Ensuring the Quality and Security of Custom SAP Applications at the Department of Defense

Chris Warring, Department of Defense
Stephen Lamy, Virtual Forge

© 2014, Virtual Forge GmbH. All rights reserved.

Upload: virtual-forge

Post on 20-Jun-2015

DESCRIPTION

Christine Warring, Sustainment Project Manager, talks about her experience and the requirements which led to the introduction of Virtual Forge CodeProfiler in the application development of TEWLS. SAP TEWLS (Theater Enterprise Wide Logistics System) is an SAP-based application developed by the US Army and used by all armed forces to support theater-level medical logistics and life cycle management of medical assemblages.

TRANSCRIPT

Page 1 (title slide)

Ensuring the Quality and Security of Custom SAP Applications at the Department of Defense

Page 2

Introductions

- TEWLS Sustainment Project Manager
- JMLFDC
- CACI Contractor

Page 3

Agenda

- SAP TEWLS @ Department of Defense
- Challenges
- Custom ABAP
- Best Practices
- Virtual Forge CodeProfiler

Page 4

SAP TEWLS @ Dept of Defense

Page 5

SAP TEWLS @ Dept of Defense: Custom ABAP Applications

Theater Enterprise Wide Logistics System (TEWLS)

- SAP-based Enterprise Resource Planning
- Supports theater-level medical logistics
- Developed by US Army to replace TAMMIS
- Single shared data environment
- Developed in ABAP

Page 6

SAP TEWLS @ Dept of Defense: Custom ABAP Applications

What is TEWLS?

- Enterprise-level total life cycle management of medical assemblages (development, production, fielding, and sustainment)
- Materials and assemblage life cycle management
- Theater Intermediate-Level Medical Logistics:
  - Acquisition & Life Cycle Management
  - Strategic programs for mobilization & deployment of materials
  - Theater Supply Chain Management, including full storage and distribution capabilities for Medical Material (TLAMM)
- Compliance with the Federal Financial Management Improvement Act (FFMIA), Standard Financial Information Structure (SFIS), and Federal Information System Controls Audit Manual (FISCAM)

Page 7

Challenges

Page 8

Challenges: Passing the Test

Department of Defense Adopted TEWLS

- TEWLS to be used for all armed forces
- Required to prove that the ABAP code was secure and compliant

The Problem:

- Static code scanning required
- The code scanning solution that DOD mandated did not produce accurate results with ABAP code
- This precluded the finalization of the Authority to Operate (ATO)

Page 9

Challenges: The Problem

Limitations with existing tools

- Many false findings
- Inconsistent results (even with the same code base)
- Limited test scope
- Not integrated with SAP
- No remediation instructions for developers

Impact

- Used valuable resource time working through false results
- Unable to prove that the code was secure and compliant in order to finalize the DOD ATO
- Annoyed developers
- Late feedback for developers

Page 10

Challenges: The Solution

ABAP Scanning with CodeProfiler

- Accurate results with prioritized findings
- Comprehensive testing
- Tightly integrated with SAP
- Detailed remediation instructions

Results

- Able to scan and remediate vulnerabilities quickly
- Reduced number of code corrections required
- Improved developer skills
- Reduced effort and time spent on code reviews
- Ensured ALL code meets security and compliance requirements

Page 11

Custom ABAP

Page 12

Custom ABAP: The Evolution of SAP®

In the past:
- Isolated systems
- Fewer users
- Less data
- Less custom development
- Regular but rare releases

Today:
- Open systems
- More users
- More data
- More custom development
- Frequent release cycles
- Reduced staff

Future:
- More open systems
- Even more users
- Even more data
- Even more development
- Higher frequency releases
- Even smaller staff

Page 13

Custom ABAP: SAP Security – Holistic View

- SAP security and quality must be addressed holistically, including custom code
- Custom code can result in:
  - system failure
  - hacker access
  - slow performance
- Business apps must properly enforce Business Logic (rules)
- GRC & SoD are only effective if they are enforced within application code

Diagram: layers of an SAP system, top to bottom: Business Logic, Business Run-time, Database, Operating System

Page 14

Attack Surface of SAP, 1997 – Good old times

Diagram: SAP ABAP® System reached by Direct UIs and External Systems

Page 15

Attack Surface of SAP, 2002 – Complexity grows

Diagram: SAP ABAP® System reached by Direct UIs, Indirect UIs and External Systems

Page 16

Attack Surface of SAP, 2007 – and grows

Diagram: SAP ABAP® System reached by Direct UIs, Indirect UIs and External Systems

Page 17

Attack Surface of SAP, since 2011 – and grows

Diagram: SAP ABAP® System reached by Direct UIs, Indirect UIs and External Systems

Page 18

Custom ABAP: Current Situation

The average SAP customer system has:

- 0.84 critical security / compliance errors per 1,000 LOC
- 50% probability of an ABAP® Command Injection vulnerability
- 88% probability of a Directory Traversal vulnerability
- 99.9% probability of defective Authorization Checks

Source: CodeProfiler scans of custom ABAP® code from 171 SAP systems (status: May 2014); total amount of scanned customer code: 377 million lines

Page 19

Custom ABAP: Costs of correcting a single defect

The earlier the code is repaired, the lower the cost:

- to correct a defect during development: $100
- to correct the same defect when found during QA testing: $1,000
- to correct the same defect found in production: $10,000
- cost of an attack or system down: $

Page 20

Custom ABAP: Cost of Correcting Code

Chart: Cost of Development plotted against Time to Go Live across DEV, QAS and PRD; the cost of correcting code rises 1 : 10 : 100 from DEV to QAS to PRD. Labels on the timeline: Eclipse integration, SE80 integration, TMS Integration Test, Go Live.

Page 21

Custom ABAP: Code Scanning Compliance

- DOD Proof of security and compliance
- PCI-DSS (Payment Card Industry Data Security Standard)
- PIA (Privacy Impact Assessment)
- PII (Personally Identifiable Information)
- Company specific policies

Page 22

Best Practices

Page 23

Best Practices: Recommended Testing

- Security
- Compliance
- Performance
- Robustness
- Maintainability

Page 24

Best Practices: Code Reviews!

Top 10 Most Dangerous Security Vulnerabilities:

- ABAP Command Injection
- OS Command Injection
- Native SQL Injection
- Improper Authorization Checks
- Directory Traversal
- Direct Database Modifications
- Cross-Client Database Access
- Open SQL Injection
- Generic Module Execution
- Cross-Site Scripting
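Two of the listed categories in working ABAP, each as the defective form followed by its corrected form. This is an added example, not code from the slides or from TEWLS; the report name, the parameters and the logical file name ZTEWLS_EXPORT are assumptions.

```abap
" Added example, not slide code. Assumed: report name, logical file name ZTEWLS_EXPORT.
REPORT ztewls_mat_export.

PARAMETERS: p_werks TYPE werks_d,      " plant, entered by the user
            p_file  TYPE localfile.    " export path, entered by the user

DATA: lt_mard TYPE STANDARD TABLE OF mard,
      lv_path TYPE string.

START-OF-SELECTION.
  " --- Improper Authorization Check --------------------------------------
  " Defective: AUTHORITY-CHECK is issued but sy-subrc is never evaluated,
  " so the stock data is read even when the user may not display this plant.
  AUTHORITY-CHECK OBJECT 'M_MATE_WRK'
    ID 'ACTVT' FIELD '03'
    ID 'WERKS' FIELD p_werks.
  SELECT * FROM mard INTO TABLE lt_mard WHERE werks = p_werks.

  " Corrected: the check result gates the data access.
  AUTHORITY-CHECK OBJECT 'M_MATE_WRK'
    ID 'ACTVT' FIELD '03'
    ID 'WERKS' FIELD p_werks.
  IF sy-subrc <> 0.
    MESSAGE |No display authorization for plant { p_werks }| TYPE 'E'.
  ENDIF.
  SELECT * FROM mard INTO TABLE lt_mard WHERE werks = p_werks.

  " --- Directory Traversal -----------------------------------------------
  " Vulnerable: the physical path comes straight from the screen, so a path
  " containing '..' segments ends up outside the intended export directory.
  OPEN DATASET p_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.

  " Corrected: validate the path against the logical file name maintained in
  " transaction FILE before the file system is touched.
  lv_path = p_file.
  CALL FUNCTION 'FILE_VALIDATE_NAME'
    EXPORTING
      logical_filename           = 'ZTEWLS_EXPORT'
    CHANGING
      physical_filename          = lv_path
    EXCEPTIONS
      logical_filename_not_found = 1
      validation_failed          = 2
      OTHERS                     = 3.
  IF sy-subrc <> 0.
    MESSAGE |File path rejected: { lv_path }| TYPE 'E'.
  ENDIF.
  OPEN DATASET lv_path FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  CLOSE DATASET lv_path.
```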

Page 25

Best Practices: Lessons Learned/Recommendations

- Begin static code scanning NOW!
- Test and correct early and often during development
- Set priorities based upon your own code base
- Plan to manage cleanup activities as well as ongoing development
- Don’t wait for an incident to occur
- Manual reviews are ineffective
- Vulnerabilities can be fatal
- Based upon your own code
- Decide what will stop a transport from being released
- Don’t wait until QA

Page 26

Best Practices: Automated Risk and Quality Management

Diagram: transport path Development (DEV) → Test/QA (QA) → Production (PRD), with the labels "Automatically scan ALL changes" and "Approve exception?"

Page 27

Virtual Forge CodeProfiler

Page 28

Virtual Forge CodeProfiler: Automated Risk Management

- Continuous validation
- Patented intelligent and efficient verification
- Minimized effort and total cost of ownership
- Flexible and scalable
- Comprehensive and powerful
- Proactive protection with transparency

Page 29

Virtual Forge CodeProfiler: Finding What Matters

Diagram: Data Control Flow Analysis traces Input (SAP GUI, BSP, RFC, ...) through the Software to a Dangerous Statement
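One source-to-sink path of the kind such an analysis follows, written as an added ABAP example rather than slide code: screen input crosses a call boundary under a new name and reaches a dynamic Open SQL WHERE clause (the Open SQL Injection category from the Top 10). The report name, the form name and the parameter names are assumptions.

```abap
" Added example, not slide code. Assumed: report and form names.
REPORT ztewls_stock_lookup.

TYPES ty_stock TYPE STANDARD TABLE OF mard WITH DEFAULT KEY.

PARAMETERS p_matnr TYPE char40.   " SOURCE: untrusted input from SAP GUI

DATA lt_stock TYPE ty_stock.

START-OF-SELECTION.
  " PROPAGATION: the input crosses a call boundary under a new name, which
  " is why a text search for the dangerous statement alone does not tell
  " whether its operand is user-controlled.
  PERFORM lookup_stock USING p_matnr CHANGING lt_stock.

FORM lookup_stock USING    iv_filter TYPE char40
                  CHANGING ct_stock  TYPE ty_stock.
  DATA lv_where TYPE string.

  " SINK (Open SQL Injection): the raw input is spliced into a dynamic
  " WHERE clause, so a quote character in the input rewrites the condition.
  lv_where = |MATNR = '{ iv_filter }'|.
  SELECT * FROM mard INTO TABLE ct_stock WHERE (lv_where).

  " Corrected 1: static WHERE with a host variable; the value is bound as
  " data and is never parsed as part of the statement.
  SELECT * FROM mard INTO TABLE ct_stock WHERE matnr = iv_filter.

  " Corrected 2: if the clause must stay dynamic, quote the value first so
  " that a SANITIZER sits between source and sink on the analysed path.
  lv_where = |MATNR = { cl_abap_dyn_prg=>quote( iv_filter ) }|.
  SELECT * FROM mard INTO TABLE ct_stock WHERE (lv_where).
ENDFORM.
```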

Page 30

Virtual Forge CodeProfiler: Customer Testimonials

Proven success

“One of the key requirements was to scan several billion lines of code each week. Together with Virtual Forge we have been able to create a truly unique solution.”
Michael Brauer, Director of Corporate Automation within the Corporate IT department at Siemens

“Applying the Virtual Forge CodeProfiler and the close collaboration helped us to increase the level of security and improved the quality of our business solutions.”
Ralph Salomon, Vice President IT Security & Risk Office at SAP

“With Virtual Forge CodeProfiler tightly integrated into our SAP change and transport management processes, we were able to scan all our custom ABAP® code and identify non-compliant code in no time at all.”
Joby Joseph, SAP Security Lead at Globe and Mail

Page 31

Virtual Forge CodeProfiler: Free Risk Assessment Offer!

How good is your SAP system? Visit www.virtualforge.com

Free SAP® Risk Assessment (Quality, Compliance, Security) with Virtual Forge CodeProfiler and SystemProfiler:

- Summary of findings
- Prioritization and classification of vulnerabilities
- Specific examples of findings
- Code and system metrics

Page 32

Disclaimer

© 2014 Virtual Forge GmbH. All rights reserved. Information contained in this publication is subject to change without prior notice. These materials are provided by Virtual Forge and serve only as information. SAP, ABAP and other named SAP products and services as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries worldwide. All other names of products and services are trademarks of their respective companies. Virtual Forge accepts no liability or responsibility for errors or omissions in this publication. From the information contained in this publication, no further liability is assumed. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of Virtual Forge GmbH, Germany or Virtual Forge Inc., Philadelphia. The General Terms and Conditions of Virtual Forge apply.

Page 33

More Case Studies To Come … @Virtual_Forge