Securing SAP systems by eliminating ABAP code vulnerabilities


Preventing access to sensitive data by analysing ABAP code to identify and shut off vulnerabilities, once a nice-to-do, is now a must-do.

About five or six years ago, I saw a Virtual Forge CodeProfiler product demo in Melbourne. During the demo the presenter showed us the Melbourne-based SAP systems that were exposed to the internet and proceeded to gain access to one of their login screens. He then told us (rather than showed us) how he could exploit ABAP code vulnerabilities to gain access to data. Disappointing, as it would have been great to see him go further, but his professional hacker's code of conduct prevented it.

However, we did learn that not only is it simple enough for bad actors to access SAP systems, but also that a great deal of ABAP code contains vulnerabilities for bad actors to exploit once access is gained.

ABAP code vulnerabilities

Without security checks in the development process, weak ABAP code can leave openings that let an attacker read, change or extract sensitive data.

These include:

  • SQL injection (untrusted input spliced into dynamic Open SQL or ADBC statements)
  • ABAP command injection (untrusted input used to generate and run ABAP code)
  • Call injection (untrusted input deciding which function module, transaction or program is called)
  • Operating system command injection (untrusted input passed to external commands)
  • Directory traversal, i.e. unauthorised access to directories and files (untrusted input in file paths)
  • Insufficient authorisation checks (missing or incomplete AUTHORITY-CHECK statements)
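As an added illustration, not code from the article or from either vendor's product, the following ABAP shows two of the weaknesses in the list side by side with their fixes: a dynamic WHERE clause built from untrusted input (SQL injection) with no preceding authorisation check, and the hardened equivalents. The table ZEMPLOYEE, its NAME column and the authorisation object Z_EMP_READ are hypothetical; AUTHORITY-CHECK and CL_ABAP_DYN_PRG are standard ABAP.

```abap
" Added illustration, not code from the article or from any vendor.
" ZEMPLOYEE (with a NAME column) and authorization object Z_EMP_READ are
" hypothetical. The @host-variable syntax needs ABAP 7.40 SP05 or later.
CLASS lcx_no_authority DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS lcl_employee_reader DEFINITION.
  PUBLIC SECTION.
    TYPES tt_employee TYPE STANDARD TABLE OF zemployee WITH EMPTY KEY.

    " VULNERABLE: untrusted input is spliced into a dynamic WHERE clause
    " and no authorization check precedes the read. An input of
    "   X' OR NAME <> '
    " produces  NAME = 'X' OR NAME <> ''  and returns every row.
    METHODS read_vulnerable
      IMPORTING iv_name          TYPE string
      RETURNING VALUE(rt_result) TYPE tt_employee.

    " HARDENED: authority check first, then static Open SQL with a host
    " variable, which the database interface binds as a parameter
    " instead of parsing it as SQL.
    METHODS read_hardened
      IMPORTING iv_name          TYPE string
      RETURNING VALUE(rt_result) TYPE tt_employee
      RAISING   lcx_no_authority.

    " When the clause really must be dynamic (here the caller chooses
    " the column), validate the column name and quote the value with
    " CL_ABAP_DYN_PRG instead of trusting either string.
    METHODS read_dynamic_safe
      IMPORTING iv_column        TYPE string
                iv_value         TYPE string
      RETURNING VALUE(rt_result) TYPE tt_employee
      RAISING   lcx_no_authority cx_abap_invalid_name.
ENDCLASS.

CLASS lcl_employee_reader IMPLEMENTATION.
  METHOD read_vulnerable.
    DATA(lv_where) = |NAME = '{ iv_name }'|.
    SELECT * FROM zemployee INTO TABLE @rt_result WHERE (lv_where).
  ENDMETHOD.

  METHOD read_hardened.
    AUTHORITY-CHECK OBJECT 'Z_EMP_READ' ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_no_authority.
    ENDIF.
    SELECT * FROM zemployee INTO TABLE @rt_result WHERE name = @iv_name.
  ENDMETHOD.

  METHOD read_dynamic_safe.
    AUTHORITY-CHECK OBJECT 'Z_EMP_READ' ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_no_authority.
    ENDIF.
    " check_column_name raises CX_ABAP_INVALID_NAME for anything that is
    " not a syntactically valid column name, so  NAME = '' OR 1=1  cannot
    " pass. quote( ) wraps the value in single quotes and doubles any
    " quote inside it, so the value can never close the literal early.
    DATA(lv_column) = cl_abap_dyn_prg=>check_column_name( iv_column ).
    DATA(lv_where)  = |{ lv_column } = { cl_abap_dyn_prg=>quote( iv_value ) }|.
    SELECT * FROM zemployee INTO TABLE @rt_result WHERE (lv_where).
  ENDMETHOD.
ENDCLASS.
```

Code scanners flag the WHERE clause in read_vulnerable because it is assembled from a method parameter; whether they also report the missing AUTHORITY-CHECK depends on the scanner seeing a user-facing entry point (a report or an RFC-enabled function module) that reaches the read. The hardened methods remove both findings: where a dynamic clause is unavoidable, every fragment of it is either validated against the syntax of the thing it claims to be (check_column_name) or quoted as a literal (quote).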

Automated ABAP code scanning

Suppose an SAP customer is concerned about data loss and therefore needs to ensure that potential ABAP entry points are shut off. Without automation, this is an impossible task.

For example, during large development periods, such as an S/4HANA transition, manually checking every line of custom code for vulnerabilities is impossible. The same goes for checking existing code retrospectively, which may run to millions of lines.

So, what to do then?

Automated code scanning is the answer. By automatically scanning code for specific vulnerabilities retrospectively or during development, SAP teams can be alerted to lines of code that can provide unauthorised access to SAP data.

SAP has its own solution, the SAP Code Vulnerability Analyzer (CVA), which runs as a set of security checks inside the ABAP Test Cockpit (ATC) and is licensed separately. However, as with most SAP native solutions, it has its complexities and limitations, and third-party options are available.

Available third-party solutions

Although several third-party ABAP code scanning solutions are available for SAP teams, here are two market-leading options.

Onapsis

www.onapsis.com

At one time, Virtual Forge CodeProfiler was the go-to product for identifying ABAP code vulnerabilities automatically. Virtual Forge was acquired by Onapsis in 2019, and the ABAP CodeProfiler is now available as part of the Onapsis Security Platform.

Among a wide range of functionalities, CodeProfiler provides automated scanning, automated vulnerability detection, and automated remediation.

SecurityBridge

www.securitybridge.com

Unlike Onapsis, whose platform covers several business-application technologies beyond SAP, SecurityBridge is SAP-specific. Code Vulnerability Analysis is a core component of the SecurityBridge Platform.

The component enables SAP teams to automatically identify and eliminate vulnerable ABAP code both during the development process and retrospectively.

Final word

Whereas ABAP code security used to be a ‘nice to have’, this is no longer the case for SAP customers seeking to maximise the security of sensitive data. External bad actors have refined their SAP skills and know which vulnerabilities to look for. Finding those vulnerabilities and closing them down across a large custom code base is impractical without specialist automation tools.

To learn more about SAP IT automation, see www.legupsoftware.com

Rick Porter

With over two decades of working within the SAP ecosystem, Rick has met and worked with SAP IT professionals from broad backgrounds and experiences. Rick knows the stresses and strains experienced by those managing SAP systems and enjoys bringing these insights and reflections into conversations.