Information Security, ABAP Security and RBE Plus
Certification of RBE Plus technology as per BIZEC APP/11 and RBE Plus analysis as per ISO 27001
Would you let a stranger take a peek under the hood of your car? Or would you rather leave that task to your trusted mechanic?
If you will, complex business software systems are the engine of an organization. SAP systems such as SAP ERP control critical business processes and store all relevant data – the true capital of business activity. It used to be enough merely to limit access to this essential data and assign authorizations. But today’s sweeping interconnections, the incorporation of this data into complex landscapes and the connection to external systems demand much more in the way of security. Meanwhile, web servers and web applications connected to the internet are commonplace. Unfortunately the boost to functionality comes at the price of heightened risk.
Backdoors are everywhere – because of vulnerabilities in system architecture, carelessness in authorization assignment, holes in security, and programming errors, regardless of whether they occur in company-specific developments or in third-party add-on products. Unauthorized users are attracted to all sensitive data, whether personnel, customer, financial or other data.
Public awareness has been raised as a result of the far-reaching consequences of security loopholes. For example, the press has publicized the following announcement:
- SAP security: Virtual Forge alerts you to “killer errors” in ABAP customer code (https://www.it-finanzmagazin.de/sap-sicherheit-virtual-forge-warnt-vor-killerfehlern-im-abap-kundencode-27245/ German only)
Recommendations for preventing security risks (BSI), tightened data protection regulations and systematic management of information security as per ISO 27001 (ISMS)
Needless to say, user organizations – and by extension our customers – know about these security risks. This is why there is a wide range of regulations for the transport and/or execution of custom and third-party ABAPs in SAP systems that are far less “isolated” than they once were. Automatic code scans are a thoroughly tried and tested method. For instance, the Virtual Forge ABAP code scan is used by at least two of our customers on our RBE+ ABAPs, both with positive results. For us this is as satisfying as it is important, because analysis services are always a matter of trust. In addition to recommending regular checks of company-specific developments, the DSAG best-practice guide for development references the BIZEC APP/11 standard. The aim of the BIZEC consortium is to establish increasingly independent security standards.
The BIZEC APP/11 standard covers the following risk classes:

| ID | Risk class | Description |
|---|---|---|
| APP-01 | ABAP Command Injection | Arbitrary ABAP code can be executed dynamically. |
| APP-02 | OS Command Injection | Arbitrary OS commands can be executed. |
| APP-03 | Native SQL Injection | Arbitrary native SQL commands can be executed, bypassing all Open SQL constraints. |
| APP-04 | Improper Authorization (Missing, Broken, Proprietary, Generic) | No or flawed authorization check for critical operations. |
| APP-05 | Directory Traversal | Unauthorized access (write/read) to files. |
| APP-06 | Direct Database Modifications | Unauthorized write access to tables. |
| APP-07 | Cross-Client Database Access | Cross-client access to business data. |
| APP-08 | Open SQL Injection | Dynamic queries are used for unauthorized access to data. |
| APP-09 | Generic Module Execution | Unregulated execution of SAP standard modules (reports, function modules, etc.). |
| APP-10 | Cross-Site Scripting | Security loopholes in web applications (BSP) are exploited. |
| APP-11 | Obscure ABAP Code | Code whose purpose is concealed. |
Adherence to this standard is also recommended by the German Federal Office for Information Security (BSI), and it can be certified for ABAP transactions and reports:
- TOP 20 security risks in ABAP applications (https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Extern/TOP-20_Sicherheitsrisiken-in-ABAP-Anwendungen.pdf German only)
Not least because of this recommendation, we focus on certifying our tools. With this in mind, we commissioned an analysis of a new RBE+ ABAP for data extraction, delivered as a transport order consisting of several ABAPs, as per the BIZEC APP/11 standard.
What does the analysis do?
- First, a pre-scan of the ABAPs is performed to estimate the time and cost involved in certification. This check runs online as an automated code scan that produces a greatly abridged results report.
- Next, the productive analysis is commissioned. The first code scan runs similarly, but in addition to the detailed results report, the ABAPs are checked and assessed by experts. This manual sight check includes classifying automatic findings as “false positives” where they prove non-critical on closer analysis.
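The risk classes in the table above and the two-stage procedure (automated scan, then manual review of candidate false positives) can be illustrated with a small heuristic scanner. This is an added example, not RBE Plus tooling or the Virtual Forge scanner; the regex signatures, the constructed ABAP samples and the “review” status for findings that already use SAP’s `cl_abap_dyn_prg` escaping helper are assumptions made for illustration.

```python
import re

# One regex heuristic per BIZEC APP/11 class covered here (simplified, constructed).
RULES = {
    "APP-02": ("OS Command Injection", re.compile(r"\bCALL\s+'SYSTEM'|'SXPG_COMMAND_EXECUTE'", re.I)),
    "APP-03": ("Native SQL Injection", re.compile(r"\bEXEC\s+SQL\b|\bcl_sql_statement\b", re.I)),
    "APP-08": ("Open SQL Injection", re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I)),  # dynamic WHERE
    "APP-09": ("Generic Module Execution",  # report or function name taken from a variable
               re.compile(r"\bSUBMIT\s+\(\s*\w+\s*\)|\bCALL\s+FUNCTION\s+(?!')\w+", re.I)),
}
DB_ACCESS = re.compile(r"^\s*(SELECT|UPDATE|DELETE|MODIFY)\b", re.I)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.I)
# SAP's escaping helper turns a dynamic-WHERE hit into a review candidate for the manual sight check.
DYN_PRG_ESCAPE = re.compile(r"cl_abap_dyn_prg=>(quote|escape_quotes)\b", re.I)


def scan(source: str) -> list:
    """Return findings {'id', 'name', 'line', 'status'} for one ABAP source unit."""
    lines = source.splitlines()
    escaped = bool(DYN_PRG_ESCAPE.search(source))
    findings = []
    for no, text in enumerate(lines, start=1):
        if text.lstrip()[:1] in ('*', '"'):  # comment line, never executed
            continue
        for app_id, (name, rx) in RULES.items():
            if rx.search(text):
                status = "review" if app_id == "APP-08" and escaped else "finding"
                findings.append({"id": app_id, "name": name, "line": no, "status": status})
    # APP-04: table access without any AUTHORITY-CHECK anywhere in the unit
    if any(DB_ACCESS.search(l) for l in lines) and not AUTH_CHECK.search(source):
        findings.append({"id": "APP-04", "name": "Improper Authorization", "line": 0, "status": "finding"})
    return findings


# Constructed ABAP samples: the first glues user input into a dynamic WHERE clause and
# runs an OS command; the second adds an authority check and escapes the input.
VULNERABLE = """\
REPORT zdemo_vuln.
PARAMETERS p_bukrs TYPE bukrs.
DATA(lv_where) = |BUKRS = '{ p_bukrs }'|.
SELECT * FROM bkpf INTO TABLE @DATA(lt_bkpf) WHERE (lv_where).
CALL FUNCTION 'SXPG_COMMAND_EXECUTE' EXPORTING commandname = 'ZLIST'.
"""
HARDENED = """\
REPORT zdemo_fixed.
PARAMETERS p_bukrs TYPE bukrs.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0. RETURN. ENDIF.
DATA(lv_where) = |BUKRS = { cl_abap_dyn_prg=>quote( p_bukrs ) }|.
SELECT * FROM bkpf INTO TABLE @DATA(lt_bkpf) WHERE (lv_where).
"""
```

Running `scan(VULNERABLE)` reports APP-08, APP-02 and APP-04; `scan(HARDENED)` reports only the dynamic WHERE clause, downgraded to “review” because the input is quoted, which is exactly the kind of hit the manual sight check would then confirm or dismiss.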
Our RBE+ ABAPs were officially certified in early 2017. We view security as an ongoing process and will continue to incorporate ever stronger security features in our ABAPs. Taken together, this shows that we keep evolving our information security, as also documented by our ISO 27001 certificate, which has been externally audited every year since 2013. As an IT service provider we guarantee adherence to security standards, because the responsible handling of our customers’ data is our highest priority.