At SAP TechEd10 in Berlin I presented an Expert Lounge session on Security. Some "repeat offenders" turned up from last year and a little crowd of frustrated BPXers looking for hacks gathered over time as well 🙂 People again asked me to share the presentation information and notes to solutions. Here they are.
1st topic: Introduction to Security on SDN….
There is nothing new in the security area this year, except the content on SCN gathered during the time lapse and if you used it as an information source. For those not yet familiar with SDN: Within the Security & Identity Management category you can find a wealth of security related information and usefull tools, such as:
New authorization object S_TABU_NAM controls via the name of the table.
- Requires that S_TABU_DIS (auth group) first fails.
- Performed centrally in FM VIEW_AUTHORITY_CHECK (only..)
- Does not affect redundantly coded authority-checks.
Gotchas:
- SU53 will produce “red herrings” in the last failed check.
- SU24 proposals based on S_TABU_DIS
- Entries in table TSTCA will “auto correct” SU24 in lower release levels.
Guru note:
- Keep an eye out for the "package concept" implications for tables which belong to packages (and might have interfaces!). The developer trace warnings will help you further to heed these warnings...
- Authorization object S_ICF implemented as a client side access to call a target destination, regardless of the function being called.
- Service and RFC connections can be grouped into security zones for client side access to call the destination, regardless of the application used (e.g. CUA, eCATT, CCMS, BPM, SE37, etc...)
- Use case for SolMans is obvious...
4th topic) New trace features-> see Trace
SAP Note 1373111: Improvements to authorization trace.
- Reason codes are provided for sy-subrc.
- Application object disabled for transaction in SU24.
- Application object globally disabled in TOBJ.
- Success against FOR USER construct shown.
SAP Note 543164: Special tracing feature in SAP.
- Population of SU24 via “original data”.
- Application objects and values recorded with context.
- Tip: Use a clean “QAS” system and transfer to DEV.
- Note: This is a guru tool and you must first read the documentation and understand SU24.
5th topic) Patch Tuesday and custom code… New initiative from SAP to plan security related patching on a monthly basis.
- Check your emails for the term "Patch Tuesday"
- Covers SAP code and indirectly customer coding using documented and released SAP API functions.
What about the “black hole” of customer and partner products "in the wild"...?
- QA procedures: Typically only formal checks for signatures.
- Manual reviews: Cumbersome and time consuming.
- Code Inspector: Standard tool with static rules.
- Code Profiler: Guru tool used by SAP on their own code with security focus (commercial product).
Matt Billingham’s recommendations in his Virtual Community Day session from 2009 on The ancient and noble art of code reviews are still worth gold here for sustainability of code quality (beyond security boundaries). A good tool makes developers even better (or less worse from the security perspective of good software... 🙂
