Post on 19-Mar-2018


Powered by Virtual Forge Solutions:

Integrate Security into the Development of SAP HANA Applications

Introduction

Dr. Yun Ding

Product Owner and Developer of CodeProfiler for HANA

Many years of practical experience in security engineering and software development

High performance computing and distributed systems

Practical cryptographic systems

Secure programming in Java and C

Developing SAP HANA applications is challenging

New programming languages: SQLScript, XSJS JavaScript, SAPUI5, Node.js, …

New development environments: SAP HANA Studio, Web IDE, …

CodeProfiler for SAP HANA (CP4H)

Detects software errors in early stages of development: reduces cost to repair defects

Integrates into different stages of the development lifecycle

Currently scans SQLScript and XSJS JavaScript

Integrated into Eclipse and SAP HANA Studio

Poll question 1

Which languages are most important for your HANA applications?

o SQLScript

o XSJS JavaScript

o SAPUI5

o Node.js

o Others

Poll question 2

Which development environment do you use?

o Eclipse + SAP HANA Tools

o SAP HANA Studio

o SAP HANA Web-based Development Workbench

o SAP Web IDE Personal Edition

o SAP Web IDE for SAP HANA

Components of CodeProfiler 4 HANA

Development lifecycle phases (diagram): Requirement, Design, Implementation, Testing, Transition, Maintenance

Components: Eclipse plugin, Batch Scanner, Finding Manager, Transport Management System Integration

Architecture

Components (diagram): Eclipse Plugin, Batch Scanner, HANA Server, Finding Manager, TMS Integration

Data flows (diagram): export HANA packages; upload scan results; query scan results

CP4H Eclipse Plugin

“Spell check” in Eclipse editor (Luna, Mars, Neon)

Automatically scans single files

Instant feedback

Recursively scans multiple complete HANA packages

Creates PDF reports

CP4H Batch Scanner

Repeated scanning of a large number of HANA systems from the console

GUI for building the configuration file

Exports scan results in PDF, XML, CSV, …

Uploads scan results to Finding Manager

HTTPS connections to HANA servers

Encrypts plaintext credentials in the configuration file with password-based encryption (PBKDF2)

Finding Manager

Client side: browser-based SAPUI5 application

Server side: XSJS JavaScript; persists findings and audit trail in the SAP HANA database

Role-based access control for auditing of findings

Workflow of CP4H TMS Integration

Source HANA System (Development) → CTS+ with CP4H TMS Integration → Target HANA System (QA/Production)

1. Release transport

2. Automatic scan by CP4H

3. Quality OK?

3a. Yes: allow transport

3b. No: reject transport

CP4H TMS Integration

Releases or blocks transport requests based on scan status

Enhancement of the CTS+ Transport Organizer

Components (diagram): CP4H Scan Service, Scanner (JCO)

Enhancements of the CTS+ Transport Organizer

Asynchronous processing of scan requests

Queuing, multiple CP4H scanners running in parallel

Thank you!

Virtual Forge

info@virtualforge.com

www.virtualforge.com

@VIRTUAL_FORGE

Disclaimer

© 2017 Virtual Forge GmbH. All rights reserved.

Information contained in this publication is subject to change without prior notice.

These materials are provided by Virtual Forge and serve only as information.

SAP, ABAP and other named SAP products and services as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries worldwide.

All other names of products and services are trademarks of their respective companies.

Virtual Forge accepts no liability or responsibility for errors or omissions in this publication. From the information contained in this publication, no further liability is assumed. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of Virtual Forge GmbH, Germany or Virtual Forge Inc. The General Terms and Conditions of Virtual Forge apply.