SAP Code Vulnerability Analyzer

Peter Barker, Product Management


SAP SE, 2020
Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of
SAP. Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or
any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this
presentation or any related document, or to develop or release any functionality mentioned therein.

This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms
directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice.
The information in this presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality.
This presentation is provided without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement. This presentation is for informational
purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this
presentation, except if such damages were caused by SAP’s intentional or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially
from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only
as of their dates, and they should not be relied upon in making purchasing decisions.

© 2020 SAP SE or an SAP affiliate company. All rights reserved. Public 2


The old-fashioned approach: expensive + reactive

1. Somebody builds insecure software (in-house, outsourced, commercial, open source)
2. IT deploys the insecure software
3. Breach or pen test proves our code is bad ($)
4. We convince and pay developers to fix it ($$)



You know the challenge – breaches are increasing

[Chart: World's largest data breaches and hacks, 2009 – 2014 and 2015 – 2019, by year]

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Application security testing solutions at SAP

Dynamic application security testing – find vulnerabilities in the running application
 Manual application penetration testing
 Automated application vulnerability scanning

Static application security testing – find vulnerabilities by analyzing the sources
 Manual source code review
 Automated source code analysis: SAP Code Vulnerability Analyzer (CVA) for ABAP

Finding security issues at design time instead of in production is easier and less expensive!



Enterprise application security best practice from SAP

 SAP Development runs security tests on all SAP applications and code delivered by SAP.
 SAP Development uses SAP CVA to scan more than 500 million lines of ABAP code before delivery to our customers.

SAP internal systems:
 SAP on-premise software development systems: ~8,500
 SAP SE business systems: ~40
 SAP cloud development systems: ~500



SAP Code Vulnerability Analyzer
as a part of the ABAP Test Cockpit (ATC)

Front ends: SAP GUI, Eclipse (ADT), Solution Manager (CCLM extraction, CHARM)

Check categories in the ABAP Test Cockpit (ATC):
 Security (CVA)
 Code robustness
 SAP S/4HANA readiness
 Custom checks
 Unit tests
 Performance
 Usability

The ATC checks the customer code of System A, System B and System C (each >= 7.00) via RFC.



SAP Code Vulnerability Analyzer
Architecture

Roles: ABAP Developer, Quality Expert

Both roles work in the ABAP Workbench (incl. ADT), which comprises the ABAP Editors and Transport Management and calls the ABAP Test Cockpit (ATC).

ATC manages Check Results and Exemptions and runs the Code Inspector Checks, which include the CVA Checks, on the ABAP Source Code.



Demo



Introductory example: SQL injection

Input for street:
  xyz' salary = '1500

Resulting set_expr:
  STREET = 'xyz' salary = '1500'

Resulting statement:
  ... SET STREET = 'xyz' salary = '1500'
How the code analysis works

1. There is an input field
2. There is a potentially dangerous statement
3. There is a data flow between the input field and the dangerous statement

The Code Analyzer is searching for potentially vulnerable statements where the input comes from
untrusted sources. Only such occurrences are reported!
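The street/salary example and the three-step analysis above, as an added illustration that is not code from the presentation or from CVA itself: a minimal taint tracker over constructed ABAP fragments (the table ZADDR, the parameter p_street and the sanitizer call to cl_abap_dyn_prg=>quote are assumptions) that reports check 1112 only when untrusted input reaches the dynamic SET clause.

```python
import re

# Constructed ABAP fragments modelled on the slide (names are assumptions).
VULNERABLE = """
PARAMETERS p_street TYPE string.
DATA set_expr TYPE string.
set_expr = 'STREET = ''' && p_street && ''''.
UPDATE zaddr SET (set_expr) WHERE id = 1.
"""
HARDENED = """
PARAMETERS p_street TYPE string.
DATA set_expr TYPE string.
set_expr = 'STREET = ' && cl_abap_dyn_prg=>quote( p_street ).
UPDATE zaddr SET (set_expr) WHERE id = 1.
"""

SOURCE = re.compile(r"^PARAMETERS\s+(\w+)", re.I)            # 1. input field
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)\.$")                  # 3. data flow
SANITIZER = re.compile(r"cl_abap_dyn_prg=>quote\(\s*\w+\s*\)", re.I)
SINK = re.compile(r"^UPDATE\s+\w+\s+SET\s+\((\w+)\)", re.I)   # 2. dangerous statement


def build_set_expr(street: str, quote: bool = False) -> str:
    """Build the dynamic SET clause; quote=True models cl_abap_dyn_prg=>quote (doubles ')."""
    if quote:
        street = street.replace("'", "''")
    return f"STREET = '{street}'"


def find_sql_findings(abap: str) -> list:
    """Return (line, check_id, variable) for dynamic SET clauses fed by untrusted input."""
    tainted, findings = set(), []
    for no, raw in enumerate(abap.strip().splitlines(), start=1):
        line = raw.strip()
        if m := SOURCE.match(line):
            tainted.add(m.group(1).lower())
        elif m := ASSIGN.match(line):
            # drop sanitized sub-expressions, then see whether tainted data flows into lhs
            lhs, rhs = m.group(1).lower(), SANITIZER.sub("", m.group(2))
            if {t.lower() for t in re.findall(r"\b\w+\b", rhs)} & tainted:
                tainted.add(lhs)
        elif m := SINK.match(line):
            if m.group(1).lower() in tainted:
                findings.append((no, "1112", m.group(1).lower()))
    return findings
```

Running find_sql_findings on VULNERABLE reports line 4; on HARDENED the quote() call breaks the flow and nothing is reported.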



Baseline in ATC – Focus on findings in new or recently changed code

Baseline concept
Baseline management: transfer individual ATC results into the baseline
Options
 suppress all findings (exclude from the ATC result)
 indicate the findings as exempted
 assign the low priority to the findings
The baseline is effective as long as the related code sections remain unchanged

Baseline activities
 Adding/removing individual check results
 Deleting baseline (reset the test system to original state)
More about Working with Baseline in ATC



Priority of each check can be adjusted to match the requirements

• Ability to control the priority of every single finding
• Take into account your own risk and security requirements.
• Possibility of a phased approach, enabling security checks over time to have a higher acceptance by developers.



Use exemption workflow to deal with false positives



Remote code analysis with ATC

One central ATC system (SAP_BASIS >= 7.51) for all security checks in your system landscape
 Remote stubs return a model from custom code
 Check logic is executed on central system
 Check variant is maintained in central system
 New checks are installed on central system
 Exemptions are stored on central system
 Integrated in the development system
→ Minimized administration efforts
→ One quality standard for your whole system landscape

[Diagram: Central Check System (SAP_BASIS ≥ 7.52) running the ABAP Test Cockpit (ATC), connected via RFC to System A, System B and System C (each >= 7.00), whose customer code is checked through remote stubs]

More about Remote code analysis with ATC



Application security products

SAP´s application security offering focuses on the product CVA:

Material   Item      Coding   Blocks of   Pricing metric
7019502    SAP CVA   ABAP     5           Users



Security checks in detail
Overview of available checks

 SQL Injection (ABAP SQL)
 SQL Injection (ADBC)
 Web Exploitability
 Backdoors & Code Injection
 Authorizations
 Security Checks (ABAP)
 Directory Traversal
 Call Injection
 OS Command Injection



Overview of the available checks
- SQL injection (ABAP SQL) -

Manipulation of dynamic ABAP SQL


• Potential manipulation of the dynamic WHERE condition (1101)
• Potential manipulation of a dynamic WHERE condition using the parameter I_FILTER of the object services
method CREATE_QUERY (1122)
• Potential manipulation of the SET clause in the statement UPDATE (1112)
• Potential read performed on an illegal database table in a SELECT statement (1118)
• Potential read performed on an illegal database table in a modifying OpenSQL statement (1120)
• Potential read performed using an invalid secondary database connection in an Open SQL statement (1121)
• Potential read performed on invalid table columns (1114)
• Potential use of illegal columns in a dynamic GROUP BY clause (1116)
• Potential use of illegal columns in a dynamic HAVING clause (1117)
• Read performed on sensitive database table (11G0)
• Write performed on sensitive database table (11G1)



Overview of the available checks
- Backdoors & authorizations -
Weak authorization checks or user administration bypassed
• Hard-coded user name, possibly from undeleted test code or an indication of a back door (0821)
• Hard-coded host name sy-host, possibly from undeleted test code or an indication of a back door (11S1)
• Hard-coded system ID sy-sysid, possibly from undeleted test code or an indication of a back door (11S2)
• Hard-coded client sy-mandt, possibly from undeleted test code or an indication of a back door (11S3)
• System variable sy-xxxx compared with a hard-coded value from forgotten test code or that could indicate a back door (11S4)
• SY-SUBRC not evaluated after the statement AUTHORITY-CHECK (1160)
• SY-SUBRC not evaluated after switchable authorization check (1161)
• AUTHORITY-CHECK with explicit user name (1180)
• AUTHORITY-CHECK with explicitly specified user name sy-uname (1181)
• SY-SUBRC not handled after a security-relevant function was called (1165)
• Static CALL TRANSACTION without or with possibly insufficient authorization check (114A, 114B, 114C, 114D)
• FILTER addition of the statement OPEN DATASET used (1107)
• Potentially missing authorization check in a report (11A1)
• Potentially missing authorization check in an RFC function module (11A2)
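Two of the checks listed above (hard-coded comparisons of sy-uname/sy-host/sy-sysid/sy-mandt, and SY-SUBRC not evaluated after AUTHORITY-CHECK, 1160), as an added simplified detector that is not CVA's own logic; the ABAP sample and its user name are constructed, and the rule that sy-subrc must be referenced in the statement directly following AUTHORITY-CHECK is a simplifying assumption.

```python
import re

# Constructed ABAP fragment (names assumed) containing both patterns.
SAMPLE = """
IF sy-uname = 'DEVELOPER1'.
  " debugging shortcut left behind in production code
ENDIF.
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.
CALL TRANSACTION 'SE38'.
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SM30'.
IF sy-subrc <> 0.
  RETURN.
ENDIF.
"""

# sy-<var> compared (=, <>, EQ, NE) with a character literal
SYSVAR_CMP = re.compile(r"\bsy-(uname|mandt|sysid|host)\s*(=|<>|EQ|NE)\s*'[^']*'", re.I)
AUTH_CHECK = re.compile(r"^AUTHORITY-CHECK\b", re.I)
SUBRC_USED = re.compile(r"\bsy-subrc\b", re.I)
# check IDs as listed on the slide for each hard-coded system variable
CHECK_IDS = {"uname": "0821", "host": "11S1", "sysid": "11S2", "mandt": "11S3"}


def find_backdoor_findings(abap: str) -> list:
    """Return (line, check_id) tuples for the two patterns described in the lead-in."""
    lines = [l.strip() for l in abap.strip().splitlines()]
    findings = []
    for no, line in enumerate(lines, start=1):
        if m := SYSVAR_CMP.search(line):
            findings.append((no, CHECK_IDS[m.group(1).lower()]))
        elif AUTH_CHECK.match(line):
            # 1160: the statement after AUTHORITY-CHECK must evaluate sy-subrc
            following = lines[no] if no < len(lines) else ""
            if not SUBRC_USED.search(following):
                findings.append((no, "1160"))
    return findings
```

On SAMPLE this reports the hard-coded user name on line 1 and the unevaluated SY-SUBRC after the first AUTHORITY-CHECK on line 4; the second AUTHORITY-CHECK is followed by an sy-subrc test and is not reported.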



Availability of SAP Code Vulnerability Analyzer – checking system

• SAP Code Vulnerability Analyzer is available as of:
 − SAP NetWeaver AS ABAP 7.4 Support Package 15 and later releases
 − SAP NetWeaver AS ABAP 7.5, including the new remote check framework with 7.51



CVA: The competition

The ABAP language developers are at SAP.

At SAP we use CVA to check our code.

We have over 200 CVA customers.

Integration: CVA is already in NetWeaver, it just needs to be activated – or is your solution running
elsewhere, say, on a Java engine with all the overhead that it involves?

How does your solution handle updates? CVA’s central scanning approach minimizes the
administrative work required to provide the latest CVA checks.

The number of checks is irrelevant – you need the right checks -> fewer false positives

Small company risk: Will the company still be around in 5 years’ time?



Proof of Concept of SAP CVA
Scan Results: Security Analyses in Extended Program Check



Further information

SAP Code Vulnerability Analyzer
 https://www.sap.com/community/topic/abap-testing-and-analysis.html

Documentation
 http://help.sap.com/abapdocu_740/en/abenabap_security.htm

SAP Community
 https://www.sap.com/community/topic/security.html

Blogs
 https://blogs.sap.com/2017/01/19/code-vulnerability-analyzer-checks/
 One central check system for multiple systems on various releases



Thank you

Peter Barker
SAP Product Management, SAP SE
[email protected]
© 2020 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop
or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time
for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-
looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
