Column | Security Strategies

This article appeared in the Jan Feb Mar 2017 issue

of SAPinsider (www.SAPinsiderOnline.com) and appears
here with permission from the publisher, WIS Publishing.

Jrgen Adolf
(juergen.adolf@sap.com)
has been working in the
Secure Your ABAP
security space since
2003. Since 2013, he
has been a Product
Code Against Attack
Manager for Security
at SAP SE. His focuses Whats New with the 7.51 Release of SAP NetWeaver
include identity manage-
ment, access logging,
Application Server, Add-On for Code Vulnerability Analysis
source code security,
Modern business landscapes are increasingly large, heterogeneous, and complex. This trend
RFC security, and
SAP Enterprise Threat has made securing enterprise software a challenging endeavor. Adding to this challenge is
Detection. the need to quickly adjust to rapidly changing business requirements. To meet new needs as
they arise, many organizations use custom code to extend the functionality of their business
software, such as SAP Business Suite, which increases the amount, and complexity, of the
code that needs to be tested and secured.
The stakes are high SAP systems hold valuable data, and insecure software is a common
cause of cyberattacks, which can have dire consequences, including negative publicity, penal-
ties, and lost revenue. Unfortunately, many organizations become aware of vulnerabilities
only after a breach has occurred. Securing custom code after the fact is extremely expensive
according to studies, it costs 30 times more to fix security issues after a breach than to
build security into your code at the beginning of the design process.1
To prevent cyberattacks and avoid costly remediation, organizations must adopt reliable
methods for testing new or altered code during development, before a breach occurs. To
help with this task, SAP provides customers with a powerful, integrated tool as part of SAP
NetWeaver Application Server (SAP NetWeaver AS) ABAP that scans ABAP source code for
vulnerabilities: SAP NetWeaver AS, add-on for code vulnerability analysis.
This article looks at how SAP NetWeaver AS, add-on for code vulnerability analysis lever-
ages integration into the ABAP development infrastructure to make it easy to scan, analyze,
and secure your ABAP source code, and then examines the latest enhancements delivered
with SAP NetWeaver AS ABAP 7.51 including remote code analysis and baseline function-
ality to help you minimize risks and errors and ensure overall quality in productive system
landscapes. You will also get a sneak peek at some upcoming features for addressing evolving
threats to your code.

An Integrated Approach to Securing Custom Code

SAP NetWeaver AS, add-on for code vulnerability analysis analyzes user input and data flow
in source code to find vulnerabilities that can cause issues down the road, and provides guid-
ance on how to address identified issues. Originally created by the SAP development team for
internal testing, the tool was released to SAP customers in September 2013 (see the sidebar
Software Testing at SAP on the next page for more on how SAP secures its application

Alan Pearson, Why Its Important To Squash Vulnerabilities Early In The Software Development Lifecycle,
1

TheSecurity Innovation Europe Blog, March 6, 2014, http://bit.ly/2fVblmo.

Subscribe today. Visit SAPinsiderOnline.com.

 source code). SAP NetWeaver AS, add-on for code
vulnerability analysis is a separately licensed tool
that is available for use with SAP NetWeaver AS
ABAP.2
SAP NetWeaver AS, add-on for code vulnerability
analysis is seamlessly integrated into the ABAP Test
Cockpit, which is a central, extensible infrastructure
for performing functional, performance, and secu-
rity code checks on ABAP development objects.
Based on the Code Inspector, and integrated into
the ABAP development environment, the ABAP
Test Cockpit comprises a set of check variants that
run smoothly alongside one another (see Figure 1).
SAP NetWeaver AS, add-on for code vulnerabil-
ity analysis is used via the ABAP Test Cockpit and
has access to all ABAP Test Cockpit features, such as
new features included in SAP NetWeaver AS ABAP
7.51. It allows developers to take advantage of the
2
The tool is available for use with the following releases: SAP
NetWeaver AS ABAP 7.0, enhancement package 2, support
package 14; SAP NetWeaver AS ABAP 7.0, enhancement
package 3, support package 09; SAP NetWeaver AS ABAP
7.3, enhancement package 1, support package 09; SAP
NetWeaver AS ABAP 7.4, support package 05 and later;
and SAP NetWeaver AS ABAP 7.51.
Software Testing at SAP
To ensure that ABAP-based SAP applications and code are
delivered to customers free of vulnerabilities, SAP standard
software is developed using standard software testing pro-
cedures and various SAP tools that are also available to SAP
customers.
One procedure used at SAP is to perform dynamic applica-
tion testing (DAST), an outside-in approach in which you look
at the installed application to identify potential vulnerabilities
and then ensure the code is secure using various agile test-
ing methods, such as exploratory testing. DAST tools analyze
applications in real time while the application is running. This
testing technique is typically performed as a gateway accep-
tance layer in the run-up to production deployment. SAPs
development team primarily uses WebInspect Enterprise by
HPE to perform dynamic scans during application development.
Another approach is to perform static application security test-
ing (SAST), an inside-out approach in which you examine the
source code for security issues during development and then
use agile testing methods, such as pair programming, and
Subscribe today. Visit SAPinsiderOnline.com.
ABAP Test Cockpits streamlined quality assur-
ance processes and tight integration with ABAP
development tools. This tight integration enables
developers to easily launch code checks includ-
ing the security checks provided by SAP NetWeaver
AS, add-on for code vulnerability analysis from
tools such as the ABAP Workbench (transaction
SE80), the ABAP Editor (transaction SE38), and
the Eclipse-based ABAP development tools for SAP
NetWeaver (ABAP in Eclipse).
SAP NetWeaver AS, add-on for code vulnerabil-
ity analysis provides a range of features for secur-
ing source code. Developers can launch checks for
single objects or groups of objects. Quality assurance
teams can schedule automated test runs, enable
automatic test failure notifications, and aggregate
test results for analysis. Developers can also adjust
the priority of each check to meet test run or risk
policy requirements, or to follow a phased approach
to enabling checks, which can help increase accep-
tance and use of the checks. Once an issue is found,
developers can navigate directly to documentation
that explains how to fix it and avoid it in the future
(see Figure 2), or to workflow functionality to
static testing tools included in the ABAP development environ-
ment to ensure secure code. These tools test the source code
line by line to expose weaknesses in the software before it is
deployed. By detecting flaws in the code early in the process,
weaknesses can be fixed before hackers detect them and they
become true vulnerabilities for an organization.
These static testing tools, which are available to SAP customers
as part of SAP NetWeaver Application Server (SAP NetWeaver
AS) ABAP, are offered via a testing framework called the
ABAP Test Cockpit. In the ABAP Test Cockpit, developers can
execute static checks and unit tests for their development
objects using SAP tools such as the Code Inspector for check-
ing repository objects, the Extended Program Check (trans-
action SLIN) for running in-depth syntax checks, checks for
ensuring a successful SAP HANA or SAP S/4HANA migration,*
and SAP NetWeaver AS, add-on for code vulnerability analysis
for scanning source code for vulnerabilities.
* For more on the checks used for SAP HANA and SAP S/4HANA migrations,
see the article Making the Move to SAP S/4HANA by Karl Kessler on page
66 of this issue of SAPinsider.
 ABAP Test Cockpit

Syntax checks These checks are used to ensure correct syntax of ABAP code
they verify that the syntax used follows the rules that define correctly
written ABAP code.

Standard Code Inspector checks These checks evaluate static ABAP coding and Data Dictionary
objects essentially all objects of the Object Repository for
functional correctness, performance, security, reliability, and
statistical information.

ABAP unit tests These tests are used for test-driven development. They verify the
intended program behavior.

Security checks (SAP NetWeaver These checks perform data-flow analysis to find security flaws in the
Application Server, add-on for evaluated ABAP code.
code vulnerability analysis)

Extended Program Check Transaction SLIN performs a complete check that includes the
(transaction SLIN) interfaces of external procedures called from the program for
example, checking whether the number and type of the interface
parameters in an external procedure call is correct. SLIN also
contains static security tests.

SAP HANA checks These checks, which are included in the Code Inspector check
variant FUNCTIONAL_DB, ensure a smooth migration of ABAP code
to SAP HANA and SAP S/4HANA.

Customer-specific checks The extensibility of the ABAP Test Cockpit allows the development of
custom checks for customer-specific needs.

Figure 1 The ABAP Test Cockpit comprises a set of testing tools including SAP NetWeaver AS, add-on for code
vulnerability analysis for performing checks on ABAP development objects

Figure 2 Once SAP NetWeaver AS, add-on for code vulnerability analysis identifies an issue, developers can navigate
directly to recommendations for how to address it

Subscribe today. Visit SAPinsiderOnline.com.

create an exemption. The tools sophisticated data
flow analysis, performed at the compilation unit
level, combined with the exemption feature ensures
minimal false positives.
A previous SAPinsider article provided a detailed
introduction to SAP NetWeaver AS, add-on for code
vulnerability analysis and how it works3 here, we
explore some of the new features delivered with
SAP NetWeaver AS ABAP 7.51 that enhance the
capabilities of this tool.
Whats New with 7.51?
SAP NetWeaver AS ABAP 7.51 delivers several new
features for testing ABAP source code with the
ABAP Test Cockpit, two of which are particularly
useful when performing security checks with SAP
NetWeaver AS, add-on for code vulnerability analy-
sis the ability to perform remote code analysis
and to define baselines for test runs. Lets take a
closer look at how these features can help you
secure your code.
Remote Code Analysis
Remote code analysis is a key new feature deliv-
ered with SAP NetWeaver AS ABAP 7.51 for the
ABAP Test Cockpit. This functionality enables
you to use the latest checks available in 7.51,
including the security checks of SAP NetWeaver
AS, add-onfor code vulnerability analysis, to
analyze custom-developed code in older SAP
NetWeaver systems a critical capability in the
face of increasingly sophisticated and frequent
cyberattacks. Prior to 7.51, code checks had to be
performed locally on the system containing the
code, meaning that each and every system had to
be upgraded to the latest SAP release or support
package level in order to use the latest checks and
functionalities for testing. This led to significant
administrative overhead.
With the new remote code analysis feature
delivered with 7.51, you need only set up one SAP
NetWeaver AS ABAP system, running SAP_BASIS
751 only, in your SAP system landscape to serve as a
central check system. From this central system, you
can run checks via the ABAP Test Cockpit on any
For an introduction to SAP NetWeaver AS, add-on for
3 feature enables customers that have legacy debts in
code vulnerability analysis, see the article Start Your ABAP
Applications on Solid Ground by Patrick Hildenbrand
in the October-December 2013 issue of SAPinsider
(SAPinsiderOnline.com).
Subscribe today. Visit SAPinsiderOnline.com.
SAP NetWeaver AS system in your landscape that
is running SAP_BASIS 700 or higher there is no
need to upgrade every single system to 7.51 to take
advantage of the latest security checks. In addition to
reducing administrative overhead and saving time,
this capability provides access to the features cus-
tomers with older systems need to ensure the quality
of their custom code and comply with increasingly
complex corporate security requirements.
So how exactly does a remote check scenario
work? Administrators simply deploy a remote
stub to each system to be checked (see SAP Note
2270689), which the central check system accesses
via a remote function call (RFC) connection (see
Figure 3). These remote stubs return a model
of the custom code to the central check system,
where it is then analyzed using the checks pro-
vided for potential security vulnerabilities. The
check variant used to perform the checks, which
are RFC-enabled, is maintained by administrators
in the central check system.4
In addition to providing a means to apply the
latest checks to older systems, a remote code
analysis scenario offers several other advantages. It
enables a centralized approach to checking multi-
ple SAP systems and applying one quality standard
across the entire system landscape, regardless of the
release used in local development systems. It is also
a low-effort, low-impact installation that will not
affect existing business processes.
The remote code analysis functionality included
with 7.51 is a valuable tool for quality assurance
teams working in the central check system going
forward, SAPs development team is working on
making this functionality available to developers
working in remote systems as well. This capabil-
ity will enable developers to execute checks, view
and correct findings, request exemptions, and check
transports before release, all in the local develop-
ment system.
Baseline Functionality
Another new feature delivered with 7.51 that adds
valuable functionality when using SAP NetWeaver
AS, add-on for code vulnerability analysis is the abil-
ity to configure a baseline for static code analysis. This
4
Additional details on configuring remote security checks with
ABAP 7.51 are available from the SAP Help Portal site at
http://bit.ly/RemoteChecks.
 Central Check System (SAP_BASIS 751)

ABAP Test Cockpit

RFC RFC RFC

Remote Stub Remote Stub Remote Stub

Checked Checked Checked

System A System B System C
(700) (700) (700)

Customer Code Customer Code Customer Code

Figure 3 Remote code analysis is performed from a central check system via an RFC connection

their existing code to ignore these expected findings
and instead focus their test runs on new or recently
changed code. This enables customers to start their
testing with clean code and create a separate project
to work on the findings from their legacy coding. It
also allows for the development of new functional-
ities without an overload of code corrections.
The baseline functionality enables the ABAP
Test Cockpit to isolate errors found during the exe-
cution of a check variant and exclude them from
subsequent test run results by adding them to the
baseline, where they are treated as a special kind
of exemption. This approach helps developers
improve the efficiency of their testing processes
by isolating the code that is most in need of atten-
tion, which is particularly useful when you need to
secure business-critical applications against poten-
tial cyberattacks.
The baseline feature is accessed via the ABAP
Test Cockpit administration tool (transaction ATC),
which displays a list of results of executed checks. To
add a check result to the baseline, you simply select
it from the list of results and then specify the han-
dling for those results during subsequent test runs.
You can choose to suppress the findings (exclude
all findings from the check results list); exempt the
findings (include the findings in the check results
list, marked as exempted); or assign a low priority to
the findings (the findings will appear lower in the
check results list).
Figure 4 on the next page shows the handling
options for a check result being added to the
baseline; Figure 5 on the next page shows the check
results list with the baseline selections reflected
in this case, added to the baseline with the findings
exempted.5
The baseline is effective as long as the related
code sections remain unchanged. If the code does
change, you will need to correct the coding and the
check will automatically become active again for
the modified code section. You also have the option
of adding or removing individual findings from the
baseline as your needs change (if the immediate
removal of all SQL injection flaws becomes a high
priority, for instance) or even deleting the baseline
entirely and resetting the test system to its origi-
nal state (if the overall security testing concept is
renewed, for example).
Looking Ahead: New Security Checks
Regardless of how robust your security tools are, pro-
tecting against cyberattacks is a moving target that
requires new ways of securing your code, and SAP
continues to add new features to support you in this
task. Support package 1 for SAP NetWeaver AS 7.51,
due for release in January 2017, includes a variety of
new security checks for use with SAP NetWeaver AS,
add-on for code vulnerability analysis.
Here is a look at a few of the planned features
that will help keep your code safe from evolving
threats:
5
Additional details on the baseline functionality delivered with
ABAP 7.51 are available from the SAP Help Portal site at
http://bit.ly/BaselineFeature.

Subscribe today. Visit SAPinsiderOnline.com.

 Figure 4 Select a check result to add to the baseline and specify its handling
Figure 5 Rerunning the check shows the results of the baseline selections
Potential abuse of URL redirect: Vulnerabilities
are introduced wherever external data (such as
user input) is used as a source for URL redirects.
This check evaluates the potential for attackers to
direct victims to other websites.
Missing content check during HTTP
upload: This checks if the method IF_HTTP_
REQUEST~GET_DATA( ) is called without the
parameter VSCAN_SCAN_ALWAYS, which can
lead to cross-site-scripting (XSS) attacks via file
upload (MIME sniffing). More detail is available
in the SAP NetWeaver Security Guide and in SAP
Note 1714836.
Potential infiltration of harmful SQL state-
ments or conditions when calling a specific
method: Security problems can occur when
external data, such as user input, is processed
unchecked. This check evaluates whether input
validation is performed before data is processed.
SAP Note 1852318 provides further information
about how to protect against SQL injections.
Read access to sensitive database tables: This
checks if there is read access to database tables
that are declared as sensitive.
Write access to sensitive database tables: This
checks if there is write access to database tables
that are declared as sensitive.
Subscribe today. Visit SAPinsiderOnline.com.
Call of a procedure with a hard-coded pass-
word: This checks if a method or function is
called with a hard-coded password, which can
compromise system security anyone who can
access the source code has access to the hard-
coded password.
These are just some of the security checks
planned for future release. SAP is continuously
monitoring the security landscape and working to
ensure that customers have the tools they need to
ensure the security of their software.
Summary
While technology that provides a competitive edge
is a business imperative, vulnerable software is a
prime entry point for compromising an enterprise.
With SAP NetWeaver AS, add-on for code vulnera-
bility analysis, and the powerful new features for the
ABAP Test Cockpit delivered with SAP NetWeaver
AS ABAP 7.51, you can continue to develop innova-
tive and effective software without worrying about
introducing security risks to your organization.
Learn more about how to ensure secure ABAP
code in your SAP business systems with SAP
NetWeaver AS, add-on for code vulnerability analysis
at https://wiki.scn.sap.com/wiki/display/Security/
SAP+NetWeaver+Application+Server%2C+Add-
On+for+Code+Vulnerability+Analysis.