Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL (SAPTechEd)

Dr. Markus Schumacher

CD208: Automating Code Reviews for Custom ABAP
PPT Masterfolie
zur Erstellung von Präsentationen
Applications to Reduce Risk and Lower TCO

© 2012 Virtual Forge Inc | www.virtualforge.com | rights reserved.
2013
| www.virtualforge.com | All All rights reserved.

Who we are
PPT Masterfolie
Joby Joseph

SAP Functional / Security Lead
The Globe and Mail | Toronto | Canada

Dr. Markus Schumacher
CEO of Virtual Forge
Heidelberg | Weimar | Philadelphia
Twitter: @virtual_forge | Questions: #safercode

© 2012 Virtual Forge Inc || www.virtualforge.com || All rights reserved.
© 2012 Virtual Forge Inc www.virtualforge.com All rights reserved.

Agenda
PPT Masterfolie
•zur Erstellung von Präsentationen
SAP @ Globe and Mail

• Development life cycle @ Globe and Mail
• Potential Risks from Bad ABAP Code
• ABAP Firewall: Automatic Code Scanning
• Summary


SAP @ The Globe and Mail
• PPT Masterfolie
The Company

• Media company headquartered in Toronto, Canada
•
•

Handles distribution of several other products in Canada,
including The New York Times

•

•

Produces and distributes nationally in Canada

Largest circulation national newspaper which heavily focuses on
business, current affairs and lifestyle coverage

•

The one and only Canadian customer of SAP’s IS‐Media

•

Implemented SAP in 2002 – 2007

•

Modules IS‐MSD, IS‐MAM, SD, FICA, FI‐CO, HR, BW, BO

•

Heavily customized code in IS‐MSD due to the North American
media subscription model with contract accounting

•

Highly “custom ABAP” dependent implementation


• PPT Masterfolie
Highly customized development of Industry Solution for Media

• Lots n’ lots of Customer Development
•

Internal and External Development Staff
•
•

•

Independent ABAP consultants
Off‐shore developments

Users are both internal and external
•
•

Subscribers and Retail Customers

•

Telemarketers

•

•

Internal Functional users

Vendors

Interfaces to Public Facing Websites
•

Strict interface standards (PCI‐DSS)

•

Customer sensitive applications

•

Real‐time Java and .Net apps interfacing to SAP through custom RFCs

•

File based asynchronous interfaces from multiple web applications


PPT Masterfolie
•zur Erstellung von Präsentationen
SAP @ Globe and Mail

• Development life cycle @ Globe and Mail
• Potential Risks from Bad ABAP Code
• ABAP Firewall: Automatic Code Scanning
• Summary


Conflicting Project Goals
• Goals of project / implementation teams:
PPT Masterfolie

• Project budget and go‐live date
zur• Erstellung von Präsentationen
Delivered product must work at point of hand‐over
• Satisfy the “direct customers“ (e.g. new site)
• Minimize coordination effort where ever possible
(with the customer as well as team‐/supplier internally)
• Minimize regression tests
• Scope reductions (classic “not part of our job / contract” discussions)
• Low cost / offshore

• Goals of system owners:
•
•
•
•
•
•

Long term maintainability
Harmonized processes and “templates”
Avoiding redundancies
Low operating costs
Secure environment
Quality, Sustainability & no surprises in coding


Conflicting Project Goals
• Goals of project / implementation teams:
PPT Masterfolie

Approaches
• Project budget and go‐live date
• Clone existing ABAP code instead of extending or reusing
zur• Erstellung von Präsentationen
Delivered product must work at point of hand‐over
existing functionality
• Satisfy the “direct customers“ (e.g. new site)
• Ignore template, rather clone legacy system where ever
possible
• Minimize coordination effort where ever possible
• Quick & dirty, hard‐coded
(with the customer as well as team‐/supplier internally)
• Cheap resources instead of experienced staff
• Minimize regression tests
• Delay progress in order to force customer to accept
• Scope reductions (classic “not part of our job / contract” discussions)
unsatisfactory solutions to keep time line
• Low cost / offshore • …

Have you ever wondered, where all the vulnerabilities are
• Goals of system owners:

•
•
•
•
•
•

coming from?
Long term maintainability
Harmonized processes and “templates”
Avoiding redundancies
As system owners, we have to combine two contradicting
Low operating costs goals to make a project really successful:
Secure environment • Support and manage the project
• “Defend” the system against the above short cuts
Quality, Sustainability & no surprises in coding


Automated Code Reviews
Static Code Scanning

PPT Masterfolie
• Code Reviews – Why not manual reviews?
• Managing change process from ticket creation to Prod release
• Tight integration with SAP
• Tracking changes, approvals, create/release transports, etc.
• Ensures compliance (PCI DSS, SOX, ITIL, internal, etc.)
• ‘ABAP Firewall’ ‐ static code analysis of ABAP application code
and changes


Virtual Forge CodeProfiler
ABAP Firewall

PPT Masterfolie
• zur Erstellung von Präsentationen and SAP
Tightly integrated with Change Process

•

Tests all domains: Security, Compliance, Performance,
Maintainability and Robustness

•
•
•
•
•

On-line scanning with Best Coding Practices documentation
Automatic Correction
Very low False Positive rate (<5%)
Fast scan rate for high volume scanning (>20k loc/sec)
Integrated ABAP WB, Eclipse, SAP TMS, ATC, Solution
Manager, etc.


The Evolution of ABAPTM

Circa 2011

PPT Masterfolie


More sophisticated Attackers
– Script Kiddies

PPT Masterfolie
• Minor knowledge
• Works with „copy & paste“ and uses public information, programs,
tools, etc. in order to attack / damage computer systems
• Random targets
• Motivation: usually  reputation


More sophisticated Attackers
- Professional Attackers

PPT Masterfolie
• Highly skilled
• Almost unlimited time and money resources
• Targeted attacks (e.g. Stuxnet)
• Often internal attackers
• Motivation: Industrial espionage, sabotage, …


The Forgotten Layer
Application Runtime

PPT Masterfolie
zur Erstellung von
• SAP security must be Präsentationen
addressed holistically
• Business Run‐time Apps
must properly enforce
Business Logic security
• GRC & SoD are only
effective if they are
enforced within the
applications


Front-end/Business Logic
Business Runtime
Database
Operating System

ABAPTM Quality Benchmarks
Powered by CodeProfiler

PPT Masterfolie
Metric
Average
Source Code Lines (LOC)

Total

1,862,418

156,443,087

Average

Per KLOC
(Average)

1,475

0.79

Compliance (Critical only)

270

0.14

Performance (Critical only)

1,171

0.63

415

0.22

1,586

0.85

(without comments and empty lines)

Domain
Security (Critical only)

Maintainability (High prio only)
Robustness (Critical only)
Totals

4,917

ABAPTM Quality Benchmarks
Powered by CodeProfiler

PPT Masterfolie
The average SAP customer system has:
•

.93 Critical Security/Compliance errors per 1,000 LOC

•

50% probability of an ABAP Command Injection vulnerability

•

93% probability of a Directory Traversal vulnerability

•

100% probability of defective Authorization Checks

Source: Initial scan of 156,443,087 Lines of custom ABAP code from 88 SAP customers (status: July 2013)

Regulatory Compliance
PPT Masterfolie
 PCI‐DSS (Payment Card Industry Data Security Standard)
CodeProfiler provides more than 30 test cases in order to test for PCI DSS compliance (PCI
DSS Requirements and Security Assessment Procedures, Version 2.0)

 PII (Personally Identifiable Information)
To protect the PII, CodeProfiler has test cases related to the disclosure of critical data
("assets").
Exit points for this domain exist in the following classifications: SAP GUI, HTTP/HTML, FTP,
GUI Download, Files, Return values of RFC enabled function modules. Main purpose of
this test domain is to identify data leaks.

 SOX
CodeProfiler provides more than 30 test cases in order to test for SOX /SOX‐EUR
compliance (Sarbanes‐Oxley Act). SOX audits rely on IT General Controls (ITGC) to provide
a sound technical basis for the reliability and accountability of business processes. Custom
development is relevant for Change Management, which is in turn relevant for ITGC.
Therefore, any changes to program logic are SOX relevant, if they introduce a potential
security issue. ABAP coding practices and standards must ensure that ITGC are not
bypassed by insecure coding. SOX audits must check that appropriate controls are in place
that make sure no relevant security defects exist in ABAP code.

Custom Development
Cost of Defects

PPT Masterfolie
Custom ABAP Development Facts
Cost of Defects



$100

$1,000
$10,000
$$$$$


to correct defect during development

to correct defect found in QA testing

to correct defect in production

Cost of attack or system down

Code Governance & Control
Built into the Process

PPT Masterfolie


Data and Control Flow Analysis
Shows only finding that matter
Input (SAP GUI, BSP, RFC, ...)
PPT Masterfolie

Software

Dangerous Statement


CodeProfiler
Comprehensive Test Scope

PPT Masterfolie
Security
zur Erstellung von Präsentationen Data Loss Prevention
ABAP™ Command Injection

Disclosure of Critical Data

OS Command Execution
SQL Injection
Broken Authority Checks
Hard‐Coded Usernames
...

Performance
Usage of WAIT Command
Usage of SELECT*

s

Security Tests

Maintenance of sensitive data
…

CodeProfiler
PATENTED
all rights
reserved

Maintainability & Robustness

QA Tests

Naming Conventions
Nested Macro Calls

Nested Loop

Hard‐coded Org Units

Incomplete Index

Insufficient Error Handling

...

Security

Disclosure of Source Code

...

Performance


Quality

ABAP Code Scanning ‐ Benefits
Lower Risk
PPT Masterfolie
– Detects and support mediation of vulnerabilities
•
•
•
•

Cyberattacks
System Failures
Data theft/Fraud
Industrial Espionage

– Tests in‐/out‐sourced development and 3rd party add‐ons.
• Enforces standards for all development deliverables
• Clear and enforceable definition of programming standards

– Ensures all ABAP code changes meet Compliance and
Audit requirements

ABAP Code Scanning ‐ Benefits
Lower TCO
PPT Masterfolie
• Problems are found earlier in SDLC
= Lower cost to mediate defect

• better quality code (maintainability, performance, robustness)

= Lower test and maintenance costs
• Reduced review & testing times

= Faster delivery of new applications
• Automated scanning

= Less use of (expensive) development resources
• Online scan & mediation support for faster resolution

= Less time for corrections and repair
• Better quality code

= Less SAP production system issues


ABAP Security in Context
PPT Masterfolie

Internal Control Systems ‐Structure in the ERP Environment
IT General Controls (ITGC)
Change Management

ABAP Application Code
Business Rules Enforcement
Authentication, Encryption, Authorization,
Logging, Interfaces, Audit…


Custom Development
Source of Defects
PPT Masterfolie
Custom ABAP Development Facts
Source of Defects



Little/no technical specifications

Manual/Basic code reviews

Testing focused on functional aspects

External/3rd Party development

Limited/no code change monitoring


Custom Development
Business Risks
PPT Masterfolie
Business Risks
Due to Security Defects



Cyberattacks

Data theft/Fraud

Industrial espionage

Loss of image

System failures


ABAP Static Code Scanning
PPT Masterfolie

Benefits of Static Code Scanning
Increase

Decrease

 Security and compliance of
SAP® applications

 Business risks

 Performance

 Maintenance efforts

 System stability

 Test and correction efforts

 Quality standards of internal and external
software development

 Operating costs


PPT Masterfolie
THANK YOU FOR PARTICIPATING

Please provide feedback on this session by
completing a short survey via the event mobile
application.
SESSION CODE: CD208
For ongoing education on this area of focus,
visit www.ASUG.com

Meet Joby and Markus at the Virtual Forge Booth 159

Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL (SAPTechEd)

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL (SAPTechEd)

Similar a Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL (SAPTechEd) (20)

Más de Virtual Forge

Más de Virtual Forge (20)

Último

Último (20)

Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL (SAPTechEd)