Securing self-developed ABAP programs, BSP pages and Dynpros is a difficult task for large organizations. Without automated tools it is almost impossible to accomplish.
We believe that in any system where development is done, a secure software life-cycle model must be implemented, regular SAP security audits should be extended to include ABAP security reviews, and business processes must be aligned with security development life-cycle best practices. Typically, companies apply ABAP performance reviews and ignore the security part.
We help companies with our ABAP code security solution, which covers the most critical aspects of ABAP security, including BSP security. Any code that needs to go to production can easily be tested, and critical security issues such as ABAP injection or privilege escalation can be addressed before an incident takes place.
ESNC Code Security (also referred to as ESNC Security Suite – C01 – ABAP Code Security Assessment & Correction Module) is a static source code security checker which can be used for detecting vulnerabilities such as (but not limited to):
- SQL Injection, ABAP Injection, Remote Command Execution, Directory Traversal
- Missing Authorizations, Authorization Bypass, Privilege Escalation via ABAP
- Direct Modification of Critical Tables
- Cross Site Scripting
- SAPGUI related attacks and SAPGUI exploits
- Data Loss Prevention (DLP) related issues such as (but not limited to):
  - Extracting Credit Card – Cardholder Information
  - Extracting HR Salary Data
  - Extracting SAP User Password Hashes
ESNC Code Security for ABAP also includes many checks related to reliability, performance, maintainability and quality. A few examples of these checks:
- Performance related checks, e.g. nested loops; SELECT * statements; SELECT, MODIFY or UPDATE inside loops; use of WAIT commands; queries bypassing the table buffer; missing WHERE clauses
- Quality and compliance checks, e.g. logic based on hard-coded user names or system IDs, proper code commenting, and adherence to the company's naming conventions for classes, reports, function modules and other program types
- Naming requirements are fully customizable, e.g. by program type, developer and the date the program was created
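As an added example (this is not ESNC's code and does not describe its engine), the following Python script shows how a handful of rules of the kind listed above can be run over ABAP source: a statement splitter that respects string literals and comments, a single-report taint pass that separates a dynamic WHERE clause built from user input (SQL injection) from one built from a constant, a SELECT * performance rule and a hard-coded user name rule, each carrying an assumed criticality and weight, plus a release gate of the kind described under Scenario II below. Rule IDs, weights and the sample report are constructed for the example.

```python
"""Minimal ABAP rule engine: statement splitting, a one-report taint pass for dynamic
WHERE clauses, a SELECT * rule and a hard-coded user rule. Added example, not ESNC code."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule_id criticality weight line detail")

# rule id -> (criticality, weight, message); ids and weights are illustrative
RULES = {
    "SEC-001": ("critical", 10, "dynamic WHERE clause built from user input (SQL injection)"),
    "SEC-002": ("medium", 4, "dynamic WHERE clause; verify where the variable comes from"),
    "PERF-001": ("low", 1, "SELECT * reads every column of the table"),
    "QUAL-001": ("high", 6, "program logic depends on a hard-coded user name"),
}
PARAM_NAMES = re.compile(r"(?:^PARAMETERS:?|,)\s*(\w+)", re.I)
CONCAT_RE = re.compile(r"^CONCATENATE\s+(.*?)\s+INTO\s+(\w+)", re.I)
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")
DYN_WHERE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)
SELECT_ALL = re.compile(r"\bSELECT\s+(?:SINGLE\s+)?\*", re.I)
UNAME_EQ = re.compile(r"\bsy-uname\s*=\s*'[^']*'", re.I)
LITERAL = re.compile(r"'[^']*'")


def statements(source):
    """Yield (first_line, statement): '*' in column 1 is a comment line, '"' starts an
    end-of-line comment, '.' ends a statement unless inside a '...' literal ('' escapes)."""
    buf, start, in_str = [], None, False
    for ln, line in enumerate(source.splitlines(), 1):
        if line.startswith("*"):
            continue
        i = 0
        while i < len(line):
            ch = line[i]
            if in_str and ch == "'" and line[i + 1:i + 2] == "'":
                buf.append("''")  # doubled quote: escaped, still inside the literal
                i += 1
            elif in_str:
                buf.append(ch)
                in_str = ch != "'"
            elif ch == '"':
                break
            elif ch == ".":
                if start is not None:
                    yield start, " ".join("".join(buf).split())
                buf, start = [], None
            else:
                start = ln if start is None and not ch.isspace() else start
                buf.append(ch)
                in_str = ch == "'"
            i += 1
        buf.append(" ")


def analyze(source):
    """Taint = PARAMETERS and variables built from them with CONCATENATE or &&
    (string templates are not modelled). One statement may hit several rules."""
    tainted, findings = set(), []

    def uses_taint(expr):  # any tainted identifier outside string literals?
        return any(t.upper() in tainted for t in re.findall(r"\w+", LITERAL.sub(" ", expr)))

    def emit(rule_id, line, detail):
        crit, weight, msg = RULES[rule_id]
        findings.append(Finding(rule_id, crit, weight, line, f"{msg}: {detail}"))

    for line, stmt in statements(source):
        if stmt.upper().startswith("PARAMETERS"):
            tainted.update(n.upper() for n in PARAM_NAMES.findall(LITERAL.sub(" ", stmt)))
        elif (m := CONCAT_RE.match(stmt)) and uses_taint(m.group(1)):
            tainted.add(m.group(2).upper())
        elif (m := ASSIGN_RE.match(stmt)) and "&&" in m.group(2) and uses_taint(m.group(2)):
            tainted.add(m.group(1).upper())
        if m := DYN_WHERE.search(stmt):
            emit("SEC-001" if m.group(1).upper() in tainted else "SEC-002", line, m.group(0))
        if SELECT_ALL.search(stmt):
            emit("PERF-001", line, stmt[:40])
        if m := UNAME_EQ.search(stmt):
            emit("QUAL-001", line, m.group(0))
    return findings


def release_allowed(findings, blocking=("critical", "high")):
    """Transport gate: a blocking-criticality finding stops the release; lower ones only warn."""
    return not any(f.criticality in blocking for f in findings)


SAMPLE_ABAP = """\
REPORT zmat_lookup.
PARAMETERS: p_matnr TYPE matnr, p_werks TYPE werks_d.
DATA: lv_where TYPE string, lv_fixed TYPE string VALUE 'MTART = ''FERT''',
      lt_mara TYPE TABLE OF mara, lt_marc TYPE TABLE OF marc.
* vulnerable: WHERE clause assembled from a user-supplied parameter
CONCATENATE 'MATNR = ''' p_matnr '''' INTO lv_where.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).
* dynamic WHERE from a constant: not injectable, still worth a review
SELECT matnr FROM mara INTO TABLE lt_mara WHERE (lv_fixed).
* hardened: static WHERE clause, parameter used as a host variable
SELECT matnr werks FROM marc INTO TABLE lt_marc WHERE werks = p_werks.
IF sy-uname = 'DEVELOPER1'.   " hard-coded user: typical backdoor pattern
  RETURN.
ENDIF.
"""
```

Running `analyze(SAMPLE_ABAP)` reports the injectable SELECT on line 7 as critical, the same statement's SELECT * as a performance finding, the constant-driven dynamic WHERE on line 9 as medium, and the hard-coded user on line 12 as high; the hardened SELECT produces nothing, and `release_allowed` refuses the transport because critical and high findings are present.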
ESNC Code Security – Securing your ABAP development objects
We support several scenarios for manual or automated scan-based issue detection and mitigation.
Scenario I: Periodic Scanning of ABAP Code
For simplicity in detecting and resolving code-related issues, periodic scans can be executed from a single location. The target systems can be any systems in the landscape, including DEV, QA and PROD. Reports can be manually reviewed, prioritized and distributed to developers.
At this stage we also support our customers with services focused on prioritizing the issues and on mitigation strategies.
Scenario II: Mandatory Code Scan Before Releasing a Transport
On certain systems it is not desired that a developer releases a transport which does not adhere to the company's security policies. ESNC Code Security can be used to enforce such policies: the developer's code must pass all mandatory checks, otherwise the transport is not released. For flexibility, companies can also include "nice to have" checks which are not mandatory; in that case the developer is only notified of such defects and the release is not blocked.
Scenario III: Integrating ABAP Code Security with Business Processes, ChaRM and SDL
ESNC Code Security allows approval processes to be implemented. This allows better handling of cases where exceptions to the enforced rules are desired.
Scenario IV: Broad Coverage
ABAP code can be changed in a variety of ways, including tools like the RS_REPAIR_SOURCE program or maliciously via ABAP rootkits/backdoors. To ensure that the code running on the productive system carries no such changes, we recommend configuring ESNC Code Security on all SAP systems in the landscape and enabling the code difference verification feature. With it, you are alerted when code released in a transport is later changed directly in another system, e.g. the production system. The rules for these checks can be configured based on the customer's requirements.
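One way to implement the code difference verification described in this scenario, as an added example (not ESNC code): each object's source is fingerprinted at transport release time and compared with the source actually present on a target system, so that an in-place edit on PROD, a missing object, or an object that never went through a transport is reported. The objects, their source and the tampering are constructed for the example.

```python
"""Code difference verification across a landscape: fingerprint each object's source
as it left the transport and compare with what a target system holds.
Added example, not ESNC code; object names and sources are constructed."""
import difflib
import hashlib
from dataclasses import dataclass, field


@dataclass
class Alert:
    obj: str
    system: str
    kind: str                      # "modified", "missing" or "untransported"
    diff: list = field(default_factory=list)


def normalize(source):
    """Canonical text before hashing: CRLF to LF, trailing blanks dropped.
    Comments are kept on purpose: a changed comment is still a change."""
    lines = [l.rstrip() for l in source.replace("\r\n", "\n").split("\n")]
    return "\n".join(lines).rstrip("\n") + "\n"


def fingerprint(source):
    return hashlib.sha256(normalize(source).encode("utf-8")).hexdigest()


def verify(released, system, actual):
    """released: {object: source} recorded when the transport was released.
    actual: {object: source} read from the target system. Returns the alerts
    a difference check raises for that system."""
    alerts = []
    for obj, src in released.items():
        if obj not in actual:
            alerts.append(Alert(obj, system, "missing"))
        elif fingerprint(src) != fingerprint(actual[obj]):
            hunk = difflib.unified_diff(normalize(src).splitlines(),
                                        normalize(actual[obj]).splitlines(),
                                        "released", system, n=0, lineterm="")
            changed = [l for l in hunk
                       if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
            alerts.append(Alert(obj, system, "modified", changed))
    for obj in sorted(actual.keys() - released.keys()):
        alerts.append(Alert(obj, system, "untransported"))
    return alerts


# constructed release record: every customer object, as released from DEV
RELEASED = {
    "ZFI_PAYMENT_RUN": (
        "REPORT zfi_payment_run.\n"
        "AUTHORITY-CHECK OBJECT 'ZFI_PAY' ID 'BUKRS' FIELD p_bukrs.\n"
        "IF sy-subrc <> 0.\n"
        "  MESSAGE e001(zfi).\n"
        "ENDIF.\n"
        "PERFORM run_payments.\n"),
    "ZFI_OPEN_ITEMS": "REPORT zfi_open_items.\nPERFORM list_open_items.\n",
}
# constructed PROD content: the payment run was edited in place so the authority
# check is skipped for one user, ZFI_OPEN_ITEMS differs only in line endings, and
# ZHELPER_TMP never went through a transport at all
PROD = {
    "ZFI_PAYMENT_RUN": RELEASED["ZFI_PAYMENT_RUN"].replace(
        "IF sy-subrc <> 0.", "IF sy-subrc <> 0 AND sy-uname <> 'BATCHADM'."),
    "ZFI_OPEN_ITEMS": RELEASED["ZFI_OPEN_ITEMS"].replace("\n", "\r\n"),
    "ZHELPER_TMP": "REPORT zhelper_tmp.\nPERFORM patch_table.\n",
}

if __name__ == "__main__":
    for a in verify(RELEASED, "PROD", PROD):
        print(a.obj, a.kind, *a.diff, sep="\n  ")
```

The check deliberately hashes the full normalized source, comments included, rather than a parsed form: the point is to catch any direct edit on the target, and deciding whether a change is harmless is the job of a scan, not of the integrity check. Only line-ending and trailing-whitespace differences are ignored, since those routinely differ between editors and transports.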
ESNC Code Security – Additional Features
Flow Analysis for ABAP
The ESNC Code Security Analysis Engine includes code flow analysis for detecting ABAP security threats that span multiple ABAP reports, function modules or classes.
Flexible Rule Engine
The ESNC Code Security Analysis Engine allows easy implementation of custom rules for ABAP security reviews. This feature lets customers build their own ABAP security and ABAP performance rules. It is possible to specify the criticality and weight of each rule and whether it should appear in the final report.
The rule logic is only limited by the available memory and processing power.
ABAP Performance and Compliance Checks
ESNC Code Security includes rules for checking code quality, performance and compliance related issues of your ABAP code.
Differential Scans
ESNC Code Security allows comparing scans of an application taken at different times. Against the findings of the initial scan, improvements and newly introduced issues can easily be determined. The same feature can be used to compare code in two different systems.
Accepting Risks/Eliminating False Positives
ESNC Code Security allows accepting a risk or marking a finding as a false positive. Such findings do not appear in later scans (until the acceptance expires), so the quality of the findings improves each time a scan is performed.
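An added example (not ESNC code) of how the differential scans and accepted risks described in the two sections above can be combined: findings from two scans are matched by object, rule and a hash of the offending statement rather than by line number, so that lines inserted above a finding do not make it look new, and each current finding is then classified as new, still open, fixed, accepted, or accepted but expired. The finding rows, rule IDs and acceptance dates are constructed.

```python
"""Differential scan with accepted-risk handling. Findings are matched across scans
by object, rule and a hash of the offending statement, not by line number.
Added example, not ESNC code; findings and acceptances are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import date


def match_key(obj, rule_id, statement):
    """Stable identity of a finding: whitespace and case of the statement are ignored."""
    stmt = " ".join(statement.split()).upper()
    return (obj, rule_id, hashlib.sha256(stmt.encode()).hexdigest()[:16])


@dataclass(frozen=True)
class Finding:
    obj: str
    rule_id: str
    line: int
    statement: str

    @property
    def key(self):
        return match_key(self.obj, self.rule_id, self.statement)


@dataclass(frozen=True)
class Acceptance:
    obj: str
    rule_id: str
    statement: str
    reason: str
    expires: date          # after this date the finding is reported again

    @property
    def key(self):
        return match_key(self.obj, self.rule_id, self.statement)


def compare(baseline, current, acceptances, today):
    """Classify the current scan against the previous one and the risk register:
    new, open (seen before), fixed (gone), accepted (suppressed), expired."""
    active = {a.key for a in acceptances if a.expires >= today}
    lapsed = {a.key for a in acceptances if a.expires < today}
    base = {f.key: f for f in baseline}
    cur = {f.key: f for f in current}
    result = {"new": [], "open": [], "fixed": [], "accepted": [], "expired": []}
    for k, f in cur.items():
        if k in active:
            result["accepted"].append(f)
        elif k in lapsed:
            result["expired"].append(f)   # back in the report until re-accepted
        elif k in base:
            result["open"].append(f)
        else:
            result["new"].append(f)
    result["fixed"] = [f for k, f in base.items() if k not in cur]
    return result


OBJ = "ZMAT_LOOKUP"
BASELINE = [  # constructed previous scan
    Finding(OBJ, "SEC-001", 11, "SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where)"),
    Finding(OBJ, "PERF-001", 11, "SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where)"),
    Finding(OBJ, "SEC-002", 14, "SELECT matnr FROM mara INTO TABLE lt_mara WHERE (lv_fixed)"),
    Finding(OBJ, "QUAL-001", 20, "IF sy-uname = 'DEVELOPER1'"),
]
CURRENT = [  # constructed scan after the fix: the injectable SELECT is gone, three
    # lines were inserted above the rest, and an OS command execution was added
    Finding(OBJ, "SEC-002", 17, "SELECT matnr FROM mara INTO TABLE lt_mara WHERE (lv_fixed)"),
    Finding(OBJ, "QUAL-001", 23, "IF sy-uname = 'DEVELOPER1'"),
    Finding(OBJ, "SEC-003", 25, "CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd"),
]
ACCEPTED = [  # constructed risk register
    Acceptance(OBJ, "SEC-002", "SELECT matnr FROM mara INTO TABLE lt_mara WHERE (lv_fixed)",
               "lv_fixed is a constant", date(2025, 12, 31)),
    Acceptance(OBJ, "QUAL-001", "IF sy-uname = 'DEVELOPER1'",
               "temporary debugging aid", date(2024, 12, 31)),
]

if __name__ == "__main__":
    for kind, rows in compare(BASELINE, CURRENT, ACCEPTED, date(2025, 6, 1)).items():
        print(kind, [(f.rule_id, f.line) for f in rows])
```

With a scan date of 2025-06-01 the constant-driven dynamic WHERE is suppressed by its acceptance, the hard-coded user check reappears because its acceptance lapsed at the end of 2024, the two findings on the old line 11 are reported as fixed, and the new OS command call is the only genuinely new item.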