SAP customers have always worked with SAP partners and ISVs to augment their SAP environment with third-party ABAP add-ons, which customers license directly from SAP partners. The security of these third-party ABAP add-ons is becoming more and more a topic of interest in the licensing process. CIOs and project managers have a long checklist on which they always put security at the top, and as solution providers, partners are always asked, “Is your add-on secure, and has it been assessed by SAP?”
To help partners address this question, the SAP Integration and Certification Center (SAP ICC) has introduced an optional service ABAP Security Code Scan for any ABAP add-on that partners certify via SAP ICC.
SAP ABAP Security Code Scan uses the SAP tool CVA (Code Vulnerability Analyzer) to scan the code base, report issues and propose corrections. This aims to help partners troubleshoot their add-ons prior to deployment in a customer environment. Ultimately, however, customers and partners will always need to verify the add-on again in the customer’s individual environment for full due diligence.
Here are some details on what SAP ICC helps partners test in a lab environment. CVA covers the following software security aspects:
- Manipulation of dynamic Open SQL (Open SQL Injection)
- Manipulation of SQL statements (Native SQL Injection)
- Manipulation of dynamically generated ABAP code (ABAP Command Injections)
- Manipulation in dynamic calls (Call Injections)
- Injections of operating system commands
- Potential unauthorized access to directories and files (Directory Traversal)
- Insufficient or bypassed authorization checks (user administration)
- Potential back doors
- Possible attacks using Web technologies
- Further checks
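As an added illustration (not code from the SAP ICC blog or from CVA itself), the first item in the list above, manipulation of dynamic Open SQL, in its vulnerable and corrected forms. Assumptions: the standard SFLIGHT demo table is available, and the local class name and its parameters are made up for this example; the hardening uses the standard CL_ABAP_DYN_PRG class.

```abap
" Added example, not from the SAP ICC blog: a dynamic Open SQL WHERE clause
" that CVA reports as "Manipulation of dynamic Open SQL", next to the
" corrected version.
" Assumptions: the SFLIGHT demo table exists; the class name and the
" importing parameters are invented for this illustration.
CLASS lcl_flight_query DEFINITION.
  PUBLIC SECTION.
    TYPES tt_carriers TYPE STANDARD TABLE OF sflight-carrid WITH EMPTY KEY.
    " Vulnerable: the untrusted value is concatenated into the WHERE clause.
    METHODS select_unsafe
      IMPORTING iv_value TYPE string
      RETURNING VALUE(rt_carriers) TYPE tt_carriers.
    " Corrected: column name allowlisted, value quoted and escaped.
    METHODS select_safe
      IMPORTING iv_column TYPE string
                iv_value  TYPE string
      RETURNING VALUE(rt_carriers) TYPE tt_carriers
      RAISING   cx_abap_not_in_whitelist.
ENDCLASS.

CLASS lcl_flight_query IMPLEMENTATION.
  METHOD select_unsafe.
    " A value containing a single quote closes the literal early, so the
    " caller controls the rest of the condition (Open SQL injection).
    DATA(lv_where) = |connid = '{ iv_value }'|.
    SELECT carrid FROM sflight WHERE (lv_where) INTO TABLE @rt_carriers.
  ENDMETHOD.

  METHOD select_safe.
    " Only columns from a fixed allowlist may be used dynamically;
    " anything else raises CX_ABAP_NOT_IN_WHITELIST.
    DATA(lv_column) = cl_abap_dyn_prg=>check_whitelist_str(
                        val       = to_upper( iv_column )
                        whitelist = 'CARRID,CONNID,FLDATE' ).
    " QUOTE doubles embedded single quotes and wraps the value in quotes,
    " so the value can only ever be parsed as a literal.
    DATA(lv_where) = |{ lv_column } = { cl_abap_dyn_prg=>quote( iv_value ) }|.
    SELECT carrid FROM sflight WHERE (lv_where) INTO TABLE @rt_carriers.
  ENDMETHOD.
ENDCLASS.
```

Running CVA (for example via ATC) over select_unsafe produces the dynamic Open SQL finding; select_safe passes because the dataflow analysis sees the value routed through CL_ABAP_DYN_PRG.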
CVA, as a tool specific to ABAP add-ons, has the following advantages:
Efficient scanning
- Reduced false-positive rate through dataflow analysis
- Scanning directly from within the ABAP development environment with a broad range of predefined checks
Developer guidance
- Detailed help and explanations for all findings, plus assistance in locating the right place for the fix
- Prioritization of checks: CVA reports issues categorized as Priority 1, Priority 2 and Priority 3
Integration
- Integrated into the standard ABAP check frameworks, the SAP transport system and the ABAP Test Cockpit (ATC)
The CVA report run depends on the check variant delivered by SAP as standard. Below are the variants for SAP ERP and SAP S/4HANA on premise.
SAP NetWeaver release 7.50 SP3 (SAP ECC 6.0 or above)
- Security Analyses in Extended Program Check (SLIN)
- Critical Statements
- Find Specific Critical Statements
- Dynamic and Client-Specific Accesses in SELECT
- Dynamic and Client-Specific Accesses with INSERT, UPDATE, MODIFY, DELETE
- Use of ADBC Interface
- Client-Specific Shared Objects methods
SAP S/4HANA on Premise 1809 or above
- DDIC: DB Tables(Logging Check)
- Security Checks for ABAP (CVA)
- Security Checks for BSP (CVA)
- Critical Statements
- Find Specific Critical Statements
- Dynamic and Client-Specific Accesses in SELECT
- Dynamic and Client-Specific Accesses with INSERT, UPDATE, MODIFY, DELETE
- Use of ADBC Interface
- Client-Specific Shared Objects methods
- Invalid access to CDS Views
For partners who pursue certification: since you are required to correct and mitigate the Priority 1 and 2 issues reported by CVA, it is highly recommended that you complete the ABAP Security Code Scan before you use the AAK (Add-On Assembly Kit) to assemble your code and start the deployment certification. This avoids rework as far as possible.
To start the SAP ABAP Security Code Scan, the major activities to be performed are:
- Partners contact SAP ICC to set up a service contract
- An SAP ICC consultant schedules a kick-off meeting to explain the assessment process and activates the CVA license
- The SAP ICC consultant provides partners with a Cookbook containing a step-by-step guide to running the reports
- Partners correct and mitigate the Priority 1 and 2 issues reported
- The CVA report is run a final time to validate the result
As the deliverable of the SAP ABAP Security Code Scan, SAP ICC issues an Assessment Report and marks this achievement alongside your ABAP deployment certification in the CSD (Certified Solution Directory).
Note: SAP ICC provides the security code scan assessment service for both ABAP and non-ABAP programs. This blog covers only third-party ABAP programs.
For non-ABAP scans, please refer to the blog below.
Gain SAP Customers Trust By Making Your Product Secure
For more information on the Security Code Scan Assessment, refer here.
SAP ICC Contact information: icc-info@sap.com
Useful links
SAP Note 1855773 - Security checks for customer-specific ABAP programs
Code Vulnerability Analyzer