Is your SAP system vulnerable to cyber attacks?
0 likes1,255 views
This document outlines critical security risks associated with custom ABAP applications in SAP systems, highlighting the most dangerous vulnerabilities and providing best practices for safeguarding ABAP code. It emphasizes the importance of continuous testing and monitoring, as well as the financial implications of security breaches. The session aims to equip developers with the knowledge to enhance code security and comply with industry standards.
Is your SAP system vulnerable to cyber attacks?
- 1. Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2015 Wellesley Information Services. All rights reserved. Is Your SAP System Vulnerable to Cyber Attacks? Critical Tactics to Safeguard Your ABAP Applications Stephen Lamy Virtual Forge
- 2. 1 In This Session • You will learn about specific risks that custom ABAP can introduce into an SAP system and get proven advice to minimize ABAP security risks. • You will: Learn about the most dangerous ABAP security vulnerabilities View demonstrations to see how an SAP system can be exploited via ABAP vulnerabilities Get insight into the best practices for developing secure and compliant ABAP code, such as: Implementing internal coding guidelines and standards Automatically testing all code changes before release
- 3. 2 What We’ll Cover • Risks from custom ABAP code • The realities of ABAP development • Best practices for ABAP code for security and quality • Wrap-up
- 5. 4 The Challenges with Custom ABAP Development • Espionage or cyber attack • Application failure • System performance • High development costs
- 6. 5 APP/11: The Most Dangerous Security Vulnerabilities 1. ABAP command injection 2. OS command injection 3. Native SQL injection 4. Improper authorization checks 5. Directory traversal 6. Direct database modifications 7. Cross-client database access 8. Open SQL injection 9. Generic module execution 10. Cross-site scripting 11. Obscure ABAP Code Source: BIZEC APP/11: www.bizec.org
- 7. 6 The Average SAP Customer System Analyzed Has … • 1.03 Critical Security/Compliance errors per 1,000 LOC • 51% probability of an ABAP Command Injection vulnerability • 70% probability of an open SQL injection vulnerability • 86% probability of a Directory Traversal vulnerability • 100% probability of defective Authorization Checks Source: CodeProfiler scan of 453 Million lines of custom ABAP® code from 217 SAP systems (status: Oct 2014)
- 8. 7 Security/Compliance Testing Test Case Probability per Scan Per x LOC Sec: Missing AUTHORITY-CHECK before CALL TRANS 97% 4,066 Sec: Missing AUTHORITY-CHECK in Reports 96% 6,154 Com: Hard-coded User Name (sy-uname) 91% 8,998 Sec: Directory Traversal (Write Access) 86% 8,960 Sec: Missing AUTHORITY-CHECK in RFC-Enabled Funct 94% 14,347 Com: Cross-Client Access to Business Data 83% 15,254 Sec: Directory Traversal (Read Access) 86% 23,254 Com: Direct Database Modifications 86% 35,016 Source: CodeProfiler scan of 453 Million lines of custom ABAP® code from 217 SAP systems (status: Oct 2014)
- 9. 8 ABAP Risk Assessment Benchmark Results Metric Average Total Source Code Lines (LOC) (without comments or empty lines) 2,087,618 453,013,210 Domain – Critical Only Average Per LOC Security/Compliance 2,150 1.03 Performance 2,463 1.18 Maintainability 2,108 1.01 Robustness 6,618 3.17 Total 13,339 6.39 Source: CodeProfiler scan of 453 Million lines of custom ABAP® code from 217 SAP systems (status: Oct 2014)
- 10. 9 Cyber-Attacks and System Downtimes Are Key Business Risks Caused by Custom Changes • Performance • Robustness • Maintainability • Security • Compliance • Data Loss Prevention … can lead to key business risks: Cyber-attacks $7.2 million cost per case in average Fraud 5% loss in revenue p.a. per typical company System downtimes 14hrs p.a. per company avg. Sources: Cost of Cyber Crime Study (Poneomon Institute, 2013), Global Fraud Study (ACFE, 2014), The Avoidable Cost of Downtime (CA Technologies, 2010) Custom ABAP Apps … Custom ABAP Code Third-Party ABAP add-ons Testing Needed
- 11. 10 Costs of Correcting a Single Defect to correct defect during development$100 to correct defect during development$100 to correct defect found during QA testing$1,000 to correct defect found during QA testing$1,000 to correct defect in production$10,000 cost of attack or system down$$$ The earlier the code is repaired, the lower the cost
- 13. 12 What We’ll Cover • Risks from custom ABAP code • The realities of ABAP development • Best practices for ABAP code for security and quality • Wrap-up
- 14. 13 The Evolution of SAP and ABAP Technology Past Today Future • Simple, isolated systems • Fewer users • Less data • Less custom development • Regular but rare releases • Complex and open systems • More users • More data • More custom development • Frequent release cycles • Reduced staff • More complex and open • Even more users • Even more data • Even more development • Higher frequency releases • Even smaller staff
- 15. 14 Attack Surface of SAP – 1997 Direct UIs External Systems SAP ABAP® System
- 16. 15 Attack Surface of SAP – Since 2011 Indirect UIs External Systems Direct UIs SAP ABAP® System
- 17. 16 SAP Security – A Holistic View • SAP security and quality must be addressed holistically – including custom code • Custom code can lead to: System failure Hacker access Slow performance • Business apps must properly enforce Business Logic (rules) • GRC and SoD are only effective if they are enforced within application code Business Logic Business Runtime Database Operating System
- 18. 17 Sources of Flaws in ABAP Code • Manual code reviews/basic testing • QA testing focused on functional aspects • Inability to enforce technical coding standards • External development/third-party add-ons • Limited/no code change monitoring (during emergencies)
- 19. 18 What We’ll Cover • Risks from custom ABAP code • The realities of ABAP development • Best practices for ABAP code for security and quality • Wrap-up
- 20. 19 Best Practices • Ensure ABAP code quality and security through … Online scanning and correction during development Testing of all delivered code (you are responsible for outsourced and third-party code too!) Automatic scanning of all ABAP changes
- 21. 20 Best Practices: Static Online Scanning • Static code scanning and correction during development • Define clear code standards and enforce results • Give developers the tools they need to test during development Faster feedback means lower cost Provide recommended remediation approach • Apply automated corrections for larger clean-up projects Stop believing that manual reviews are all you need!
- 22. 21 Best Practices: Testing All Delivered Code • Testing all code (including outsourced and third-party products) Communicate and enforce SLAs Let everyone know that you will be testing Test all deliverables before beginning functional testing Don’t waste time with user testing of inferior code Plan for issues! Test immediately! Is this code safe enough for your DEV?
- 23. 22 Best Practices: Automatic Code Scanning • Automatically scan all SAP ABAP code changes Scan all Transport Requests upon release Stop Transport Requests with critical issues Store test results as for compliance audit trail PCI, PII, SOX, FDA, Basil II, etc. Be ready for emergency corrections Enable override of tests with approval Track who approved exceptions
- 24. 23 Continuous Monitoring of ABAP Code Changes PRDDEV Development Test/QA ProductionRequirement SICHERE SAP PROGRAMMIERUNG ABAP Guideline Java Guideline ABAP Spezifikation Java Spezifikation Generelle Guideline Interne Entwicklung Externe Entwicklung Automatic Testing QA Exception Approval?
- 25. 24 Recommended Testing • Security • Compliance • Data Loss Prevention • Performance • Robustness • Maintainability
- 26. 25 What We’ll Cover • Risks from custom ABAP code • The realities of ABAP development • Best practices for ABAP code for security and quality • Wrap-up
- 28. 27 Where to Find More Information • www.bizec.org/wiki/Main_Page The Business Application Security Initiative (BIZEC) is a non-profit organization with a focus on security defects in business applications • www.virtualforge.com/en/library/white-papers/whitepaper-the-abap- underverse.html Andreas Wiegenstein, “The ABAP Underverse” (BlackHat Briefings, 2011). A Virtual Forge whitepaper on application and ABAP security • www.virtualforge.com/en/resources/presentations/ensuring-the-security- of-custom-abap-code.html Chris Warring and Stephen Lamy, “Best Practices for Ensuring the Security of Custom ABAP Code” (SAP TechEd && d-code, 2014).
- 29. 28 7 Key Points to Take Home • Companies are responsible for their own custom code • If you can’t enforce code quality and security standards consistently, it won’t happen • It’s not possible to accurately assess the security of ABAP code through manual reviews alone • Implementing best practices and corresponding tools early in the development process will lower risk and result in lower TCO
- 30. 29 7 Key Points to Take Home (cont.) • Do not wait until it’s too late! Tighten ABAP security while you can • Don’t forget the 11 most dangerous security vulnerabilities and how testing during development can protect you • Provide your developers a way to test and correct code easily while they develop
- 31. 30 Your Turn! How to contact me: Stephen Lamy Stephen.Lamy@virtualforge.com @virtual_forge Please remember to complete your session evaluation
- 32. 31 Disclaimer SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.