Globally, SAP has several thousand partners who have their own ABAP add-on deployed among SAP customer install base, and these customized ABAP add-ons have been increased dramatically with SAP S/4HANA release.
SAP customers, on one hand, are more than happy to facilitate their business by using 3rd party ABAP add-on as these add-ons always deliver business and technical know-hows.
However, on the other hand, the security of 3rd party ABAP add-on is becoming more and more concern. CIOs or project managers have a long check list, on which, they always put security on top and as solution provider, the partners are always being asked, “Does your add-on secure and has it been assessed by SAP? “
In fact, 3rd party ABAP add-on with SAP ABAP Security Code Scan is way more competitive to these without it.
SAP ABAP Security Code Scan introduced by SAP ICC is targeting above-mentioned situation.
SAP ABAP Security Code Scan will use SAP tool, CVA (Code Vulnerability Analyzer), to scan the code base, reporting issues and propose correction solutions.
CVA will cover below software security aspects.
- Manipulation of dynamic Open SQL (Open SQL Injection)
- Manipulation of SQL statements (Native SQL Injection)
- Manipulation of dynamically generated ABAP code (ABAP Command Injections)
- Manipulation in dynamic calls (Call Injections)
- Injections of operating system commands
- Potential unauthorized access to directories and files (Directory Traversal)
- Insuffient authorization checks of user administration bypassed
- Potential back doors
- Possible attacks using Web technologies
- Further checks
CVA, as a tool specific for ABAP add-on, has below advantages:
Scan efficiently
- Reduced false-positive rate by dataflow analysis.
- Scanning directly from within the ABAP development environment with broad range of predefined checks
Developer guidance
- Detailed help and explanations to all errors and assistance to find the right location for the fix
- Prioritization of checks. CVA will report the issues by categorize them as Priority 1, Priority 2 and Priority 3 issues.
Integration
- Integrated into standard ABAP check frameworks, SAP transport system and ABAP Test Cockpit (ATC)
SAP CVA report run will depend on the variant delivered by SAP as a standard. Below are the variants for SAP ERP and SAP S/4HANA on Premise.
SAP NetWeaver releases 7.50 SP3 (SAP ECC 6.0 or above)
- Security Analyses in Extended Program Check (SLIN)
- Critical Statements
- Find Specific Critical Statements
- Dynamic and Client-Specific Accesses in SELECT
- Dynamic and Client-Specific Assesses with INSERT, UPDATE, MODIFY, DELET
- Use of ADBC Interface
- Client-Specific Shared Objects methods
SAP S/4HANA on Premise 1809 or above
- DDIC: DB Tables(Logging Check)
- Security Checks for ABAP (CVA)
- Security Checks for BSP (CVA)
- Critical Statements
- Find Specific Critical Statements
- Dynamic and Client-Specific Accesses in SELECT
- Dynamic and Client-Specific Assesses with INSERT, UPDATE, MODIFY, DELET
- Use of ADBC Interface
- Client-Specific Shared Objects methods
- Invalid access to CDS Views
For partners who peruse certification, as you are requested to correct and mitigate Priority 1 and 2 issues reported by CVA, you are highly recommended to finish ABAP Security Code Scan first before you use AAK to assemble your code and start deployment certification. This way will prevent re-work to be happening as much as possible.
In order to start SAP ABAP Security Code Scan, below are the major activities to be performed:
- Partners need to contact SAP ICC to start a service contract
- SAP ICC consultant will schedule kick-off meeting to illustrate the assessment process and activate CVA license
- SAP ICC consultant will provide a Cookbook for partners with step-by-step guide to run the reports
- Partners are required to correct and mitigate Priority 1 and 2 issues reported
- To run CVA report as a final run for validating the result
As a deliverable from SAP ABAP Security Code Scan, SAP ICC will issue an Assessment Report and mark this achievement along with your ABAP deployment certification on CSD ( Certified Solution Directory).
– END –
SAP ICC Contact information: icc-info@sap.com
Useful links
SAP note 1855773 – Security checks for customer-specific ABAP programs
Original Article:
https://blogs.sap.com/2020/03/19/sap-abap-security-code-scan/