SAP NetWeaver Application Server, add-on for code vulnerability analysis Jürgen Adolf, Product Management Security SAP SE, July 2016


© 2016 SAP SE or an SAP affiliate company. All rights reserved. 2 Customer

Legal disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Software security vulnerability situation today

Your software is everywhere. How can you be sure that these highly accessible applications are also highly secure?

Today's business applications have a history:

• Grown over the years
• Complex
• Built on changing requirements
• Created based on different development paradigms
• Optimized for performance
• Extended but not reinvented

The challenge of security

In order to secure an application, all of its components, functions, infrastructure and the related threats must be understood.

In order to break an application, only one flaw in any of its components/functions or the infrastructure may be enough.

Problem

• Each new technology adds the risk of new vulnerabilities.
• Firewalls, intrusion detection systems, signatures and encryption are not sufficient to make applications secure.

Approach today: expensive + reactive

1. Somebody builds insecure software (in-house, outsourced, commercial, open source)
2. IT deploys the insecure software
3. Breach or pen test proves our code is bad
4. We convince and pay developers to fix it ($)

Application security testing solutions at SAP

DAST (Dynamic Application Security Testing): find vulnerabilities in the running application
• Manual Application Penetration Testing
• Automated Application Vulnerability Scanning

SAST (Static Application Security Testing): find vulnerabilities analyzing the sources
• Manual Source Code Review
• Automated Source Code Analysis: SAP NetWeaver Application Server, add-on for code vulnerability analysis & SAP Fortify by HPE

Enterprise application security best practice from SAP

SAP Development runs security tests on all SAP applications and code delivered by SAP.

SAP performs analysis on approximately 178 million lines of non-ABAP code using SAP Fortify by HPE.

SAP Development uses SAP CVA to scan more than 500 million lines of ABAP code before delivery to our customers.

SAP SE:
• SAP cloud development systems: ~500
• SAP internal business systems: ~40
• SAP on-premise software development systems: ~8,500

SAP ABAP test framework ABAP Test Cockpit


ABAP Test Cockpit

Figure: ABAP Test Cockpit (ATC) and the check tools it integrates: SAP Code Vulnerability Analyzer (SLIN_SEC), SAP Code Inspector (SCI), Extended Program Check (SLIN), Syntax Check (Check, SE80).

Benefits

• Single point of entry for all static code check tools
• Integration in ABAP development workbench with high usability for developers and quality experts
• Support essential QA techniques like Q-Gates and regression testing in a consolidation system
• Transport control via check-runs before transport
• Exemption process to handle findings effectively
• Prioritization of automated test-cases

ATC configuration

Using ATC Configuration, you can define

• The ATC master system
• The checks to be used as a default
• Enable or disable exemptions
• Configure the behavior of the transport subsystem in case of failing ATC checks of transports.

ABAP Test Cockpit integrated into the ABAP IDE


Example for a development landscape

Figure: Development System 1 and Development System 2 feeding a Consolidation System.

• Developers run static/unit/scenario tests on their objects
• Periodic check runs to validate the code of a development team
• Quality-Gate: check during transport release (in each development system)
• Quality-Gate: mass check run and consolidation test (in the consolidation system)
• Q-experts run mass checks and distribute the results
• Use ONE quality standard for Q-Gates

Features for developers

ATC features

• Start ATC within different ABAP workbench tools: SE80, SE24, SE38, SE11…
• ATC automatically runs during release of transport requests
• Easy access to central ATC results in the development systems
• User-centric display of ATC results - incl. powerful filter, navigation, re-check…

Developer tasks: checks code during development and transport release, corrects bugs, requests exemptions for false-positives

Features for quality experts

ATC features

• Exemption approval process
• E-mail ATC result to "responsible" contact person
• Statistics showing aggregation of ATC findings using different criteria
• Execution of ABAP Unit tests

Quality expert tasks: defines commonly used check variant, monitors quality of the whole code base, approves exemptions

ATC administration

ATC features

• Powerful parallelization engine to run mass tests very effectively
• Restart capability in case of a canceled/crashed ATC run
• Possibility to schedule regular ATC runs
• Powerful monitoring tool and flexible logging
• Distribute ATC results to multiple target systems (e.g. from consolidation to dev. systems)

Administrator tasks: configures ATC in development and consolidation systems, monitors execution of ATC check runs and regular jobs

Application security testing SAP NetWeaver AS, add-on for code vulnerability analysis


SAP NetWeaver AS, add-on for code vulnerability analysis features

Increased security for your applications:

• Integrated into standard ABAP development infrastructure
• Extensive documentation to support developers in fixing issues found
• Priority of each check can be adjusted to match the requirements
• Exemption workflows to ease handling of false positives
• Reduced false-positive rate by data flow analysis
• Remote scans with SAP NW AS ABAP 7.50
• Integration with other scanning tools
• Supports automation requirements of quality assurance teams

Integrated into standard developer tools

• Based on the integration into the ABAP Test Cockpit, the code checks can easily be launched from most developer tools like SE80, SE38 and more.
• You can not only launch checks for single objects but also for groups of objects.

Requirements of quality assurance teams

• Scheduled runs of automated tests

• Automated test runs on transport requests

• Automatic notifications sent on test failure

• Aggregated check results including trend analysis


Priority of each check can be adjusted to match the requirements

• Ability to control the priority of every single finding
• Take into account your own risk and security requirements.
• Possibility of a phased approach, enabling security checks over time to have a higher acceptance by developers.

Supporting the developer in fixing his code

• Detailed documentation of detected issues
• Explanation on the nature of the weakness
• Information on how to avoid and fix the findings
• Support direct navigation to
  - the location in the sources
  - the related documentation
  - the workflow to create an exemption

Reduced false-positive rate by data flow analysis

• Are there input parameters available?
• Analysis on the level of a compilation unit
  - Global class
  - Function group
  - Program

Exemption workflows to ease handling of false positives


Remote security checks

Figure: Central Check System (SAP_BASIS ≥ 7.50) running CVA and ATC, connected to the Analyzed System (planned: SAP_BASIS ≥ 7.00) through a stub that reads the ABAP Repository.

• Configuration of checks and administration of check runs takes place in the central check system
• The stub can be installed through SAP note. No upgrade, no SP prerequisite in analyzed systems
• Recommendation: Use the central check system for CVA only
  - No dependencies to other software components
  - You can easily implement support packages and upgrades
  - Easy consumption of new or enhanced security checks

Integration with other code scanning tools

• Interface to export findings to reporting tools
• Integration with SAP Fortify by HPE
  - Complements and extends SAP NetWeaver Application Server, add-on for code vulnerability analysis
  - Works with other SAP Quality Assurance Solutions to optimize your current investment
  - Supports various programming languages

Architecture overview

Figure (assembled step by step on the slide): ABAP Developer and Quality Expert; ABAP Workbench with ABAP Editors; ABAP Source Code; ABAP Test Cockpit (ATC) with Code Inspector Checks and SLIN Security Checks; Check Results and Exemptions; Transport Management.

Introductory example: SQL Injection

Input for street:
  xyz' salary = '1500

Resulting set_expr:
  STREET = 'xyz' salary = '1500'

Executed statement:
  ... SET STREET = 'xyz' salary = '1500'

How the code analysis works

1. There is an input field
2. There is a potentially dangerous statement
3. There is a data flow between the input field and the dangerous statement

The Code Analyzer is searching for potentially vulnerable statements, where the input comes from untrusted sources. Only such occurrences are reported!
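The three conditions above, as an added example that is not code from the slides: a toy Python data-flow check over constructed ABAP-like statements. It assumes PARAMETERS/SELECT-OPTIONS declarations as the input fields, the dynamic SET clause of UPDATE as the dangerous statement, and a call to cl_abap_dyn_prg=>quote( ) as the quoting method that stops the flow (the slide does not name the method; that choice is an assumption).

```python
import re

# Added example (not SAP code): a toy data-flow check that models the three
# conditions on the slide over constructed, ABAP-like statements. Sources are
# PARAMETERS/SELECT-OPTIONS input fields, the sink is a dynamic SET clause in
# UPDATE (the slide's SQL injection case), and cl_abap_dyn_prg=>quote( ... ) is
# assumed to be the quoting method that neutralises a value.

SOURCE_RE = re.compile(r"^(?:PARAMETERS|SELECT-OPTIONS)\s+(\w+)", re.I)
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+?)\s*\.$")
SINK_RE = re.compile(r"^UPDATE\s+\w+\s+SET\s+\((\w+)\)", re.I)
QUOTED_RE = re.compile(r"cl_abap_dyn_prg=>quote\(\s*\w+\s*\)", re.I)
IDENT_RE = re.compile(r"\b\w+\b")


def analyze(program):
    """Return findings as (statement index, sink variable, taint path).

    A finding needs all three conditions: an input field (1) whose value
    reaches (3) a dynamic statement (2). Clean or quoted data is not reported.
    """
    tainted = {}   # variable -> chain of variables back to the input field
    findings = []
    for idx, raw in enumerate(program):
        stmt = raw.strip()
        m = SOURCE_RE.match(stmt)
        if m:                                    # condition 1: an input field
            name = m.group(1).lower()
            tainted[name] = [name]
            continue
        m = ASSIGN_RE.match(stmt)
        if m:                                    # propagate through assignments
            lhs, rhs = m.group(1).lower(), m.group(2)
            rhs = QUOTED_RE.sub("", rhs)         # a quoted value no longer carries taint
            carriers = [v.lower() for v in IDENT_RE.findall(rhs)
                        if v.lower() in tainted]
            if carriers:
                tainted[lhs] = tainted[carriers[0]] + [lhs]
            else:
                tainted.pop(lhs, None)           # overwritten with clean data
            continue
        m = SINK_RE.match(stmt)
        if m:                                    # condition 2: a dangerous statement
            var = m.group(1).lower()
            if var in tainted:                   # condition 3: a data flow exists
                findings.append((idx, var, tainted[var]))
    return findings


# Constructed sample programs (not real SAP code).
VULNERABLE = [
    "PARAMETERS p_street TYPE string.",
    "DATA: lv_tmp TYPE string, lv_expr TYPE string.",
    "lv_tmp = p_street.",
    "lv_expr = |STREET = '{ lv_tmp }'|.",
    "UPDATE zcustomers SET (lv_expr) WHERE id = 1.",
]
QUOTED = [
    "PARAMETERS p_street TYPE string.",
    "DATA lv_expr TYPE string.",
    "lv_expr = |STREET = { cl_abap_dyn_prg=>quote( p_street ) }|.",
    "UPDATE zcustomers SET (lv_expr) WHERE id = 1.",
]
NO_INPUT = [
    "DATA lv_expr TYPE string.",
    "lv_expr = |STREET = 'xyz'|.",
    "UPDATE zcustomers SET (lv_expr) WHERE id = 1.",
]

if __name__ == "__main__":
    for name, prog in (("VULNERABLE", VULNERABLE), ("QUOTED", QUOTED), ("NO_INPUT", NO_INPUT)):
        print(name, analyze(prog))
```

Only VULNERABLE yields a finding, with the path p_street -> lv_tmp -> lv_expr; QUOTED has the dangerous statement but no unquoted flow, and NO_INPUT has no input field at all.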

Corrected program

The method called in the corrected program adds ' ' around the value of street and escapes every ' within the value.

Note: phone is an integer type and does not need to be escaped.
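The slide's injected street value and the quoting fix, as an added Python model that is not the ABAP code on the slide: quote() implements the rule just described, and parse_set_expr() reads the resulting set_expr the way the database would, so the number of assignments shows whether the input was reinterpreted. The PHONE column and the sample values are assumptions.

```python
import re

# Added example (not the ABAP code on the slide): a Python model of the
# dynamic SET clause from the introductory example and of the quoting fix.
# quote() implements the rule the slide describes for the corrected program:
# surround the value with ' ' and escape every ' inside it. PHONE is an
# integer column, so it needs no quoting. Column names and sample values
# are constructed for this example.

ASSIGNMENT_RE = re.compile(r"(\w+)\s*=\s*('(?:[^']|'')*'|\d+)")


def quote(value):
    """Surround value with ' ' and escape each embedded ' by doubling it."""
    return "'" + value.replace("'", "''") + "'"


def build_set_expr_unsafe(street, phone):
    """Before the fix: the street input is pasted verbatim into set_expr."""
    return f"STREET = '{street}' PHONE = {int(phone)}"


def build_set_expr_safe(street, phone):
    """Corrected program: street is quoted; phone is an integer and not escaped."""
    return f"STREET = {quote(street)} PHONE = {int(phone)}"


def parse_set_expr(set_expr):
    """Read set_expr the way the database would: one (column, value) per assignment.

    Quoted literals are unquoted and doubled quotes collapse back to a single '.
    """
    assignments = []
    for column, raw in ASSIGNMENT_RE.findall(set_expr):
        value = raw[1:-1].replace("''", "'") if raw.startswith("'") else raw
        assignments.append((column, value))
    return assignments


if __name__ == "__main__":
    # The input for street from the slide: it closes the literal and adds an assignment.
    street = "xyz' salary = '1500"
    print(parse_set_expr(build_set_expr_unsafe(street, 5551234)))
    # three assignments: the extra 'salary' assignment is executed as well
    print(parse_set_expr(build_set_expr_safe(street, 5551234)))
    # two assignments: the whole input is stored as the STREET value
```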

Security checks in detail Overview of available checks


OWASP top 10 coverage

• A1 Injection: Yes
• A2 Broken Authentication and Session Management: Handled by applications
• A3 Cross Site Scripting: Yes
• A4 Insecure Direct Object References: Yes
• A5 Security Misconfiguration: Handled by configuration validation
• A6 Sensitive Data Exposure: Yes
• A7 Missing Functional Level Access: Yes
• A8 Cross Site Request Forgery (CSRF): Yes
• A9 Using Known Vulnerable Component: Yes
• A10 Unvalidated Redirects and Forwards: Yes

Link: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

BIZEC APP11 coverage

• APP-01 ABAP command Injection: Yes
• APP-02 OS command Injection: Yes
• APP-03 Native SQL Injection: Yes
• APP-04 Improper Authorizations: Yes
• APP-05 Directory Traversal: Yes
• APP-06 Direct Database Modifications: Yes
• APP-07 Cross-Client Database Access: Yes, Code Inspector check
• APP-08 Open SQL Injection: Yes
• APP-09 Generic Module Execution: Yes
• APP-10 Cross-Site Scripting: Yes
• APP-11 Obscure ABAP Code: Yes

Link: http://www.bizec.org/wiki/BIZEC_APP11

Overview of available checks

Security Checks:
• SQL Injection (Open SQL)
• SQL Injection (ADBC)
• Call Injection
• Code Injection (ABAP)
• Directory Traversal
• OS Command Injection
• Backdoors & Authorizations
• Web Exploitability

Overview of the available checks
- SQL Injection (Open SQL) -

Manipulation of dynamic Open SQL

• Potential manipulation of the dynamic WHERE condition (1101)
• Potential manipulation of a dynamic WHERE condition using the parameter I_FILTER of the object services method CREATE_QUERY (1122)
• Potential manipulation of the SET clause in the statement UPDATE (1112)
• Potential read performed on an illegal database table in a SELECT statement (1118)
• Potential read performed on an illegal database table in a modifying OpenSQL statement (1120)
• Potential read performed using an invalid secondary database connection in an Open SQL statement (1121)
• Potential read performed on invalid table columns (1114)
• Potential use of illegal columns in a dynamic GROUP BY clause (1116)
• Potential use of illegal columns in a dynamic HAVING clause (1117)

Overview of the available checks
- SQL Injection (ADBC) -

Manipulation of SQL statements

• Potential injection of harmful SQL statements or clauses in execution of DDL statements in ADBC (1128)
• Potential injection of harmful SQL statements or clauses in execution of DML statements in ADBC (1130)
• Potential injection of malicious SQL statements or clauses when calling an appropriate API (11D1)

Overview of the available checks
- Code Injection (ABAP) -

Manipulation of ABAP code created dynamically

• Potential injection of harmful code in the statements INSERT REPORT and GENERATE SUBROUTINE POOL (1108)
• Potential manipulation of the dynamic WHERE condition in an internal table (1190)
• Potential injection of harmful code when the RFC-enabled function module RFC_ABAP_INSTALL_AND_RUN was called (1109)

Overview of the available checks
- Call Injection -

Manipulation in dynamic calls

• Dynamic CALL TRANSACTION without whitelist check and/or without authorization check (1142 / 114E / 114F / 114G)
• Potential call of an unwanted transaction using the statement LEAVE TO TRANSACTION (1143)
• Potential call of an illegal program using the statement SUBMIT (1141)
• Potential call of invalid function module using RFC (1140)
• UI-driven or RFC-driven dynamic call of a function module (1144)
• Static CALL TRANSACTION without whitelist check and/or without authorization check (114A / 114B / 114C / 114D)
• C function call with names as potential user input (1171)
• Statement COMMUNICATION used (11C1)

Overview of the available checks
- OS Command Injection -

Injections of operating system commands

• Statement CALL 'SYSTEM' used (1170)
• Potential manipulation in the FILTER addition of the statement OPEN DATASET (1106)
• FILTER addition of the statement OPEN DATASET used (1107)

Overview of the available checks

- Directory Traversal -

Access to illegal directories and files

• Potential manipulation of the file name in the statement OPEN DATASET or DELETE DATASET (1104)

• Potential manipulation of the file name in the method CREATE_UTF8_FILE_WITH_BOM of the class CL_ABAP_FILE_UTILITIES (1124)

• Non-secure parameter of the function module FILE_GET_NAME or FILE_VALIDATE_NAME used (1126)
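As an added example (not part of the original presentation), the ABAP below shows the OPEN DATASET that check 1104 reports next to a hardened form that validates the user's physical file name against a logical file name with FILE_VALIDATE_NAME before opening it. The report name, the parameter p_fname, the form names and the logical file name Z_EXPORT_FILE are assumed for illustration; Z_EXPORT_FILE would have to be maintained in transaction FILE with the intended directory as its physical path.

```abap
REPORT z_cva_directory_traversal_demo.

" Complete physical file name supplied by the user (assumed parameter name)
PARAMETERS p_fname TYPE c LENGTH 255 LOWER CASE.

DATA lv_line TYPE string.

START-OF-SELECTION.
  PERFORM read_checked.

" --- Vulnerable (reported as 1104): the user's value is the path. A name
" --- such as "/usr/sap/<SID>/export/../../SYS/profile/DEFAULT.PFL" leaves
" --- the export directory; with DELETE DATASET the same input removes files.
FORM read_unchecked.
  OPEN DATASET p_fname FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc = 0.
    READ DATASET p_fname INTO lv_line.
    CLOSE DATASET p_fname.
  ENDIF.
ENDFORM.

" --- Hardened: the physical name is checked against the logical file name
" --- Z_EXPORT_FILE (assumed). Validation fails when the normalised path does
" --- not match the configured directory pattern, so ".." sequences and
" --- foreign directories never reach OPEN DATASET.
FORM read_checked.
  DATA lv_physical TYPE string.

  lv_physical = p_fname.
  CALL FUNCTION 'FILE_VALIDATE_NAME'
    EXPORTING
      logical_filename           = 'Z_EXPORT_FILE'
    CHANGING
      physical_filename          = lv_physical
    EXCEPTIONS
      logical_filename_not_found = 1
      validation_failed          = 2
      OTHERS                     = 3.
  IF sy-subrc <> 0.
    MESSAGE 'File name rejected' TYPE 'E'.
  ENDIF.

  " The check may normalise the name: open lv_physical, not p_fname
  OPEN DATASET lv_physical FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc = 0.
    READ DATASET lv_physical INTO lv_line.
    CLOSE DATASET lv_physical.
  ENDIF.
ENDFORM.
```

Using the validated (and possibly rewritten) name for the actual file access, rather than the original input, is what makes the check effective; validating one variable and opening another is exactly the kind of gap a data-flow based analyzer is designed to catch.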


Overview of the available checks

- Backdoors & Authorizations -

Weak authorization checks or user administration bypassed

• Hard-coded user name, possibly from undeleted test code or an indication of a back door (0821)

• Hard-coded host name sy-host, possibly from undeleted test code or an indication of a back door (11S1)

• Hard-coded system ID sy-sysid, possibly from undeleted test code or an indication of a back door (11S2)

• Hard-coded client sy-mandt, possibly from undeleted test code or an indication of a back door (11S3)

• System variable sy-xxxx compared with a hard-coded value, from forgotten test code or possibly indicating a back door (11S4)

• SY-SUBRC not evaluated after the statement AUTHORITY-CHECK (1160)

• SY-SUBRC not evaluated after switchable authorization check (1161)

• AUTHORITY-CHECK with explicit user name (1180)

• AUTHORITY-CHECK with explicitly specified user name sy-uname (1181)

• SY-SUBRC not handled after a security-relevant function was called (1165)

• Static CALL TRANSACTION without or with possibly insufficient authorization check (114A, 114B, 114C, 114D)

• FILTER addition of the statement OPEN DATASET used (1107)
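As an added example (not part of the original presentation), the ABAP below collects three of the patterns listed on this slide, an AUTHORITY-CHECK whose result is ignored (1160), a hard-coded user name (0821) and a hard-coded system ID (11S2), next to a hardened form. The report name, the parameters p_class and p_prog, the form names and the literals DEVELOPER and DEV are assumed for illustration.

```abap
REPORT z_cva_authorization_demo.

" Object to be changed (assumed parameter names)
PARAMETERS: p_class TYPE devclass,
            p_prog  TYPE progname.

START-OF-SELECTION.
  PERFORM edit_checked.

" --- Patterns reported by the checks on this slide -----------------------
FORM edit_unchecked.
  " 1160: sy-subrc is never inspected, so the check has no effect at all
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' FIELD p_class
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD p_prog
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '02'.
  PERFORM do_edit.

  " 0821: a hard-coded user name is a second path around the check,
  " whether it is forgotten test code or a deliberate back door
  IF sy-uname = 'DEVELOPER'.
    PERFORM do_edit.
  ENDIF.

  " 11S2: branching on the system ID makes the program behave differently
  " in one system than in every other one
  IF sy-sysid = 'DEV'.
    PERFORM do_edit.
  ENDIF.
ENDFORM.

" --- Hardened: one check for the current user, result evaluated, hard stop
" --- on failure, no comparison against a hard-coded user, client or system.
FORM edit_checked.
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' FIELD p_class
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD p_prog
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '02'.
  IF sy-subrc <> 0.
    MESSAGE 'No change authorization for this program' TYPE 'E'.
  ENDIF.
  PERFORM do_edit.
ENDFORM.

FORM do_edit.
  " privileged work would go here
ENDFORM.
```

Note that the hardened form checks for the current user without the FOR USER addition: the checks 1180 and 1181 on this slide flag an explicitly specified user name precisely because it decouples the check from whoever is actually running the code.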


Overview of the available checks

- Web Exploitability -

Possible attacks using Web technologies

• Obsolete escape method used (1150)

• Potential risk of cross-site scripting (1132)

• Potential unvalidated URL redirect (11P1)

• Missing Content Check During HTTP Upload (11F1)

Checks specific to Business Server Pages (BSP)

• forceEncode="enabled" not specified for htmlb:content (1151)

• Obsolete design or no design specified for htmlb:content (1152)

• The BSP application is not protected against XSRF (11RF).


Release - Availability


ABAP Test Cockpit

• ATC is the standard ABAP check framework at SAP

• The ABAP Test Cockpit (ATC) is a tool for static and dynamic quality checks of ABAP code and associated repository objects

• ATC is based on the Code Inspector, so migration is easy: just re-use your current global Code Inspector check variant

• ATC is available as part of:

SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 12

SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 05

SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 05

SAP NetWeaver AS ABAP 7.4


SAP NetWeaver AS, Add-on for Code Vulnerability Analysis

• Developed by the team that creates the ABAP language

• Tightly integrated into the standard ABAP development and testing infrastructure

• Used successfully for years in SAP's own standard software development

• Successfully piloted and used by customers

• SAP NetWeaver AS, add-on for code vulnerability analysis is available as of:

SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 14

SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 09

SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 09

SAP NetWeaver AS ABAP 7.4 Support Package 05 and later releases

SAP NetWeaver AS ABAP 7.5, including the new remote check framework


Summary


Recommendations

• Always have security in mind when developing software!

It's best practice to build good software in the first place; repairing it later is far more expensive. And after all, you don't want to put insecure software into productive use.

• Move sanitization as close as possible to the critical statement!

Both the critical statement and the appropriate sanitization often depend on the deployed technology. Moreover, a sanitization placed next to the statement is automatically reused whenever the code is reused.

• Use a static code analyzer, and use it every time you change your code!

Using a static code analyzer is a quick win: many security problems can be detected right after the code has been written.

• Don't forget dynamic security tests!

It might be tempting, but you can't rely on static checks alone. There are security issues that a static code checker cannot find, e.g. missing encryption or a missing virus check.

• Train your developers!

If they don't know about the possible security problems, they can't avoid them. The ABAP keyword documentation can serve as a starting point and has been enhanced for critical statements.


Further Information

SAP NetWeaver Application Server, add-on for code vulnerability analysis

http://wiki.scn.sap.com/wiki/display/ABAP/SAP+NetWeaver+Application+Server%2C+add-on+for+code+vulnerability+analysis

Roadmap presentation: https://service.sap.com/~sapidb/011000358700000256742014E.pdf

ABAP Test and Analysis Tools

http://wiki.sdn.sap.com/wiki/display/ABAP/ABAP+Test+and+Analysis+Tools

ABAP Test Cockpit (ATC)

http://wiki.sdn.sap.com/wiki/display/ABAP/ABAP+Test+Cockpit

SAP Community

http://scn.sap.com/community/security

http://scn.sap.com/community/abap/testing-and-troubleshooting


Thank you

Jürgen Adolf

SAP Product Management Security, SAP SE

[email protected]


© 2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate

company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its

affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and

services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as

constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop

or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future

developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time

for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-

looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place

undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.