How to master SAP code vulnerabilities in legacy coding? 

Legacy coding

After reading the title, you’re probably wondering why legacy code should be handled differently from new code. Well, let’s draw up a realistic scenario to illustrate the challenges:

The fictitious company HappyLife Ltd. has introduced the SecurityBridge Platform. With SecurityBridge, they can access a best-of-breed ABAP/4 code vulnerability scanner that provides multiple features. Developers can check their newly introduced code from within the well-known SAP IDE, because the Code Vulnerability Analyzer (CVA) can be started from all development transactions such as SE80, SE24, SE37, and even Eclipse for ABAP/4. Transport request contents can be verified using the quality gate introduced by the platform.

The quality gate covers the case where a developer forgets to fix a coding flaw, or where a threat actor tries to introduce malicious code into the SAP Transport Management System.

However, this article will mainly focus on the findings revealed when we scanned for vulnerabilities in the full scope of the customer’s code base. 

Do not boil the ocean

When scanning your systems for the first time, the ABAP Code Vulnerability Analyzer may dig out many hundreds of custom code vulnerabilities. Fixing all of them is nearly impossible unless you have unlimited development resources. Additionally, we can’t neglect the testing effort required before deploying a correction to production environments.

First things first – where to start?

Ignoring severe findings in legacy code creates a considerable risk that is unacceptable to the executive leadership and the board.

Although any security measure is better than no security measure, those who follow a planned approach have a strategic advantage. It is especially beneficial that the SecurityBridge Code Vulnerability Analyzer can help you implement many industry best practices.  

Remember that achieving perfection is impossible, even if you invest time and money in your company’s security. You should benchmark every measure and investment you take against the effort, complexity, and impact on your security posture.  

We recommend our customers first address the issues that are simple and easy to achieve and that simultaneously have the largest impact.  

Knowing where to start requires some preparation time. Confronted with the initial scan result, we review the findings to prioritize and categorize them. While the priority helps you define an action sequence, categorization is vital to group similar problems, since those typically share an identical solution.

SecurityBridge customers have this simplified, since all findings carry a severity (Low, Medium, High, Very High) and a vulnerability category (Backdoor, Insufficient or discriminated authorization check, Access to password hashes, etc.).

Define the Cleanup-Methodology

Equipped with this information, we must define the cleanup methodology. Based on our experience, it is particularly important to keep the approach simple since it will have to be adopted by your development teams.  

The most effective and accepted methodology is not to set up a big code cleansing project that eliminates all findings at once. Instead, define an approach that fits into the established development cycle.

Finding the best way can be very individual to your situation. For example, some development teams still organize their work in a project mode, leading to stressful phases followed by stabilization periods. Development is less loaded in the later phase, which sometimes means that some developers have to leave the project team until a new project starts. This causes a loss of valuable knowledge, but it also creates an opportunity for your cleanup initiative.

What should you consider for SAP Legacy Coding?

Choosing the right approach will help you gradually reduce the severe vulnerabilities existing in the legacy coding while ensuring that no new vulnerabilities get introduced.  

Approach the legacy findings:

Leverage the priority and category of findings to come up with a “must-fix,” “can-fix,” and “don’t touch” methodology, which introduces a simple rule system for your dev teams. “Must-fix” needs no explanation: you have to fix those findings, or the code cannot pass the established quality gate at the SAP transport release. The “can-fix” findings fall into the responsibility of the individual developer. If the situation allows for a correction, it is made; if project time constraints exist or the correction’s impact is too big, it can be postponed to a better time.

Analyze the usage of legacy code:

It is vital to analyze whether the code is still used. If you find fragments that are no longer in use, it is better to eliminate the code. This reduces the attack surface of your SAP S/4HANA system significantly. Expert tip: if you want to keep the coding for later reference, you can comment it out instead.

Introduce code security during the development process:

Enable developers to write secure code by design. The SecurityBridge Code Vulnerability Analyzer can easily integrate with SAP Code Inspector and the ABAP Test Cockpit.  

Secure the release and deployment:

To ensure that the security rating of your code base naturally improves over time (mainly due to the integration of security validation within the development process), it is vital to ensure that you aren’t introducing any new vulnerabilities. New vulnerabilities may originate from custom or third-party code.

SecurityBridge Code Vulnerability Analyzer introduces a gatekeeper that checks ABAP/4 transport requests before you can release them into the deployment track. Transport requests that contain vulnerabilities will be blocked.
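To make the must-fix / can-fix / don’t-touch rule system and the transport quality gate concrete, here is an added Python example (not SecurityBridge code) that classifies scanner findings and blocks a transport that still carries must-fix findings. The severity/category mapping, the `Finding` fields, the object names and the transport numbers are assumptions constructed for the illustration.

```python
"""Triage of ABAP code-scan findings and a transport-release quality gate.
Added example, not SecurityBridge code. The policy below (which severities and
categories become must-fix) is an assumption; the findings are constructed data."""
from __future__ import annotations
from dataclasses import dataclass

SEVERITIES = ("Low", "Medium", "High", "Very High")   # ranking used by the scanner
# Assumed policy: these categories are must-fix regardless of severity
CRITICAL_CATEGORIES = {"Backdoor", "Access to password hashes"}


@dataclass(frozen=True)
class Finding:
    obj: str        # ABAP object name (constructed, e.g. a custom Z report)
    severity: str   # one of SEVERITIES
    category: str   # vulnerability category reported by the scanner
    in_use: bool    # result of the usage analysis: is the object still called?


def triage(f: Finding) -> str:
    """Classify one finding as 'must-fix', 'can-fix' or 'dont-touch'."""
    if f.severity not in SEVERITIES:
        raise ValueError(f"unknown severity {f.severity!r}")
    if not f.in_use:
        # Dead code is not corrected; it is deleted or commented out,
        # which removes the finding and shrinks the attack surface.
        return "dont-touch"
    if f.category in CRITICAL_CATEGORIES or f.severity == "Very High":
        return "must-fix"
    if f.severity in ("Medium", "High"):
        return "can-fix"          # developer decides, may be postponed
    return "dont-touch"           # Low severity: leave legacy code alone


def transport_gate(transport: str, findings: list[Finding]) -> tuple[bool, list[str]]:
    """Quality gate at transport release: released only if no must-fix remains.
    Returns (released, list of blocking reasons)."""
    blockers = [f"{transport}/{f.obj}: {f.category} ({f.severity})"
                for f in findings if triage(f) == "must-fix"]
    return (not blockers, blockers)


# Constructed sample findings, not a real scan result
SAMPLE = [
    Finding("Z_LEGACY_REPORT", "Very High", "Backdoor", in_use=True),
    Finding("Z_PRICE_CALC", "High", "Insufficient authorization check", in_use=True),
    Finding("Z_OLD_UPLOAD", "High", "Access to password hashes", in_use=False),
    Finding("Z_UTIL", "Low", "Insufficient authorization check", in_use=True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.obj:16} -> {triage(f)}")
    print(transport_gate("DEVK900001", SAMPLE))   # (False, [one blocker])
```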

Setting the target high

Once you equip the development toolkit and processes with efficient measures, it is only a matter of time before your security posture improves. However, this does not mean you can forget about security, since securing SAP is a continuous effort that has to be managed and controlled. We recommend our customers define their goals and build a roadmap with important milestones on the road to a secure SAP environment. This also applies to SAP code vulnerability analysis. SecurityBridge helps you define and document the goal and run recurring scans to assess the progress.

Additional protection layers

After reading this entire article, you have probably noticed that eliminating all vulnerabilities in the ABAP/4 code repository isn’t the goal. Unfortunately, this also means that there is always a residual risk of exploitation. Therefore, monitoring for exploitation is an elementary part of SecurityBridge.

Your monitoring should include more than just the programs with known vulnerabilities. You must also cover the ways that bypass your gatekeepers, for example code injection at runtime. SecurityBridge Threat Detection can monitor this as well. Learn more about this in this article.

Conclusion

Even though legacy code vulnerabilities may seem daunting and complex at first, you should not be intimidated. You can achieve significant improvement with little effort by using effective tools and an appropriate strategy. By following the steps described in this article, you will come closer to achieving your goal of cyber resilience.

Posted by

Christoph Nagy