Security Testing: Myths, Challenges, and Opportunities - Experiences in Integrating Security Testing...

Security Testing Myths Challenges and OpportunitiesExperiences in Integrating Security Testing ldquoEnd-to-Endrdquo Into the Software Life-Cycle at SAP

Achim D Bruckerachimbruckersapcom httpwwwbruckerch

SAP SE Vincenz-Priessnitz-Str 1 76131 Karlsruhe Germany

SECTEST Keynote6th international Workshop on Security Testing (SECTEST)

Graz Austria April 13 2015


Abstract

Security testing is an important part of any security development lifecycle (SDL) and thus should be a part ofany software (development) lifecycle Still security testing is often understood as an activity done by securitytesters in the time between ldquoend of developmentrdquo and ldquooffering the product to customersrdquoOn the one hand learning from traditional testing that the fixing of bugs is the more costly the later it is donein development security testing should be integrated into the daily development activities On the otherhand developing software for the cloud and offering software in the cloud raises the need for security testingin a ldquoclose-to-productionrdquo or even production environment Consequently we need an end-to-end integrationof security testing into the software lifecycleIn this talk we will report on our experiences on integrating security testing ldquoend-to-endrdquo into SAPrsquos softwaredevelopment lifecycle in general and in particular SAPrsquos Secure Software Development Lifecycle (S2DL)Moreover we will discuss different myths challenges and opportunities in the are security testing

copy 2015 SAP SE All Rights Reserved Page 2 of 27

A Security Testing Taxonomy

Manual

Automated

Black-Box

Black-Box

White-Box

White-Box

Dynamic

Dynamic

Dynamic

Static

Static

Static

Static

Dynamic

Manual Penetration Testing

Manual Binary Analysis


Manual Code Review

Web Vulnerability Scanning

Static Binary Analysis

Runtime Memory Analysis

Static Source Analysis


A Security Testing Taxonomy and a Disclaimer

Manual

Automated

Black-Box

Black-Box

White-Box

White-Box

Dynamic

Dynamic

Dynamic

Static

Static

Static

Static

Dynamic




Manual Code Review





Disclaimer

In this talk security testing refers to all kind of methods that find securityvulnerabilities in systems including (but not limited) to

bull static approaches (eg SAST code reviews)

bull dynamic approaches (eg DAST fuzzing)

bull combined approaches (eg IAST concolic testing)


Agenda

1 SAP in a Nutshell

2 Motivation

3 The Beginning Large Scale Introduction of SAST

4 A Risk-based Security Testing Strategy

5 SAPrsquos Secure Software Development Lifecycle (S2DL)

6 Myths and Lessonrsquos Learned


Die SAP SE

bull Leader in Business Softwarebull Cloudbull Mobilebull On premise

bull Many different technologies and platforms egbull In-memory database and application server (HANA)bull Netweaver for ABAP and Java

bull More than 25 industries

bull 63 of the worldrsquos transaction revenue touches anSAP system

bull approx 68 000 employees worldwide

bull Headquarters Walldorf(close to Heidelberg Germany)


SAPrsquo Security TeamHow SAP Organizes Software Security

De-centralized development modelbull Central security expert team (S2DL owner)

bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process

bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)

Product Security

ldquoTraining amp Standardrdquo

Security Training

Security Standard

Merger amp Acquisitions

ldquoSecurity Testing amp

Validationrdquo

Security Enablement

Tools

Validation

ldquoResponserdquo

External Findings

Patch Process

Security Communication (Virtual Team)


My Background

bull I wear two hatsbull Research ExpertArchitectbull (Global) Security Testing Strategist

bull BackgroundSecurity Formal Methods Software Engineering

bull Current work areas

bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle

httpwwwbruckerch


Agenda

1 SAP in a Nutshell

2 Motivation






Costs of Vulnerabilities (Attacks on IT Systems)

bull TJX Company Inc (2007) $ 250 million

bull Sony (2011) $ 170 million

bull Heartland Payment Systems (2009) $ 41 million

ldquo A hack not only costs a company money but also its reputation and the trust of itscustomers It can take years and millions of dollars to repair the damage that a singlecomputer hack inflicts

(httpfinancialedgeinvestopediacomfinancial-edge0711Most-Costly-Computer-Hacks-Of-All-Timeaspx)


Vulnerability Types of CVE Reports Since 1999

Execute Code 28

Denial of Service 17

Overflow 12

XSS 11

SQL Injection 8

Gain Information 5

Bypass Something 4

Other 15

bull Causes for most vulnerabilities arebull programming errorsbull configuration errors

bull Patchingbull is expensivebull may introduce new bugs

bull How can we help developers to avoid this mistakes

copy 2015 SAP SE All Rights Reserved 0 of 27

Agenda

1 SAP in a Nutshell

2 Motivation






How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities

Mainly two patternsLocal issues (no data-flow dependency) eg

bull Insecure functions

1 var x = Mathrandom()

bull Secrets stored in the source code

1 var password = rsquosecretrsquo

Data-flow related issues eg

bull Cross-site Scripting (XSS)

1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))


1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)













We trust our developers ie we are

focusing on finding ldquoobviousrdquo bugs


SAST at SAP

ABAP

Java

C

JavaScript

Others

bull Since 2010 mandatory for all SAP products

bull Multiple billions lines analyzed

bull Constant improvement of tool configuration

bull SAST tools used at SAP

Language Tool Vendor

ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx

CC++ Coverity CoverityOthers Fortify HP

bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014


So Everything is Secure Now Right

ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure

Undisclosed sales engineer from a SAST tool vendor

Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability

bull It supports also a mode that reports no false positives





Yes this tools exists It is called Code Assurance Tool (cat)

bull The cat tool reports each line that might contain a vulnerability












Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerabilitybull It supports also a mode that reports no false positives


Agenda

1 SAP in a Nutshell

2 Motivation






Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack



Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx (JavaScript)

Fortify (Java) Coverity (CC++)






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n





A Risk-based Test Plan

Select from a list of

predefined application

types

Implementation detaos eg programming languages frameworks

Priority of SAP Security

Requirements

Security Test Plan

RISK ASSESMENT

(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg

code scans dynamic analysis manual penetrationtesting or fuzzing

bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject

bull Re-adjusts priorities of test cases based on identifiedrisks for the project

bull Monitors false negative findings in the results of riskassessment


Agenda

1 SAP in a Nutshell

2 Motivation






SAPrsquo Secure Software Development Lifecycle (S2DL)

Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27

SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report

7

Security Test

Plan

Security

Validation Report

Start of development Shipment decision

Training Risk

Identification Plan Security

Measures Secure

development Security testing

Security Validation

Security Response

Security Test

Report

Security Measure Plan

Security Testing Plan

bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)

bullDescribes planned security testing activities

bullCompleteness and plausibility check by validation or security enablement team

Security Measure Report

Security Testing Report

bullResult of executed security testing activities (eg code scan report)

bullDescribes deviations from plan

bullInput for validation and operation (cloud)

Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation






Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect

What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)

bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools

rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools

rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools

bull With recent configuration but not configuration at release daterArr no immediate actions necessary

bull With configuration at release daterArr analyze why it was not detected and take further actions

What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)

What we observebull Increase of logic-based flaws


Penetration Tests at the End of Development testensure the security of the developed product right

Main purpose of penetration tests at end of development is

bull to check for ldquoflawsrdquo in the the S2DL (and not the product)

bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)

Note penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)


False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them

bull What needs to be audited

bull What needs to be fixedbull as security issue

(response effort)bull quality issue

bull Different rules forbull old codebull new code




















Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)

We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness

Always keep in mindBuilding a a secure system more difficult than finding a successful attack

We need

bull Easier to use security APIs

bull More tools that make it easy to implement system securely

bull Frameworks that make it hard to implement insecure systems

bull

And btw this also holds for DevOps (Cloud)


Thank you

httpxkcdcom327

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012


copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages


SAP in a Nutshell

Motivation

The Beginning Large Scale Introduction of SAST

A Risk-based Security Testing Strategy

SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)

Myths and Lessons Learned


Abstract

Security testing is an important part of any security development lifecycle (SDL) and thus should be a part ofany software (development) lifecycle Still security testing is often understood as an activity done by securitytesters in the time between ldquoend of developmentrdquo and ldquooffering the product to customersrdquoOn the one hand learning from traditional testing that the fixing of bugs is the more costly the later it is donein development security testing should be integrated into the daily development activities On the otherhand developing software for the cloud and offering software in the cloud raises the need for security testingin a ldquoclose-to-productionrdquo or even production environment Consequently we need an end-to-end integrationof security testing into the software lifecycleIn this talk we will report on our experiences on integrating security testing ldquoend-to-endrdquo into SAPrsquos softwaredevelopment lifecycle in general and in particular SAPrsquos Secure Software Development Lifecycle (S2DL)Moreover we will discuss different myths challenges and opportunities in the are security testing

copy 2015 SAP SE All Rights Reserved of 27


Manual

Automated

Black-Box

Black-Box

White-Box

White-Box

Dynamic

Dynamic

Dynamic

Static

Static

Static

Static

Dynamic




Manual Code Review







Manual

Automated

Black-Box

Black-Box

White-Box

White-Box

Dynamic

Dynamic

Dynamic

Static

Static

Static

Static

Dynamic




Manual Code Review





Disclaimer






Agenda

1 SAP in a Nutshell

2 Motivation






Die SAP SE












Product Security


Security Training

Security Standard



Validationrdquo

Security Enablement

Tools

Validation

ldquoResponserdquo

External Findings

Patch Process



My Background





httpwwwbruckerch


Agenda

1 SAP in a Nutshell

2 Motivation














Execute Code 28


Overflow 12

XSS 11

SQL Injection 8

Gain Information 5

Bypass Something 4

Other 15





Agenda

1 SAP in a Nutshell

2 Motivation
































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation






Manual

Automated

Black-Box

Black-Box

White-Box

White-Box

Dynamic

Dynamic

Dynamic

Static

Static

Static

Static

Dynamic




Manual Code Review







Manual

Automated

Black-Box

Black-Box

White-Box

White-Box

Dynamic

Dynamic

Dynamic

Static

Static

Static

Static

Dynamic




Manual Code Review





Disclaimer






Agenda

1 SAP in a Nutshell

2 Motivation






Die SAP SE












Product Security


Security Training

Security Standard



Validationrdquo

Security Enablement

Tools

Validation

ldquoResponserdquo

External Findings

Patch Process



My Background





httpwwwbruckerch


Agenda

1 SAP in a Nutshell

2 Motivation














Execute Code 28


Overflow 12

XSS 11

SQL Injection 8

Gain Information 5

Bypass Something 4

Other 15





Agenda

1 SAP in a Nutshell

2 Motivation
































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation






Manual

Automated

Black-Box

Black-Box

White-Box

White-Box

Dynamic

Dynamic

Dynamic

Static

Static

Static

Static

Dynamic




Manual Code Review





Disclaimer






Agenda

1 SAP in a Nutshell

2 Motivation






Die SAP SE












Product Security


Security Training

Security Standard



Validationrdquo

Security Enablement

Tools

Validation

ldquoResponserdquo

External Findings

Patch Process



My Background





httpwwwbruckerch


Agenda

1 SAP in a Nutshell

2 Motivation














Execute Code 28


Overflow 12

XSS 11

SQL Injection 8

Gain Information 5

Bypass Something 4

Other 15





Agenda

1 SAP in a Nutshell

2 Motivation
































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation





Agenda

1 SAP in a Nutshell

2 Motivation






Die SAP SE












Product Security


Security Training

Security Standard



Validationrdquo

Security Enablement

Tools

Validation

ldquoResponserdquo

External Findings

Patch Process



My Background





httpwwwbruckerch


Agenda

1 SAP in a Nutshell

2 Motivation














Execute Code 28


Overflow 12

XSS 11

SQL Injection 8

Gain Information 5

Bypass Something 4

Other 15





Agenda

1 SAP in a Nutshell

2 Motivation
































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation





Die SAP SE












Product Security


Security Training

Security Standard



Validationrdquo

Security Enablement

Tools

Validation

ldquoResponserdquo

External Findings

Patch Process



My Background





httpwwwbruckerch


Agenda

1 SAP in a Nutshell

2 Motivation














Execute Code 28


Overflow 12

XSS 11

SQL Injection 8

Gain Information 5

Bypass Something 4

Other 15





Agenda

1 SAP in a Nutshell

2 Motivation
































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation









Product Security


Security Training

Security Standard



Validationrdquo

Security Enablement

Tools

Validation

ldquoResponserdquo

External Findings

Patch Process



My Background





httpwwwbruckerch


Agenda

1 SAP in a Nutshell

2 Motivation














Execute Code 28


Overflow 12

XSS 11

SQL Injection 8

Gain Information 5

Bypass Something 4

Other 15





Agenda

1 SAP in a Nutshell

2 Motivation
































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation





My Background





httpwwwbruckerch


Agenda

1 SAP in a Nutshell

2 Motivation














Execute Code 28


Overflow 12

XSS 11

SQL Injection 8

Gain Information 5

Bypass Something 4

Other 15





Agenda

1 SAP in a Nutshell

2 Motivation
































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation





Agenda

1 SAP in a Nutshell

2 Motivation














Execute Code 28


Overflow 12

XSS 11

SQL Injection 8

Gain Information 5

Bypass Something 4

Other 15





Agenda

1 SAP in a Nutshell

2 Motivation
































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation













Execute Code 28


Overflow 12

XSS 11

SQL Injection 8

Gain Information 5

Bypass Something 4

Other 15





Agenda

1 SAP in a Nutshell

2 Motivation
































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation





Agenda

1 SAP in a Nutshell

2 Motivation
































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation































SAST at SAP

ABAP

Java

C

JavaScript

Others


































Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation





























Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation










Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation







Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved of 27


7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation





Agenda

1 SAP in a Nutshell

2 Motivation







Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems








Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems


Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation






Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation








types



Requirements

Security Test Plan

RISK ASSESMENT







Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation





Agenda

1 SAP in a Nutshell

2 Motivation









7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation








7

Security Test

Plan

Security

Validation Report


Training Risk


Measures Secure


Security Validation

Security Response

Security Test

Report











Figure SAP SSDL


Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation





Agenda

1 SAP in a Nutshell

2 Motivation



















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation


















































We need




bull



Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation





Thank you

httpxkcdcom327















SAP in a Nutshell

Motivation



















SAP in a Nutshell

Motivation





Security Testing: Myths, Challenges, and Opportunities - Experiences in Integrating Security Testing...

Software

Transcript of Security Testing: Myths, Challenges, and Opportunities - Experiences in Integrating Security Testing...