Check out this much-noticed presentation held at the 2013 ASUG Annual Conference. Attendees were pleased and excited by the content that was presented.

1. GM: Automating Code Reviews for Custom ABAP
Applications to Reduce Risk and Lower TCO
Markus Seibel, GM
Dr. Markus Schumacher, Virtual Forge

2. Who we are
Markus Seibel
SAP Security Lead, Adam Opel AG / GM
Rüsselsheim, Germany
Dr. Markus Schumacher
CEO of Virtual Forge
Heidelberg | Weimar | Philadelphia
Twitter: @virtual_forge | Questions: #safercode

3. • SAP CCOE @ GM EMEA
• CPR - Automated Change Management at GM
• Potential Risks from Bad ABAP Code
• ABAP Firewall: Automatic Code Scanning
• Summary
Agenda

4. SAP CCOE @ GM EMEA
• Strengthen SAP CCoE within Business Functions to drive efficiency and
optimization
• Run in-flight programs
• Contribute to GM Global SAP Initiatives

5. LOCATIONS and SCOPE MANAGED

6. EMEA SAP CCOE plays Global
Engagement within the GM Global SAP Program
 Portfolio
 Template
 Plan / Build / Run convergence
Bill of
IT
Bill of
Process
Shared
Governance
Bill of
IT
Bill of
Process
Shared
Governance

7. • SAP CCOE @ GM EMEA
• CPR - Automated Change Management at GM
• Potential Risks from Bad ABAP Code
• ABAP Firewall: Automatic Code Scanning
• Summary
Agenda

8. Conflicting Project Goals
 Goals of project / implementation teams:
 Project budget and go-live date
 Delivered product must work at point of hand-over
 Satisfy the “direct customers“ (e.g. new site)
 Minimize coordination effort where ever possible
(with the customer as well as team-/supplier internally)
 Minimize regression tests
 Scope reductions (classic “not part of our job / contract” discussions)
 Low cost / offshore
 Goals of customer / system owner / CCoE:
 Long term maintainability
 Harmonized processes and “templates”
 Avoiding redundancies
 Low operating costs
 Secure environment
 Quality, Sustainability & no surprises in coding

9. Conflicting Project Goals
 Goals of project / implementation teams:
 Project budget and go-live date
 Delivered product must work at point of hand-over
 Satisfy the “direct customers“ (e.g. new site)
 Minimize coordination effort where ever possible
(with the customer as well as team-/supplier internally)
 Minimize regression tests
 Scope reductions (classic “not part of our job / contract” discussions)
 Low cost / offshore
 Goals of customer / system owner / CCoE:
 Long term maintainability
 Harmonized processes and “templates”
 Avoiding redundancies
 Low operating costs
 Secure environment
 Quality, Sustainability & no surprises in coding
Approaches
• Clone existing ABAP code instead of extending or reusing
existing functionality
• Ignore template, rather clone legacy system where ever
possible
• Quick & dirty, hard-coded
• Cheap resources instead of experienced staff
• Delay progress in order to force customer to accept
unsatisfactory solutions to keep time line
• …
Have you ever wondered, where all the vulnerabilities are
coming from?
An SAP CCoE has to combine two contradicting
goals to make a project really successful:
• Support and manage the project
• “Defend” the system against the project team (!)

10. Automated Change Management
CPR – GM’s Global SAP Change Management
• Custom GM solution for managing SAP Changes
• Similar functionality to ChaRM
• Manages entire change process from ticket creation to Prod
• Tight integration with SAP
• Tracks changes, approvals, create/release transports, etc.
• Ensures compliance (SOX, ITIL, internal, etc.)
• ‘ABAP Firewall’ - static code analysis of ABAP application code
and changes

11. ABAP Firewall
• Tightly integrated with CPR and SAP
• Tests all domains: Security, Compliance, Performance, and Quality
• Very low False Positive rate (<5%)
• Online scanning for development
• Fast scan rate for high volume scanning (>10k loc/sec)
• Complete reporting and audit detail
• Integrated ABAP WB, Eclipse, SAP TMS, Solution Manager, etc.
Virtual Forge CodeProfiler

12. • SAP CCOE @ GM EMEA
• CPR - Automated Change Management at GM
• Potential Risks from Bad ABAP Code
• ABAP Firewall: Automatic Code Scanning
• Summary
Agenda

13. Increased Complexity and Risk
 The Attack Surface of ABAP1 9 9 7

14.  The Attack Surface of ABAP2 0 0 2
Increased Complexity and Risk

15.  The Attack Surface of ABAPSince 2 0 0 7
Increased Complexity and Risk

16. More sophisticated Attackers
– Script Kiddies
 Minor knowledge
 Works with „copy & paste“ and uses public information, programs,
tools, etc. in order to attack / damage computer systems
 Random targets
 Motivation: usually  reputation

17. More sophisticated Attackers
- Professional Attackers
 Highly skilled
 Almost unlimited time and money resources
 Targeted attacks (e.g. Stuxnet)
 Often internal attackers
 Motivation: Industrial espionage, sabotage, …

18. ABAPTM Quality Benchmark
Average number of findings per scan
Security 7,438 1,571
Compliance 2,404 221
Performance 18,277 1,384
Maintainability 12,954 -
Robustness 9,286 710
Total Findings Critical Findings
– 62.5 % probability of an ABAP Command Injection vulnerability
– 100 % probability of defective authorization checks
– 95.83% probability of a Directory Traversal vulnerability
Anonymized data from 60 ABAP code analysis projects / Ø 1.65 Mio. Lines of Code per scan (status: May 2012)
~ 1 critical
security defect
every 1,000 lines
of ABAP code
TOTAL 50,359 3,886

19. Regulatory Compliance
 PCI-DSS (Payment Card Industry Data Security Standard)
CodeProfiler provides more than 30 test cases in order to test for PCI DSS compliance (PCI DSS
Requirements and Security Assessment Procedures, Version 2.0)
 PII (Personally Identifiable Information)
To protect the PII, CodeProfiler has test cases related to the disclosure of critical data ("assets").
Exit points for this domain exist in the following classifications: SAP GUI, HTTP/HTML, FTP, GUI Download,
Files, Return values of RFC enabled function modules. Main purpose of this test domain is to identify data
leaks.
 SOX
CodeProfiler provides more than 30 test cases in order to test for SOX /SOX-EUR compliance (Sarbanes-
Oxley Act). SOX audits rely on IT General Controls (ITGC) to provide a sound technical basis for the
reliability and accountability of business processes. Custom development is relevant for Change
Management, which is in turn relevant for ITGC. Therefore, any changes to program logic are SOX relevant,
if they introduce a potential security issue. ABAP coding practices and standards must ensure that ITGC are
not bypassed by insecure coding. SOX audits must check that appropriate controls are in place that make
sure no relevant security defects exist in ABAP code.

20. • SAP CCOE @ GM EMEA
• CPR - Automated Change Management at GM
• Potential Risks from Bad ABAP Code
• ABAP Firewall: Automatic Code Scanning
• Summary
Agenda

21. Code Governance & Control
Built into the Process
1. Release transport
CodeProfiler
SAP
2. Automatic analysis
of all transports by
CodeProfiler (TMS /
ChaRM) Gatekeeper
Quality
OK?
SAP
Test / QA
SAP
Development
NO: Reject approval
YES: Allow transport
YES: Allow transport3. [Optional] Ask QA for exception (peer review)
Quality
OK?
NO: Reject transport

22. Data and Control Flow Analysis (Patented)
Show only findings that matter
Input (SAP GUI, BSP, RFC, ...)
Dangerous Statement
Software

23. CodeProfiler: Comprehensive Test Scope
s
Security Tests
QA Tests
Security
ABAP™ Command Injection
OS Command Execution
SQL Injection
Broken Authority Checks
Hard-Coded Usernames
...
Performance
Usage of WAIT Command
Usage of SELECT*
Nested Loop
Incomplete Index
...
Data Loss Prevention
Disclosure of Critical Data
Disclosure of Source Code
Maintenance of sensitive data
…
Maintainability & Robustness
Naming Conventions
Nested Macro Calls
Hard-coded Org Units
Insufficient Error Handling
...
CodeProfiler
PATENTED
all rights
reserved
Security Performance Quality

24. Custom Development: Cost of Defects
 Custom ABAP Development Facts
Cost of Defects
Cost of attack or system down
$$$$$
to correct defect in production
$10,000
to correct defect found in QA testing
$1,000
to correct defect during development
$100

25. ABAP Code Scanning - Benefits
Lower Risk
– Detects and support mediation of vulnerabilities
• Cyberattacks
• System Failures
• Data theft/Fraud
• Industrial Espionage
– Tests in-/out-sourced development and 3rd party add-ons.
• Enforces standards for all development deliverables
• Clear and enforceable definition of programming standards
– Ensures all ABAP code changes meet Compliance and
Audit requirements

26. Lower TCO
• Problems are found earlier in SDLC
= Lower cost to mediate defect
• better quality code (maintainability, performance, robustness)
= Lower test and maintenance costs
• Reduced review & testing times
= Faster delivery of new applications
• Automated scanning
= Less use of (expensive) development resources
• Online scan & mediation support for faster resolution
= Less time for corrections and repair
• Better quality code
= Less SAP production system issues
ABAP Code Scanning - Benefits

27. • SAP CCOE @ GM EMEA
• CPR - Automated Change Management at GM
• Potential Risks from Bad ABAP Code
• ABAP Firewall: Automatic Code Scanning
• Summary
Agenda

28. Internal Control Systems -Structure in the ERP Environment
ABAP Security in Context
IT General Controls (ITGC)
Change Management
ABAP Application Code
Business Rules Enforcement
Authentication, Encryption, Authorization,
Logging, Interfaces, Audit…

29. Custom Development: Source of Defects
 Custom ABAP Development Facts
Source of Defects
Little/no technical specifications
Manual/Basic code reviews
Testing focused on functional aspects
External/3rd Party development
Limited/no code change monitoring

30. Custom Development: Business Risks
 Business Risks
Due to Security Defects
Cyberattacks
Data theft/Fraud
Industrial espionage
Loss of image
System failures

31. ABAP Static Code Scanning
 Security and compliance of
SAP® applications
 Performance
 System stability
 Quality standards of internal and external
software development
Benefits of Static Code Scanning
 Business risks
 Maintenance efforts
 Test and correction efforts
 Operating costs
Increase Decrease

32. About BIZEC

33. Meet Markus at the Virtual Forge Booth 2227B
Follow @virtual_forge and ask about #safercode

34. THANK YOU FOR PARTICIPATING
Please provide feedback on this session by
completing a short survey via the event mobile
application.
SESSION CODE: 0610
For ongoing education on this area of focus,
visit www.ASUG.com
Meet Markus at the Virtual Forge Booth 2227B