What can be done to check whether programs developed in SAP comply with security standards?
What tools does SAP offer out-of-the-box for secure programming?
Are there already tools included in the SAP suite?
Yes, there are several tools you can use that are already present in SAP S/4HANA (some already in the ECC suite):
- ABAP Test Cockpit (transaction ATC) is the main framework for running checks on custom developments; the checks of the other tools below can be run through it
- Code Inspector (transaction SCI). Performs checks on performance, security (some basic checks) and syntax. It is intended for checks during development and in routine maintenance
- Extended Program Check (transaction SLIN). Performs static checks that go beyond the standard syntax check and would take much longer to carry out by hand during normal maintenance
- CVA, Code Vulnerability Analysis. This is an add-on that integrates with the tools above and adds further checks focused on secure coding
How does it work and what is SAP Code Vulnerability Analysis?
- It is an add-on that must be activated (subject to a license)
- It performs a static analysis of the custom code (i.e., all objects beginning with Z or Y, or in a customer namespace /…/)
- Once activated, it can be used from the transactions developers already know, e.g. SE38, SE80, SE24, SE37 and so on, as well as from the ABAP Development Tools in Eclipse
- It can be integrated with the transport system so that the code is checked before a transport request is released
How to activate it?
The Code Vulnerability Analysis add-on is activated through the report RSLIN_SEC_LICENSE_SETUP (or transaction SLIN_ADMIN). Note that activating it requires a specific license, as mentioned above.
You can also declare the tables that contain critical or sensitive data, so that accesses to them are highlighted during the code checks.
Which security checks does SAP CVA carry out?
The SAP blog on CVA lists all the security checks that can be performed; the main categories are:
- SQL Injection
- ABAP Command Injections
- Call Injections
- Directory Traversal
- Insufficient authorization checks
- Potential back doors
- Possible attacks using Web technologies
Once activated, developers can run the checks themselves on their own objects, and the checks can also be attached to the release of transport requests, so that CVA runs at that point.
Can non-ABAP code be checked?
CVA itself checks only ABAP code. For other programming languages, an integration with the Fortify software is possible.
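To make the first and fifth categories above concrete, here is an added example (written for this page, not code from the original post or from SAP): the same report first in a form that CVA reports for SQL injection and for a missing authorization check, then in a hardened form. The report name Z_CVA_DEMO, the parameters and the use of table T001 and authorization object F_BKPF_BUK are assumptions made for the illustration.

```abap
*&---------------------------------------------------------------------*
*& Report Z_CVA_DEMO (illustrative example, not from the original page)
*& Assumed: table T001 (company codes) and auth. object F_BKPF_BUK.
*&---------------------------------------------------------------------*
REPORT z_cva_demo.

PARAMETERS: p_bukrs TYPE bukrs,                          " company code
            p_butxt TYPE c LENGTH 40,                    " free-text name filter
            p_sort  TYPE fieldname DEFAULT 'BUKRS'.      " column to sort by

DATA: lt_result TYPE STANDARD TABLE OF t001 WITH EMPTY KEY,
      lv_where  TYPE string,
      lv_sort   TYPE string.

*--- Vulnerable form -------------------------------------------------*
* User input is concatenated straight into the dynamic WHERE and ORDER BY
* clauses, and no AUTHORITY-CHECK protects the read. CVA reports the
* first as a potential SQL injection (p_butxt may carry a value such as
* x' OR '1' = '1) and the second as an insufficient authorization check.
lv_where = |bukrs = '{ p_bukrs }' AND butxt = '{ p_butxt }'|.
lv_sort  = p_sort.
SELECT * FROM t001 INTO TABLE @lt_result
  WHERE (lv_where)
  ORDER BY (lv_sort).

*--- Hardened form ---------------------------------------------------*
* 1. Check the user's authorization for the requested company code
*    before reading the data.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized for this company code' TYPE 'E'.
ENDIF.

TRY.
    " 2. Only allow-listed column names may reach the dynamic ORDER BY;
    "    check_whitelist_tab raises cx_abap_not_in_whitelist otherwise.
    lv_sort = cl_abap_dyn_prg=>check_whitelist_tab(
                val       = p_sort
                whitelist = VALUE string_table( ( `BUKRS` ) ( `BUTXT` ) ( `LAND1` ) ) ).

    " 3. Values are escaped with quote( ), which wraps them in single
    "    quotes and doubles any embedded quote, so the literal cannot
    "    break out of the WHERE clause.
    lv_where = |bukrs = { cl_abap_dyn_prg=>quote( p_bukrs ) }|
            && | AND butxt = { cl_abap_dyn_prg=>quote( p_butxt ) }|.

    SELECT * FROM t001 INTO TABLE @lt_result
      WHERE (lv_where)
      ORDER BY (lv_sort).
  CATCH cx_abap_not_in_whitelist INTO DATA(lx_not_allowed).
    MESSAGE lx_not_allowed->get_text( ) TYPE 'E'.
ENDTRY.
```

Run CVA (or an ATC check variant with the security checks enabled) on the two halves separately to see the difference: the first SELECT and the missing AUTHORITY-CHECK produce findings, the second half does not, because CVA recognizes the cl_abap_dyn_prg escaping and allow-list methods as the expected sanitization.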
Which roles does SAP foresee for code checking?
SAP suggests the following roles:
- Developer. Defines new programs or modifies existing ones and independently runs the checks in the various domains: security, quality and robustness of the code
- Quality Manager. Reviews the findings, plans check campaigns and defines "exclusions", i.e., exemptions for false positives
- ATC administrator. Checks the campaign logs and configures the tool
What does Baseline mean in this context?
With CVA, as with other code-checking tools, you can analyze a single source object on demand or run a mass analysis of an entire system or landscape. In the latter case a baseline can be generated: an initial mass run whose findings are recorded, so that later runs distinguish pre-existing findings from new ones, and you can then decide how to deal with the recorded findings, for instance by introducing what the tool calls exemptions.
Topics: secure coding sap, secure code development, code vulnerability analysis, sap cva, sap developer