vulnerability Management are synonymous. They refer to the methods, processes, and actions necessary to secure the customer's own developments.
They consider three areas:
- Code development process
- Existing code (legacy) scan
- Guidelines and security training for developers
During development, the developer should have access to code scanners that identify and assess ABAP vulnerabilities. It is also helpful to perform an additional scan before an SAP transport is released for deployment into an SAP production system. At the same time, legacy code must be checked regularly, since in the SAP context source code can also be injected or generated at runtime. To drive continuous improvement, we recommend training the SAP development teams with a focus on secure development.
The integrated development environment (IDE) for ABAP offers, with the ABAP Test Cockpit (ATC), the possibility to check the quality of developments regarding runtime, scalability, and best practices. Unfortunately, vulnerability analysis is only minimally represented in the standard. This may be because SAP SE also offers the SAP Code Vulnerability Analyzer, a product subject to a separate charge.
Without an efficient ABAP code vulnerability scanner, developers are often flying blind. We have seen that even with adequate training and guidelines, human error can lead to severe vulnerabilities being overlooked. You should therefore address the issue promptly.
Code Vulnerability Analysis is a core component of the SecurityBridge Platform and enables organizations to identify and eliminate malicious or vulnerable code that exists in a production environment.
A strategic approach is required to address the vulnerabilities identified in legacy source code. After all, you cannot simply modify programs that are in productive use and move them straight back into the production system. The corrected artifacts must also be approved as part of a functional test to prevent unwanted side effects. It is sometimes not advisable to aim at eliminating all vulnerabilities at once; it is more efficient to strive for targeted mitigation. In addition to remediation, targeted threat monitoring can also be used to achieve this goal.
Our team of SAP security experts regularly reviews the patch releases of SAP Security Patch Day. It is clear that the manufacturer, too, must correct many missing or insufficient authorization checks. It is a characteristic of the ABAP programming language that authorization checks have to be explicitly coded and validated by the developer.
What is the SAP Code Inspector?
The SAP Code Inspector is a code analysis tool available in the SAP standard, now replaced by the ABAP Test Cockpit (ATC) in the newer S/4HANA and SAP NetWeaver 7.50 versions. However, its detection of code vulnerabilities is limited and insufficient to ensure secure ABAP code.
What is a CVA tool?
A CVA tool is a code vulnerability analyzer: a tool with which you can examine source code for vulnerabilities. For each development language there are dedicated solutions adapted to the characteristics of that language. The same applies to the ABAP/4 programming language used to extend critical SAP business applications.
What are the 4 main SAP code vulnerability types?
ABAP is a powerful language that has evolved over the years. The 4 main types of vulnerabilities are:
- SQL Injection Vulnerabilities
- Source Code Injection or generation at runtime
- Missing or invalid authorization checks
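The first and third vulnerability types above, and the classes named earlier in the article, in one added ABAP example that is not part of the original article or of any SecurityBridge product: the same lookup written once with a dynamic WHERE clause built from raw input and no authorization check, and once hardened. SFLIGHT and the authorization object S_CARRID are SAP flight-model demo objects; the report and FORM names are assumptions.

```abap
REPORT z_demo_cva_hardening.
" Added example (not from the original article). Assumed names: report and FORMs.
" SFLIGHT and S_CARRID are SAP flight-model demo objects.

TYPES ty_flights TYPE STANDARD TABLE OF sflight WITH DEFAULT KEY.
PARAMETERS p_carr TYPE sflight-carrid.

"--- Vulnerable: the defects a CVA scanner should flag.
"    1. User input is concatenated into a dynamic WHERE clause, so a quote
"       character in the input changes the statement (SQL injection).
"    2. No AUTHORITY-CHECK before reading business data.
FORM read_flights_vulnerable USING    iv_carrid  TYPE string
                             CHANGING ct_flights TYPE ty_flights.
  DATA(lv_where) = |CARRID = '{ iv_carrid }'|.
  SELECT * FROM sflight WHERE (lv_where) INTO TABLE @ct_flights.
ENDFORM.

"--- Hardened: explicit authorization check, typed input, static WHERE.
FORM read_flights_hardened USING    iv_carrid  TYPE sflight-carrid
                           CHANGING ct_flights TYPE ty_flights.
  CLEAR ct_flights.
  " ABAP does not enforce authorization; the developer must code the check.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD iv_carrid
    ID 'ACTVT'  FIELD '03'.          " 03 = display
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this airline' TYPE 'E'.
  ENDIF.
  " The value is bound as a host variable, i.e. as data, never as SQL text.
  SELECT * FROM sflight
    WHERE carrid = @iv_carrid
    INTO TABLE @ct_flights.
  " If the clause really must be dynamic, quote and escape the value with the
  " kernel helper instead of a string template:
  "   DATA(lv_where) = |CARRID = { cl_abap_dyn_prg=>quote( iv_carrid ) }|.
ENDFORM.

START-OF-SELECTION.
  DATA lt_flights TYPE ty_flights.
  PERFORM read_flights_hardened USING p_carr CHANGING lt_flights.
  WRITE: / |{ lines( lt_flights ) } flights read for { p_carr }|.
```

A code vulnerability analyzer run on this report should report the dynamic WHERE and the missing authorization check in the first FORM and nothing in the second; the second FORM is also what a transport-release scan (as described above) is expected to let through.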
How many code vulnerabilities should I expect?
Statistically, you can expect one severe security vulnerability for every 1,000 lines of code.