TRANSCRIPT
How the U.S. Department of Defense Secures Its Custom ABAP Code
Christine Warring, TEWLS Sustainment Project Manager, JMLFDC (CACI Contractor)
© 2015, Virtual Forge, Inc. All rights reserved.
SAP TEWLS @ Dept of Defense Custom ABAP Applications
Theater Enterprise Wide Logistics System (TEWLS)
SAP-based Enterprise Resource Planning
Supports theater-level medical logistics
Developed by US Army to replace TAMMIS
Single shared data environment
Developed in ABAP
What is TEWLS? Enterprise-level total life cycle management of medical assemblages
Life cycle phases: Development, Production, Fielding, Sustainment
Theater Intermediate-Level Medical Logistics: acquisition & life-cycle management
Strategic programs for mobilization & deployment of materials
Theater Supply Chain Management, including full storage and distribution capabilities for Medical Materials (TLAMM)
Compliance with the Federal Financial Management Improvement Act (FFMIA), Standard Financial Information Structure (SFIS), and Federal Information System Controls Audit Manual (FISCAM)
Challenges: Passing the Test
Department of Defense adopted TEWLS: TEWLS to be used for all armed forces
Required to prove that ABAP code was secure and compliant
The Problem: static code scanning required
Code scanning solution that DoD mandated did not produce accurate results
Unable to go live without Authority to Operate (ATO)!
Challenges: The Problem
Limitations with existing tools:
Many false findings
Inconsistent results (even with the same code base)
Developers could not use it day to day
Limited test scope
No help with remediation!
Impact:
Used valuable resource time working through false results
Unable to prove that the code was secure and compliant to finalize the DoD ATO
Annoyed developers
Late feedback for developers
Challenges: The Solution
ABAP scanning with CodeProfiler:
Accurate results with prioritized findings
Comprehensive testing
Developers can correct and learn while they work
Detailed remediation instructions and auto-correction
Results:
Able to scan and remediate vulnerabilities quickly
Reduced number of code corrections required
Improved developer skills
Reduced effort and time spent on code reviews
Ensured ALL code meets security and compliance requirements
Custom ABAP: Are your custom applications compliant?
ATO (Authority To Operate)
PII (Personally Identifiable Information)
PIA (Privacy Impact Assessment)
PCI-DSS (Payment Card Industry Data Security Standard)
Internal standards
Best Practices: Recommended Testing
Security and compliance
Performance
Stability and robustness
Maintainability
Best Practices: Code Reviews
Top 11 Most Dangerous Security Vulnerabilities:
1. ABAP Command Injection
2. OS Command Injection
3. Native SQL Injection
4. Improper Authorization Checks
5. Directory Traversal
6. Direct Database Modifications
7. Cross-Client Database Access
8. Open SQL Injection
9. Generic Module Execution
10. Cross-Site Scripting
11. Hidden ABAP Code
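As an added illustration of item 8 in this list (Open SQL Injection), not code from the TEWLS project or from CodeProfiler: the pattern a static scanner flags, and its corrected form, in a hypothetical ABAP report with selection-screen parameters p_matnr and p_sort.

```abap
REPORT z_dyn_where_demo.   " hypothetical report name, not part of TEWLS

" Constructed inputs: a material number and a sort column entered by the user.
PARAMETERS: p_matnr TYPE mara-matnr,
            p_sort  TYPE c LENGTH 30 DEFAULT 'MATNR'.

TYPES: BEGIN OF ty_mat,
         matnr TYPE mara-matnr,
         mtart TYPE mara-mtart,
       END OF ty_mat.
DATA: lt_mat   TYPE STANDARD TABLE OF ty_mat,
      lv_where TYPE string.

START-OF-SELECTION.

  " --- Vulnerable form: what the scanner reports as Open SQL Injection ---
  " Raw input is concatenated into the dynamic WHERE clause. A single quote in
  " the input terminates the literal and whatever follows is parsed as part of
  " the condition, so the caller decides which rows the SELECT returns.
  lv_where = |MATNR = '{ p_matnr }'|.
  SELECT matnr mtart FROM mara INTO TABLE lt_mat WHERE (lv_where).

  " --- Corrected form ---
  " cl_abap_dyn_prg=>quote( ) returns the value as a quoted SQL literal with any
  " embedded quotes doubled, so the input can only ever be compared as data.
  lv_where = |MATNR = { cl_abap_dyn_prg=>quote( p_matnr ) }|.
  SELECT matnr mtart FROM mara INTO TABLE lt_mat WHERE (lv_where).

  " Dynamic identifiers cannot be turned into literals; validate them instead.
  " check_column_name( ) raises cx_abap_invalid_name for anything that is not
  " a syntactically valid column name, which blocks injected clauses.
  TRY.
      cl_abap_dyn_prg=>check_column_name( p_sort ).
      SORT lt_mat BY (p_sort).
    CATCH cx_abap_invalid_name.
      MESSAGE 'Invalid sort column' TYPE 'E'.
  ENDTRY.
```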
Best Practices: Lessons Learned/Recommendations
Custom code can be a source of risk to SAP systems.
Automated testing is necessary to ensure code security and quality.
All solutions are not alike – Compare!
Start now. Don’t wait for an incident to occur.
Virtual Forge CodeProfiler: Free Risk Assessment Offer!
How good is your SAP system? Visit www.virtualforge.com
✓ Summary of findings
✓ Prioritization and classification of vulnerabilities
✓ Specific examples of findings
✓ Code and system metrics
Covers quality, compliance and security of the SAP system.
Risk Assessment / Penetration Test (free):
• SAP configuration
• Custom code
Disclaimer
© 2015 Virtual Forge Inc. All rights reserved.
SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are the trademarks of their respective companies.
Information contained in this publication is subject to change without prior notice. It is provided by Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in this publication. Information contained in this publication does not imply any further liability.
Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.