Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL (SAPTechEd)
Transcript of Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL (SAPTechEd)
PPT master slide for creating presentations
© 2012 Virtual Forge Inc | www.virtualforge.com | All rights reserved.
Dr. Markus Schumacher
© 2013 Virtual Forge | www.virtualforge.com | All rights reserved.
CD208: Automating Code Reviews for Custom ABAP Applications to Reduce Risk and Lower TCO
Who we are
Dr. Markus Schumacher, CEO of Virtual Forge (Heidelberg | Weimar | Philadelphia)
Twitter: @virtual_forge | Questions: #safercode
Joby Joseph, SAP Functional / Security Lead, The Globe and Mail (Toronto | Canada)
Agenda
• SAP @ Globe and Mail
• Development life cycle @ Globe and Mail
• Potential Risks from Bad ABAP Code
• ABAP Firewall: Automatic Code Scanning
• Summary
SAP @ The Globe and Mail
• The Company
  • Media company headquartered in Toronto, Canada
  • Produces and distributes nationally in Canada
  • Handles distribution of several other products in Canada, including The New York Times
  • Largest circulation national newspaper, which heavily focuses on business, current affairs and lifestyle coverage
• SAP @ The Globe and Mail
  • The one and only Canadian customer of SAP’s IS‐Media
  • Implemented SAP in 2002 – 2007
  • Modules IS‐MSD, IS‐MAM, SD, FICA, FI‐CO, HR, BW, BO
  • Heavily customized code in IS‐MSD due to the North American media subscription model with contract accounting
  • Highly “custom ABAP” dependent implementation
SAP @ The Globe and Mail
• Highly customized development of Industry Solution for Media
  • Lots and lots of customer development
• Internal and external development staff
  • Independent ABAP consultants
  • Off‐shore developments
• Users are both internal and external
  • Internal functional users
  • Subscribers and retail customers
  • Telemarketers
  • Vendors
• Interfaces to public facing websites
  • Strict interface standards (PCI‐DSS)
  • Customer sensitive applications
  • Real‐time Java and .Net apps interfacing to SAP through custom RFCs
  • File based asynchronous interfaces from multiple web applications
Conflicting Project Goals
• Goals of project / implementation teams:
  • Project budget and go‐live date
  • Delivered product must work at point of hand‐over
  • Satisfy the “direct customers” (e.g. new site)
  • Minimize coordination effort wherever possible (with the customer as well as team‐/supplier internally)
  • Minimize regression tests
  • Scope reductions (classic “not part of our job / contract” discussions)
  • Low cost / offshore
• Goals of system owners:
  • Long term maintainability
  • Harmonized processes and “templates”
  • Avoiding redundancies
  • Low operating costs
  • Secure environment
  • Quality, sustainability & no surprises in coding
Approaches
• Clone existing ABAP code instead of extending or reusing existing functionality
• Ignore template, rather clone legacy system wherever possible
• Quick & dirty, hard‐coded
• Cheap resources instead of experienced staff
• Delay progress in order to force customer to accept unsatisfactory solutions to keep time line
• …
Have you ever wondered where all the vulnerabilities are coming from?
As system owners, we have to combine two contradicting goals to make a project really successful:
• Support and manage the project
• “Defend” the system against the above short cuts
Automated Code Reviews: Static Code Scanning
• Code Reviews – Why not manual reviews?
• Managing change process from ticket creation to Prod release
  • Tight integration with SAP
  • Tracking changes, approvals, create/release transports, etc.
  • Ensures compliance (PCI DSS, SOX, ITIL, internal, etc.)
• ‘ABAP Firewall’ ‐ static code analysis of ABAP application code and changes
ABAP Firewall (Virtual Forge CodeProfiler)
• Tightly integrated with Change Process and SAP
• Tests all domains: Security, Compliance, Performance, Maintainability and Robustness
• On-line scanning with Best Coding Practices documentation
• Automatic Correction
• Very low False Positive rate (<5%)
• Fast scan rate for high volume scanning (>20k LOC/sec)
• Integrated with ABAP Workbench, Eclipse, SAP TMS, ATC, Solution Manager, etc.
The Evolution of ABAP™ (circa 2011)
More Sophisticated Attackers – Script Kiddies
• Minor knowledge
• Works with “copy & paste” and uses public information, programs, tools, etc. in order to attack / damage computer systems
• Random targets
• Motivation: usually reputation
More Sophisticated Attackers – Professional Attackers
• Highly skilled
• Almost unlimited time and money resources
• Targeted attacks (e.g. Stuxnet)
• Often internal attackers
• Motivation: Industrial espionage, sabotage, …
The Forgotten Layer: Application Runtime
• SAP security must be addressed holistically
• Business run‐time apps must properly enforce business logic security
• GRC & SoD are only effective if they are enforced within the applications
[Diagram: layered stacks of Operating System, Database and Business Runtime beneath the Front-end/Business Logic layer]
ABAP™ Quality Benchmarks (powered by CodeProfiler)

Metric                                                    | Average   | Total
Source Code Lines (LOC), without comments and empty lines | 1,862,418 | 156,443,087

Domain                           | Average | Per KLOC (Average)
Security (Critical only)         | 1,475   | 0.79
Compliance (Critical only)       | 270     | 0.14
Performance (Critical only)      | 1,171   | 0.63
Maintainability (High prio only) | 415     | 0.22
Robustness (Critical only)       | 1,586   | 0.85
Totals                           | 4,917   |
ABAP™ Quality Benchmarks (powered by CodeProfiler)
The average SAP customer system has:
• 0.93 Critical Security/Compliance errors per 1,000 LOC
• 50% probability of an ABAP Command Injection vulnerability
• 93% probability of a Directory Traversal vulnerability
• 100% probability of defective Authorization Checks
Source: Initial scan of 156,443,087 Lines of custom ABAP code from 88 SAP customers (status: July 2013)
Regulatory Compliance
PCI‐DSS (Payment Card Industry Data Security Standard)
CodeProfiler provides more than 30 test cases in order to test for PCI DSS compliance (PCI DSS Requirements and Security Assessment Procedures, Version 2.0).
PII (Personally Identifiable Information)
To protect PII, CodeProfiler has test cases related to the disclosure of critical data ("assets"). Exit points for this domain exist in the following classifications: SAP GUI, HTTP/HTML, FTP, GUI Download, Files, Return values of RFC enabled function modules. The main purpose of this test domain is to identify data leaks.
SOX
CodeProfiler provides more than 30 test cases in order to test for SOX / SOX‐EUR compliance (Sarbanes‐Oxley Act). SOX audits rely on IT General Controls (ITGC) to provide a sound technical basis for the reliability and accountability of business processes. Custom development is relevant for Change Management, which is in turn relevant for ITGC. Therefore, any changes to program logic are SOX relevant if they introduce a potential security issue. ABAP coding practices and standards must ensure that ITGC are not bypassed by insecure coding. SOX audits must check that appropriate controls are in place to make sure no relevant security defects exist in ABAP code.
Custom ABAP Development Facts: Cost of Defects

Cost of attack or system down                | $$$$$
Cost to correct a defect in production       | $10,000
Cost to correct a defect found in QA testing | $1,000
Cost to correct a defect during development  | $100
Code Governance & Control Built into the Process
Data and Control Flow Analysis: Shows only findings that matter
[Diagram: data flow from Input (SAP GUI, BSP, RFC, ...) through the Software to a Dangerous Statement]
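The slide's point, that a finding matters only when input actually reaches a dangerous statement, as an added toy illustration (not CodeProfiler and not code from the deck): a minimal taint tracker over a constructed ABAP-like snippet, assuming a dynamic WHERE clause as the sink and cl_abap_dyn_prg=>escape_quotes as the sanitizer.

```python
import re

# Constructed ABAP-like sample (simplified, not from the deck). Line 1 is the
# SAP GUI input; lines 4, 7 and 9 each contain a dynamic WHERE (the "dangerous
# statement"); only line 4 receives the input unsanitized.
SAMPLE = """\
PARAMETERS p_name TYPE string.
DATA lv_where TYPE string.
lv_where = |NAME = '{ p_name }'|.
SELECT * FROM ztab WHERE (lv_where) INTO TABLE lt_rows.
lv_safe = cl_abap_dyn_prg=>escape_quotes( p_name ).
lv_where2 = |NAME = '{ lv_safe }'|.
SELECT * FROM ztab WHERE (lv_where2) INTO TABLE lt_rows.
lv_const = 'NAME = ''FIXED'''.
SELECT * FROM ztab WHERE (lv_const) INTO TABLE lt_rows.
"""

SOURCE = re.compile(r"^PARAMETERS\s+(\w+)", re.I)           # input from SAP GUI
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)\.$")
SANITIZER = re.compile(r"escape_quotes\(\s*\w+\s*\)", re.I)  # assumed sanitizer
SINK = re.compile(r"\bWHERE\s*\((\w+)\)", re.I)              # dynamic WHERE clause

def naive_sink_count(src):
    """Pattern matching alone: every dynamic WHERE is an alarm (3 here)."""
    return sum(1 for line in src.splitlines() if SINK.search(line))

def flow_findings(src):
    """Data-flow check: report a sink only if input reaches it unsanitized."""
    taint = {}      # variable -> line numbers on its path from the input
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        m = SOURCE.match(line)
        if m:
            taint[m.group(1)] = [n]
            continue
        m = ASSIGN.match(line)
        if m:
            lhs, rhs = m.groups()
            deps = [v for v in re.findall(r"\w+", rhs) if v in taint]
            if deps and not SANITIZER.search(rhs):
                taint[lhs] = taint[deps[0]] + [n]     # taint propagates
            else:
                taint.pop(lhs, None)                  # constant or sanitized
            continue
        m = SINK.search(line)
        if m and m.group(1) in taint:
            findings.append({"line": n, "var": m.group(1),
                             "path": taint[m.group(1)] + [n]})
    return findings

if __name__ == "__main__":
    print("naive alarms:", naive_sink_count(SAMPLE))
    for f in flow_findings(SAMPLE):
        print(f"finding: tainted {f['var']} at line {f['line']}, path {f['path']}")
```

The pattern-only check raises three alarms; the flow check reports one, with the path from input to sink, which is what keeps the false positive rate low.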
CodeProfiler: Comprehensive Test Scope (Security, Performance, Quality)
Security Tests
• Security: ABAP™ Command Injection, OS Command Execution, SQL Injection, Broken Authority Checks, Hard‐Coded Usernames, ...
• Data Loss Prevention: Disclosure of Critical Data, Disclosure of Source Code, Maintenance of sensitive data, …
QA Tests
• Performance: Usage of WAIT Command, Usage of SELECT *, Nested Loop, Incomplete Index, ...
• Maintainability & Robustness: Naming Conventions, Nested Macro Calls, Hard‐coded Org Units, Insufficient Error Handling, ...
ABAP Code Scanning ‐ Benefits
Lower Risk
– Detects and supports remediation of vulnerabilities
  • Cyberattacks
  • System failures
  • Data theft/fraud
  • Industrial espionage
– Tests in‐/out‐sourced development and 3rd party add‐ons
  • Enforces standards for all development deliverables
  • Clear and enforceable definition of programming standards
– Ensures all ABAP code changes meet compliance and audit requirements
ABAP Code Scanning ‐ Benefits
Lower TCO
• Problems are found earlier in the SDLC = lower cost to remediate a defect
• Better quality code (maintainability, performance, robustness) = lower test and maintenance costs
• Reduced review & testing times = faster delivery of new applications
• Automated scanning = less use of (expensive) development resources
• Online scan & remediation support for faster resolution = less time for corrections and repair
• Better quality code = fewer SAP production system issues
ABAP Security in Context: Internal Control Systems ‐ Structure in the ERP Environment
[Diagram: nested layers, from the outermost inward: IT General Controls (ITGC); Change Management; ABAP Application Code; Business Rules Enforcement (Authentication, Encryption, Authorization, Logging, Interfaces, Audit, …)]
Custom ABAP Development Facts: Source of Defects
• Little/no technical specifications
• Manual/basic code reviews
• Testing focused on functional aspects
• External/3rd party development
• Limited/no code change monitoring
Custom Development: Business Risks Due to Security Defects
• Cyberattacks
• Data theft/fraud
• Industrial espionage
• Loss of image
• System failures
Benefits of ABAP Static Code Scanning
Increase:
• Security and compliance of SAP® applications
• Performance
• System stability
• Quality standards of internal and external software development
Decrease:
• Business risks
• Maintenance efforts
• Test and correction efforts
• Operating costs
THANK YOU FOR PARTICIPATING
Please provide feedback on this session by completing a short survey via the event mobile application.
SESSION CODE: CD208
For ongoing education on this area of focus, visit www.ASUG.com
Meet Joby and Markus at the Virtual Forge Booth 159