case study: ensuring the quality and security of custom sap applications at the department of...
DESCRIPTION
Christine Warring, Sustainment Project Manager, talks about her experience and the requirements which led to the introduction of Virtual Forge CodeProfiler in the application development of TEWLS. SAP TEWLS (Theater Enterprise Wide Logistics System) is an SAP-based application developed by the US Army and used for all armed forces to support theater-level medical logistics and life cycle management of medical assemblages.
TRANSCRIPT
Ensuring the Quality and Security of Custom SAP Applications at the Department of Defense
Chris Warring, Department of Defense
Stephen Lamy, Virtual Forge
© 2014, Virtual Forge GmbH. All rights reserved.
Introductions
TEWLS Sustainment Project Manager, JMLFDC, CACI Contractor
Agenda
- SAP TEWLS @ Department of Defense
- Challenges
- Custom ABAP
- Best Practices
- Virtual Forge CodeProfiler
SAP TEWLS @ Dept of Defense
SAP TEWLS @ Dept of Defense: Custom ABAP Applications
Theater Enterprise Wide Logistics System (TEWLS)
- SAP-based Enterprise Resource Planning
- Supports theater-level medical logistics
- Developed by US Army to replace TAMMIS
- Single shared data environment
- Developed in ABAP
SAP TEWLS @ Dept of Defense: Custom ABAP Applications
What is TEWLS?
- Enterprise-level total life cycle management of medical assemblages (development, production, fielding, and sustainment)
- Materials and assemblage life cycle management
- Theater Intermediate-Level Medical Logistics:
  - Acquisition & Life Cycle Management
  - Strategic programs for mobilization & deployment of materials
  - Theater Supply Chain Management, to include full storage and distribution capabilities for Medical Material (TLAMM)
- Compliance with the Federal Financial Management Improvement Act (FFMIA), Standard Financial Information Structure (SFIS), and Federal Information System Controls Audit Manual (FISCAM)
Challenges
Challenges: Passing the Test
Department of Defense adopted TEWLS
- TEWLS to be used for all armed forces
- Required to prove that the ABAP code was secure and compliant
The Problem:
- Static code scanning required
- The code scanning solution that DOD mandated did not produce accurate results with ABAP code
- Precluded the finalization of the Authority to Operate (ATO)
Challenges: The Problem
Limitations with existing tools
- Many false findings
- Inconsistent results (even with the same code base)
- Limited test scope
- Not integrated with SAP
- No remediation instructions for developers
Impact
- Used valuable resource time working through false results
- Unable to prove that the code was secure and compliant in order to finalize the DOD ATO
- Annoyed developers
- Late feedback for developers
Challenges: The Solution
ABAP Scanning with CodeProfiler
- Accurate results with prioritized findings
- Comprehensive testing
- Tightly integrated with SAP
- Detailed remediation instructions
Results
- Able to scan and remediate vulnerabilities quickly
- Reduced number of code corrections required
- Improved developer skills
- Reduced effort and time spent on code reviews
- Ensured ALL code meets security and compliance requirements
Custom ABAP
Custom ABAP: The Evolution of SAP®
In the past:
- Isolated systems
- Fewer users
- Less data
- Less custom development
- Regular but rare releases
Today:
- Open systems
- More users
- More data
- More custom development
- Frequent release cycles
- Reduced staff
Future:
- More open systems
- Even more users
- Even more data
- Even more development
- Higher frequency releases
- Even smaller staff
Custom ABAP: SAP Security – Holistic View
- SAP security and quality must be addressed holistically, including custom code
- Custom code can result in:
  - system failure
  - hacker access
  - slow performance
- Business apps must properly enforce Business Logic (rules)
- GRC & SoD are only effective if they are enforced within application code
Attack Surface of SAP, 1997 – Good old times
[Diagram: Direct UIs and External Systems reach the SAP ABAP® System, whose layers are Business Logic, Business Run-time, Database and Operating System]
Attack Surface of SAP, 2002 – Complexity grows
[Diagram: Direct UIs, Indirect UIs and External Systems connected to the SAP ABAP® System]
Attack Surface of SAP, 2007 – and grows
[Diagram: Direct UIs, Indirect UIs and External Systems connected to the SAP ABAP® System]
Attack Surface of SAP, since 2011 – and grows
[Diagram: Indirect UIs, External Systems and Direct UIs connected to the SAP ABAP® System]
Custom ABAP: Current Situation
The average SAP customer system has:
- 0.84 critical security / compliance errors per 1,000 LOC
- 50% probability of an ABAP® Command Injection vulnerability
- 88% probability of a Directory Traversal vulnerability
- 99.9% probability of defective Authorization Checks
Source: CodeProfiler scans of custom ABAP® code from 171 SAP systems (status: May 2014); total amount of scanned customer code: 377 million lines
Custom ABAP: Costs of Correcting a Single Defect
The earlier the code is repaired, the lower the cost:
- to correct a defect during development: $100
- to correct the same defect when found during QA testing: $1,000
- to correct the same defect found in production: $10,000
- cost of an attack or system down: $
Custom ABAP: Cost of Correcting Code
[Chart: cost of development rises 1 : 10 : 100 across DEV, QAS and PRD along the timeline to go-live; scanning integration points shown at Eclipse integration, SE80 integration and TMS integration / test]
Custom ABAP: Code Scanning Compliance
- DOD proof of security and compliance
- PCI-DSS (Payment Card Industry Data Security Standard)
- PIA (Privacy Impact Assessment)
- PII (Personally Identifiable Information)
- Company-specific policies
Best Practices
Best Practices: Recommended Testing
- Security
- Compliance
- Performance
- Robustness
- Maintainability
Best Practices: Code Reviews!
Top 10 Most Dangerous Security Vulnerabilities:
- ABAP Command Injection
- OS Command Injection
- Native SQL Injection
- Improper Authorization Checks
- Directory Traversal
- Direct Database Modifications
- Cross-Client Database Access
- Open SQL Injection
- Generic Module Execution
- Cross-Site Scripting
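To make three of these classes concrete, the report below is an added example; it is not from the presentation and not CodeProfiler or Virtual Forge code. It shows Open SQL injection, directory traversal and an improper authorization check, each as the unsafe pattern a scanner would flag beside a hardened form. The report name, the table ZTEWLS_ITEM, the authorization object Z_TEWLS_ASM and the directory in LC_DIR are assumptions; CL_ABAP_DYN_PRG and the authorization object S_DATASET are standard SAP.

```abap
*&---------------------------------------------------------------------*
*& Added example: not from the presentation and not Virtual Forge code.
*& Report name, table ZTEWLS_ITEM, authorization object Z_TEWLS_ASM and
*& the directory in LC_DIR are assumptions; CL_ABAP_DYN_PRG and
*& S_DATASET are standard SAP.
*&---------------------------------------------------------------------*
REPORT z_custom_abap_patterns.

PARAMETERS: p_matnr TYPE matnr,
            p_col   TYPE c LENGTH 30  LOWER CASE,
            p_file  TYPE c LENGTH 100 LOWER CASE.

DATA gt_items TYPE STANDARD TABLE OF ztewls_item WITH EMPTY KEY.

START-OF-SELECTION.
  PERFORM safe_select        USING p_matnr p_col.
  PERFORM safe_read_file     USING p_file.
  PERFORM release_assemblage USING p_matnr.

*--- 1. Open SQL injection -------------------------------------------*
FORM unsafe_select USING iv_matnr TYPE matnr iv_col TYPE csequence.
  " Input is concatenated into a dynamic WHERE clause, so quotes and
  " operators inside the input become part of the statement.
  DATA(lv_where) = |{ iv_col } = '{ iv_matnr }'|.
  SELECT * FROM ztewls_item INTO TABLE @gt_items WHERE (lv_where).
ENDFORM.

FORM safe_select USING iv_matnr TYPE matnr iv_col TYPE csequence.
  " The value travels as a host variable and is never parsed as SQL.
  SELECT * FROM ztewls_item INTO TABLE @gt_items WHERE matnr = @iv_matnr.

  " A dynamic column name is accepted only from a fixed list;
  " CL_ABAP_DYN_PRG raises CX_ABAP_NOT_IN_WHITELIST for anything else.
  DATA(lt_allowed) = VALUE string_table( ( `MATNR` ) ( `MAKTX` ) ( `MENGE` ) ).
  TRY.
      DATA(lv_col) = cl_abap_dyn_prg=>check_whitelist_tab(
                       val       = to_upper( iv_col )
                       whitelist = lt_allowed ).
      DATA(lv_where) = |{ lv_col } IS NOT NULL|.
      SELECT * FROM ztewls_item INTO TABLE @gt_items WHERE (lv_where).
    CATCH cx_abap_not_in_whitelist.
      MESSAGE 'Column not allowed' TYPE 'E'.
  ENDTRY.
ENDFORM.

*--- 2. Directory traversal ------------------------------------------*
FORM unsafe_read_file USING iv_file TYPE csequence.
  " The caller controls the whole path, so "../" sequences leave the
  " intended directory, and no authorization is checked at all.
  OPEN DATASET iv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
ENDFORM.

FORM safe_read_file USING iv_file TYPE csequence.
  CONSTANTS lc_dir TYPE string VALUE '/usr/sap/trans/tewls/'.  " assumed
  DATA lv_path TYPE c LENGTH 255.
  " Fixed directory, file name limited to a safe character set (no path
  " separators) and parent-directory references rejected explicitly.
  DATA(lv_input) = CONV string( iv_file ).
  TRY.
      DATA(lv_name) = cl_abap_dyn_prg=>check_whitelist_str(
                        val       = lv_input
                        whitelist = 'abcdefghijklmnopqrstuvwxyz0123456789_.' ).
    CATCH cx_abap_not_in_whitelist.
      MESSAGE 'Invalid file name' TYPE 'E'.
  ENDTRY.
  IF lv_name CS '..'.
    MESSAGE 'Invalid file name' TYPE 'E'.
  ENDIF.
  lv_path = lc_dir && lv_name.
  " S_DATASET guards file access; an AUTHORITY-CHECK whose sy-subrc is
  " never evaluated protects nothing.
  AUTHORITY-CHECK OBJECT 'S_DATASET'
    ID 'PROGRAM'  FIELD sy-repid
    ID 'ACTVT'    FIELD '33'
    ID 'FILENAME' FIELD lv_path.
  IF sy-subrc <> 0.
    MESSAGE 'Not authorized to read this file' TYPE 'E'.
  ENDIF.
  OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
ENDFORM.

*--- 3. Improper authorization check ---------------------------------*
FORM release_assemblage USING iv_matnr TYPE matnr.
  " The unsafe variant runs the UPDATE without this check, or issues the
  " check and ignores sy-subrc. The business function guards itself
  " rather than trusting that the calling transaction did.
  AUTHORITY-CHECK OBJECT 'Z_TEWLS_ASM'   " assumed custom object
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    MESSAGE 'Not authorized to change assemblages' TYPE 'E'.
  ENDIF.
  UPDATE ztewls_item SET status = 'R' WHERE matnr = @iv_matnr.
ENDFORM.
```

The unsafe forms are never called from START-OF-SELECTION; they are there so a reviewer can compare the two shapes side by side. Each hardened form applies the same three rules a static scanner checks for: no untrusted input inside a dynamic clause, a whitelist rather than a blacklist for the parts that must stay dynamic, and a sy-subrc test after every AUTHORITY-CHECK.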
Best Practices: Lessons Learned / Recommendations!
- Begin static code scanning NOW!
- Test and correct early and often during development
- Set priorities based upon your own code base
- Plan to manage cleanup activities as well as ongoing development
- Don’t wait for an incident to occur
- Manual reviews are ineffective
- Vulnerabilities can be fatal
- Based upon your own code
- Decide what will stop a transport from being released
- Don’t wait until QA
Best Practices: Automated Risk and Quality Management!
[Diagram: Development (DEV) → Test/QA (QA) → Production (PRD); automatically scan ALL changes before they leave development, with an "Approve exception?" decision point on the way to QA]
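The recommendation to decide what will stop a transport from being released, and the diagram above with its "Approve exception?" step, describe one decision: given the findings recorded for the objects on a transport, is the release allowed? The class below is an added example of that decision; it is not from the presentation and not Virtual Forge code. It assumes a custom findings table ZSCAN_FINDING (filled by whatever scanner runs on DEV) with a priority scale where 1 is critical, and a QA-approved exception flag per finding.

```abap
*&---------------------------------------------------------------------*
*& Added example: not from the presentation and not Virtual Forge code.
*& Release gate for transports. The findings table ZSCAN_FINDING and its
*& priority scale (1 = critical ... 4 = low) are assumptions; the scanner
*& that fills the table is out of scope.
*&---------------------------------------------------------------------*
CLASS zcl_transport_release_gate DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    TYPES: BEGIN OF ty_finding,
             obj_name TYPE sobj_name,   " object name, as in E071-OBJ_NAME
             priority TYPE i,           " 1 = critical ... 4 = low (assumed)
             approved TYPE abap_bool,   " exception approved by QA?
           END OF ty_finding,
           tt_finding TYPE STANDARD TABLE OF ty_finding WITH EMPTY KEY,
           tt_e071    TYPE STANDARD TABLE OF e071 WITH EMPTY KEY.
    " Highest priority number that still blocks: 1 blocks only critical
    " findings, 2 also blocks high. Set this from your own code base.
    CONSTANTS gc_block_up_to TYPE i VALUE 2.
    METHODS is_release_allowed
      IMPORTING it_objects        TYPE tt_e071
      EXPORTING et_blocking       TYPE tt_finding
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS zcl_transport_release_gate IMPLEMENTATION.
  METHOD is_release_allowed.
    CLEAR et_blocking.
    LOOP AT it_objects INTO DATA(ls_obj).
      " Only findings that are unapproved and at or above the threshold
      " block; an approved exception lets the object through.
      SELECT obj_name, priority, approved
        FROM zscan_finding
        WHERE obj_name = @ls_obj-obj_name
          AND priority <= @gc_block_up_to
          AND approved  = @abap_false
        APPENDING CORRESPONDING FIELDS OF TABLE @et_blocking.
    ENDLOOP.
    rv_allowed = xsdbool( et_blocking IS INITIAL ).
  ENDMETHOD.
ENDCLASS.
```

A natural place to call is_release_allowed is the CHECK_BEFORE_RELEASE method of the standard BAdI CTS_REQUEST_CHECK, which sees the request's object list and can cancel the release; that wiring is left out here. Returning the blocking findings alongside the verdict matters for the developer feedback the slides ask for: the release is refused with the exact objects and findings that caused it, not with a bare "blocked".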
Virtual Forge CodeProfiler
Virtual Forge CodeProfiler: Automated Risk Management
- Continuous validation
- Patented intelligent and efficient verification
- Minimized effort and total cost of ownership
- Flexible and scalable
- Comprehensive and powerful
- Proactive protection with transparency
Virtual Forge CodeProfiler: Finding What Matters
[Diagram: data and control flow analysis traces input (SAP GUI, BSP, RFC, ...) through the software to the dangerous statement]
Virtual Forge CodeProfiler: Customer Testimonials
Proven success
“One of the key requirements was to scan several billion lines of code each week. Together with Virtual Forge we have been able to create a truly unique solution.” – Michael Brauer, Director of Corporate Automation within the Corporate IT department at Siemens
“Applying the Virtual Forge CodeProfiler and the close collaboration helped us to increase the level of security and improved the quality of our business solutions.” – Ralph Salomon, Vice President IT Security & Risk Office at SAP
“With Virtual Forge CodeProfiler tightly integrated into our SAP change and transport management processes, we were able to scan all our custom ABAP® code and identify non-compliant code in no time at all.” – Joby Joseph, SAP Security Lead at Globe and Mail
Virtual Forge CodeProfiler: Free Risk Assessment Offer!
How good is your SAP system? Visit www.virtualforge.com
- Summary of findings
- Prioritization and classification of vulnerabilities
- Specific examples of findings
- Code and system metrics
Free SAP® Risk Assessment (Quality, Compliance, Security) with Virtual Forge CodeProfiler and SystemProfiler
Disclaimer
© 2014 Virtual Forge GmbH. All rights reserved. Information contained in this publication is subject to change without prior notice. These materials are provided by Virtual Forge and serve only as information. SAP, ABAP and other named SAP products and services as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries worldwide. All other names of products and services are trademarks of their respective companies. Virtual Forge accepts no liability or responsibility for errors or omissions in this publication. From the information contained in this publication, no further liability is assumed. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of Virtual Forge GmbH, Germany or Virtual Forge Inc., Philadelphia. The General Terms and Conditions of Virtual Forge apply.
More Case Studies To Come … @Virtual_Forge