How the U.S. Department of Defense Secures Its Custom ABAP Code
1 like1,489 views
The document discusses how the U.S. Department of Defense (DoD) secures its custom ABAP code within the Theater Enterprise Wide Logistics System (TEWLS). It highlights the challenges faced in ensuring code security and compliance, particularly the limitations of existing scanning tools, and presents the solution of using Virtual Forge's Codeprofiler for accurate scanning and remediation. Best practices are recommended for maintaining code quality and security, emphasizing the need for automated testing to mitigate risks in custom code.
How the U.S. Department of Defense Secures Its Custom ABAP Code
- 1. /* How the U.S. Department of Defense Secures Its Custom ABAP Code */ #SAPtd
- 2. How the U.S. Department of Defense Secures Its Custom ABAP Code Christine Warring TEWLS Sustainment Project Manager, JMLFDC CACI Contractor © 2015, Virtual Forge, Inc. All rights reserved.
- 3. Agenda SAP TEWLS @ Department of Defense Challenges Custom ABAP Best Practices
- 4. SAP TEWLS @ Dept of Defense
- 5. SAP TEWLS @ Dept of Defense Custom ABAP Applications Theater Enterprise Wide Logistics System (TEWLS) SAP-based Enterprise Resource Planning Supports theater-level medical logistics Developed by US Army to replace TAMMIS Single shared data environment Developed in ABAP 5
- 6. SAP TEWLS @ Dept of Defense Custom ABAP Applications What is TEWLS? Enterprise-level total life cycle management of medical assemblages Development Production Fielding Sustainment Theater Intermediate-Level Medical Logistics: Acquisition & life-cycle management Strategic programs for mobilization & deployment of materials Theater Supply Chain Management to include full storage and distribution capabilities for Medical Materials (TLAMM) Compliance with Federal Financial Management Improvement Act (FFMIA); Standard Financial Information Structure (SFIS); Federal Information System Controls Audit Manual (FISCAM) 6
- 7. Challenges
- 8. Challenges Passing the Test Department of Defense Adopted TEWLS TEWLS to be used for all armed forces Required to prove that ABAP code was secure and compliant The Problem Static code scanning required Code scanning solution that DOD mandated did not produce accurate results Unable to go live without Authority to Operate (ATO)! 8
- 9. Challenges The Problem Limitations with existing tools Many false findings Inconsistent results (even with same code base) Developers could not use day to day Limited test scope No help with remediation! Impact Used valuable resource time working through false results Unable to prove that the code was secure and compliant to finalize DOD ATO Annoyed developers Late feedback for developers 9
- 10. Challenges The Solution ABAP Scanning with CodeProfiler Accurate results with prioritized findings Comprehensive testing Developers can correct and learn while the work Detailed remediation instructions and auto correction Results Able to scan and remediate vulnerabilities quickly Reduced number of code corrections required Improved developer skills Reduced effort and time spent on code reviews Ensured ALL code meets security and compliance requirements 10
- 11. Custom ABAP Are your custom applications compliant? ATO (Authority To Operate) PII (Personally Identifiable Information) PIA (Privacy Impact Assessment) PCI-DSS (Payment Card Industry Data Security Standard) Internal standards 11
- 12. Best Practices
- 13. Best Practices Recommended Testing Security and compliance Performance Stability and robustness Maintainability 13
- 14. Best Practices Code Reviews Top 11 Most Dangerous Security Vulnerabilities: 1. ABAP Command Injection 2. OS Command Injection 3. Native SQL Injection 4. Improper Authorization Checks 5. Directory Traversal 6. Direct Database Modifications 7. Cross-Client Database Access 8. Open SQL Injection 9. Generic Module Execution 10. Cross-Site Scripting 11. Hidden ABAP code 14
- 15. Best Practices Lessons Learned/Recommendations Custom code can be a source of risk to SAP systems. Automated testing is necessary to ensure code security and quality. All solutions are not alike – Compare! Start now. Don’t wait for an incident to occur. 15
- 16. Virtual Forge CodeProfiler Free Risk Assessment Offer! How good is your SAP system? Visit www.virtualforge.com ü Summary of findings ü Priorization and classification of vulnerabilities ü Specific examples of findings ü Code and system metrics Quality Compliance Security SAP- System Risk Assessment / Penetration Test • SAP configuration • Custom code Free 16
- 18. Disclaimer © 2015 Virtual Forge Inc. All rights reserved. SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are the trademarks of their respective companies. Information contained in this publication is subject to change without prior notice. It is provided by Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in this publication. Information contained in this publication does not imply any further liability. Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.