
Prerequisites for an AI-driven SAP Security – Part 3: Custom Code Cleansing


As AI keeps gaining ground, SAP customers want to understand how it can improve their SAP security posture. However, some homework has to be done before AI can be used to its full potential for protecting SAP environments. In the previous parts of this series, we discussed two prerequisites for AI-driven SAP security: system patching and system hardening. In this article, we look at vulnerabilities in ABAP custom code.

How custom code vulnerabilities impact your attack surface

While patch management remediates known vulnerabilities in SAP's own system code, the custom applications written by your organization or by external contractors still carry a considerable amount of technical debt. Among it are many code vulnerabilities that allow data breaches or give cyber criminals an easy path into your SAP system.

Too often, SAP teams consider themselves safe because most of their custom code is unused. However, even unused code adds to the attack surface of the application: it remains executable, and nothing prevents it from being called at any time.

As a result, SAP customers who scan their custom applications for the first time, either with the SAP Code Inspector or with a third-party solution such as the SecurityBridge Code Vulnerability Analyzer, are confronted with a large attack surface made up of years of accumulated code vulnerabilities.

Unfortunately, immediate remediation is not realistic: fixing all of these vulnerabilities at once would require development resources no organization has, and the testing effort needed before deploying all of those corrections to production at the same time would be enormous. We have therefore gathered a set of recommendations to consider when approaching these code vulnerabilities.

Recommendations for cleansing code vulnerabilities in SAP custom applications

Start by raising awareness of secure coding practices. It is crucial that your development team knows how to build an ABAP custom application without vulnerabilities. Extensive training is not necessarily required: the findings of the SecurityBridge Code Vulnerability Analyzer come with explanations and recommendations for secure ABAP statements, and they help to categorize the findings. Findings classified as "must be fixed" are a showstopper for any deployment into production. Findings classified as "can be fixed" leave the developer the flexibility to decide based on project time constraints or application impact.
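As an added example that is not part of the original article and not SecurityBridge code: one of the classic ABAP findings such a scanner reports, an SQL injection through a dynamic WHERE clause, shown in its injectable form, in a hardened form that uses the SAP-standard class cl_abap_dyn_prg, and in the static form a reviewer should ask for whenever the column is known at design time. The report name zsec_dyn_where_demo, the local class and the sample payload are assumptions made for this illustration; KNA1 and its fields KUNNR, NAME1 and LAND1 are SAP standard.

```abap
*&---------------------------------------------------------------------*
*& Added illustration, not code from the article or from SecurityBridge.
*& Report name, local class and payload are assumptions; KNA1 is standard.
*&---------------------------------------------------------------------*
REPORT zsec_dyn_where_demo.

CLASS lcl_customer_query DEFINITION.
  PUBLIC SECTION.
    TYPES tt_cust TYPE STANDARD TABLE OF kna1 WITH EMPTY KEY.
    " Vulnerable: caller input is pasted verbatim into a dynamic WHERE clause.
    CLASS-METHODS select_injectable
      IMPORTING iv_input       TYPE string
      RETURNING VALUE(rt_cust) TYPE tt_cust.
    " Hardened: the value is quoted and embedded quotes are doubled before it
    " reaches the clause, so it can only ever be a literal, never SQL text.
    CLASS-METHODS select_hardened
      IMPORTING iv_input       TYPE string
      RETURNING VALUE(rt_cust) TYPE tt_cust.
    " Preferred: static ABAP SQL with a host variable; there is no SQL text to
    " inject into at all.
    CLASS-METHODS select_static
      IMPORTING iv_input       TYPE string
      RETURNING VALUE(rt_cust) TYPE tt_cust.
ENDCLASS.

CLASS lcl_customer_query IMPLEMENTATION.
  METHOD select_injectable.
    " Input   0000000001' OR LAND1 <> '   turns the clause into
    "   KUNNR = '0000000001' OR LAND1 <> ''
    " and returns every customer with a country instead of the one requested.
    DATA(lv_where) = |KUNNR = '{ iv_input }'|.
    SELECT * FROM kna1 WHERE (lv_where) INTO TABLE @rt_cust.
  ENDMETHOD.

  METHOD select_hardened.
    " cl_abap_dyn_prg=>quote wraps the value in single quotes and doubles any
    " quote inside it. The payload can no longer terminate the literal, so it
    " cannot change the condition; it is compared as one (nonsensical) value.
    DATA(lv_where) = |KUNNR = { cl_abap_dyn_prg=>quote( iv_input ) }|.
    SELECT * FROM kna1 WHERE (lv_where) INTO TABLE @rt_cust.
  ENDMETHOD.

  METHOD select_static.
    " The host variable is bound as a value of type KUNNR; no clause is built.
    DATA(lv_kunnr) = CONV kna1-kunnr( iv_input ).
    SELECT * FROM kna1 WHERE kunnr = @lv_kunnr INTO TABLE @rt_cust.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed payload: a valid-looking customer number followed by an
  " injected OR condition.
  DATA(lv_payload) = |0000000001' OR LAND1 <> '|.

  TRY.
      DATA(lt_leak) = lcl_customer_query=>select_injectable( lv_payload ).
      WRITE / |Injectable variant returned { lines( lt_leak ) } rows|.
      DATA(lt_safe) = lcl_customer_query=>select_hardened( lv_payload ).
      WRITE / |Hardened variant returned { lines( lt_safe ) } rows|.
      DATA(lt_static) = lcl_customer_query=>select_static( lv_payload ).
      WRITE / |Static variant returned { lines( lt_static ) } rows|.
    CATCH cx_sy_dynamic_osql_error INTO DATA(lx_sql).
      " A rejected dynamic clause is the safe outcome; report it, do not hide it.
      WRITE / |Dynamic clause rejected: { lx_sql->get_text( ) }|.
  ENDTRY.
```

The static variant is the fix a reviewer should insist on wherever the column is fixed at design time. cl_abap_dyn_prg=>quote is for the cases where the clause genuinely has to be assembled at runtime; quoting does not help for dynamic table or column names, which need an allow-list check such as cl_abap_dyn_prg=>check_whitelist_str instead.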

Note that such an ABAP code cleanup will be a long process. Instead of starting with a big remediation project, you might therefore first establish a simple but effective security gateway within your development process. By scanning each transport for vulnerabilities before it is imported into the test systems, you ensure that no new insecure code enters the landscape; the standard ABAP Test Cockpit can also run checks when a transport request is released and block the release on findings. SecurityBridge helps your development team to write secure code by design and integrates with the SAP Code Inspector and the ABAP Test Cockpit. It also scans every SAP transport request for code vulnerabilities before it is imported into the system, keeping insecure third-party code out of your SAP environment.

Next, you can cleanse the existing custom code and reduce the number of vulnerabilities in your legacy applications step by step. Focus on the code that is actually used, and confirm that with usage data (for example from the ABAP Call Monitor, SCMON) rather than with assumptions. Unused code with vulnerabilities should ideally be deleted, or commented out if you want to keep it as a reference; either way it can no longer be executed and no longer contributes to your attack surface. In the used code, look for vulnerabilities with a high exploitation risk, or findings with a high severity and a big impact. Those that are easy to solve belong at the top of your backlog. Ideally, align the remediation work with other application changes to minimize testing effort.

These recommendations will help you improve the security rating of your code base over time while keeping new vulnerabilities out of your SAP landscape. For critical vulnerabilities that remain in your custom code in the meantime, make sure that your SAP security monitoring informs you whenever code with critical findings is executed in your system. SecurityBridge Threat Detection does this automatically, allowing SAP teams to verify that the execution is intentional and not a cyberattack.

Interested in learning how we can help you adopt secure ABAP coding and establish a security gateway within your Application Lifecycle Management process?

Contact us and we will be happy to tell you more about our guided approach to SAP security excellence. For more SAP security news, articles, and whitepapers, please follow us on LinkedIn!

Posted by 

Holger Huegel
