How to master SAP code vulnerabilities in legacy coding?
Chapters
Share Article
After reading the title, you’re probably thinking – Why should legacy code be handled differently than new coding? Well, let’s draw up a real-life scenario to illustrate the challenges:
The fictitious company HappyLife Ltd. has introduced the SecurityBridge Platform. With SecurityBridge, they can access a best-of-breed ABAP/4 Code vulnerability scanner, which provides multiple features. Developers can check their newly introduced coding using the well-known SAP IDE because you can start the CVA from all development transactions like SE80, SE24, SE37, and even Eclipse for ABAP/4. Transport request contents can be verified using the quality gate introduced by the platform.
This was done to cover it in case a developer forgets about fixing a coding flaw or a threat actor person tries to introduce malicious coding into the SAP Transport Management System.
However, this article will mainly focus on the findings revealed when we scanned for vulnerabilities in the full scope of the customer’s code base.
Do not boil the ocean
When scanning your systems for the first time, it may be the ABAP Code Vulnerability Analyzer digs out many hundreds of custom code vulnerabilities. Fixing all these will be nearly impossible if you cannot access unlimited development resources. Additionally, we can’t neglect the required testing effort before deploying a correction in production environments.
First things first – where to start?
Ignoring severe findings in the legacy coding can cause a considerable risk unacceptable for the executive leaders of the board.
Although any security measure is better than no security measure, those who follow a planned approach have a strategic advantage. It is especially beneficial that the SecurityBridge Code Vulnerability Analyzer can help you implement many industry best practices.
Remember that achieving perfection is impossible, even if you invest time and money in your company’s security. You should benchmark every measure and investment you take against the effort, complexity, and impact on your security posture.
We recommend our customers first address the issues that are simple and easy to achieve and that simultaneously have the largest impact.
Knowing where to start requires some preparation time. Confronted with the initial scan result, we review the findings to prioritize and categorize. While the priority will help you specify an action sequence, categorization is vital to group similar problems since those typically also have an identical solution.
SecurityBridge customers have this simplified since all findings have a severity (Low, Medium, High, Very High) and a vulnerability category (Backdoor, Insufficient, or discriminated authorization check, Access to password hashes, etc.).
Define the Cleanup-Methodology
Equipped with this information, we must define the cleanup methodology. Based on our experience, it is particularly important to keep the approach simple since it will have to be adopted by your development teams.
The most effective and accepted methodology is not to create a big code cleansing project to eliminate all findings at once. Better define your approach to get into the established development cycle.
Finding the best way can be very individual to your situation. For example, some development teams still organize their work in a project mode, leading to stressful phases followed by stabilization periods. The development isn’t loaded in the later phase, which sometimes can mean that some developers need to leave the project team until a new project starts. This causes a loss of valuable knowledge and creates an opportunity for your cleanup initiative.
What should you consider for SAP Legacy Coding?
Choosing the right approach will help you gradually reduce the severe vulnerabilities existing in the legacy coding while ensuring that no new vulnerabilities get introduced.
Approach the legacy findings:
Leverage the priority and category of findings to come up with a “must-fix,” “can-fix,” and “don’t touch” methodology to introduce a simple rule system for your dev teams. No need to explain “must-fix.” You should fix those findings, or else the coding cannot pass the established quality gate at the SAP transport release. The “can-fix” findings fall into the responsibility of the individual developer. In case the situation allows for a correction, it can be done. For example, if project time constraints exist or the correction’s impact is too big, it may be done, at a better time.
Analyze the usage of legacy code:
It is vital to analyze whether the code is still used. If you find fragments not in use anymore, it is better to eliminate the code. This helps you reduce the attack surface of your SAP S/4HANA significantly. Expert Tip: You may want to keep the coding for reference later, then you can comment it out.
Introduce code security during the development process:
Enable developers to write secure code by design. The SecurityBridge Code Vulnerability Analyzer can easily integrate with SAP Code Inspector and the ABAP Test Cockpit.
Secure the release and deployment:
To ensure the security rating of your code base naturally improves over time (mainly due to the integration of security validation within the development process), it is vital to ensure that you aren’t introducing any new vulnerabilities. New vulnerabilities may originate from customs or third-party code.
SecurityBridge Code Vulnerability Analyzer introduces a gatekeeper that checks ABAP/4 transport requests before you can release them into the deployment track. Transport requests that contain vulnerabilities will be blocked
Setting the target high
Once you equip the development toolkit and processes with efficient measures, it is only a matter of time before your security posture improves. However, this does not mean you can forget about security since securing SAP is a continuous effort that demands it to be managed and controlled. We recommend your customers define their goals and build a roadmap that contains important milestones on the road to a secure SAP environment. This also applies to the section of SAP Code Vulnerability Analysis. SecurityBridge helps you to define and document the goal and run reoccurring scans to assess the progress.
Additional protection layers
After reading this entire article, you probably noticed that eliminating all vulnerabilities in the ABAP/4 code repository isn’t the goal. Unfortunately, this also means that there is always a residual risk of exploitation. Therefore, the monitoring of exploitation is an elementary part of SecurityBridge.
Your monitoring should include more than just programs with vulnerabilities. You must secure ways that bypass your gatekeepers. If code injection is possible, this could also be given. SecurityBridge Threat Detection can also monitor this. Learn more about this in this article.
Conclusion
Even though Legacy Code Vulnerabilities may seem daunting and complex at first, you should not be intimidated. You can achieve significant improvement with little effort by using effective tools and an appropriate strategy. By following the steps described in this article, you will come closer to achieving your goal of cyber resilience.