Skip to Content
Author's profile photo Otto Gold

SAP Security for ABAP developers: My way to Security

In every developer`s life the moments come that change your perspective Change the way you build your code, the way you analyze things before building them or what are the post-development activities of yours. (Since I don’t dare to blog for security specialists, I will describe rather simple things without many details so this blog(s series) can be used by the beginners and other not yet security aware folks). In the following lines I will try to name the moments that were important for me and my professional development and how the security perspective fits into the picture. 

Eye opener #1: SAP standard

First eye opener was the vast possibilities and opportunities of using SAP standard DDIC objects, reports and function modules (if you`re interested in my opinion on SAP standard and reusability of code, read other two blogs of mine called: Celebration of the SAP standard code for dummies Celebration of the SAP standard code for dummies, part 2) .

Ok, that is obvious, but after leaving school with only experience with stuff like C++ you`re not really used to do this. STL for C++ is far from the wide SAP standard. Why do I name such obvious thing? It is because that as the time goes I am able to write less and less code on my own and achieve things I want to achieve by calling the SAP standard tools in the right order, with right arguments etc.

This is not relevant to security very much, but it took me years to get rid of my fear of debugging the whole depth of SAP standard code and reuse what already exists heavily. One of my most important pieces of experience with heavily reusing SAP standard is very much connected with the development I am working on right in the last weeks and months – security tools and enhancements.

If you`re a beginner, try this as soon as possible, don’t be afraid, it will speed up your skills very much and will make you a better SAP developer.

Keep in mind that any code monkey can move values from variable to variable. Other things than that makes you a valuable member of the team

Eye opener #2: Performance aspects

Eye opener number two was the performance aspects of the development. When one develops something, he/she decomposes the task into small pieces and builds a method, a report or a function module for each of the pieces. When you do this with your eyes (or brain) closed, you use something like SELECT SINGLE and then call the method in LOOP and performance goes to h…Holywood.

Another obvious fact. But as a developer you do small logical units testing all the time, so you test that method for a single call. Or if you have time or do your job properly, you then test the whole development together to see what happens. Then a slight slowdown can appear. Pfff 0,1 s or 0,2 s makes no difference. But then a situation appears that you transport your development to the test system and then to production system and it stops working. Why? Because there are zillions of records you have to process in the production system, but the number of records processed in DEV and QAS was like thousand times lower. Yes, that was quite an eye opener.

Eye opener #3: Security

And here it comes. Security. The third and the last important “eureka” moment so far was about Security. Why? Simple. How much do you think about the security of your development? How many AUTHORITY CHECKs do you implement? None? Few? I don`t know any developer that would protect his/her development the way the true security consultant would say “hey, good job, very precise” (could be a rivalry, not the bad way of programming, but still…). How many authorization objects do you know? There are hundreds of them, nobody knows all of them (unless you`re the “object search help”…). But one should know at least few: the most important ones, the most critical ones, the ones tight with your favorite application area.

How do you protect your code so it cannot be misused through the debugger?

What do you do to make your code quickly usable by the users, because it is obvious which role does the user needs? (well, you don`t give your users the code but an application, but I know many developers who give users or managers the code, they don`t care about applications or anything which starts with the word “business” like “business case” or “business user”). Do you provide roles for your development or you have to be asked to do that and then ask for days/ weeks to build the roles? Have you ever used SU24, so you provide SU24 proposals for your development?


I don`t want to sound offensive. I know many developers who do most of this or their employers have some processes in place so the workload is split. But not many who do everything I named above (and there is much more to do regarding the secure development). Please don`t feel offended.  There are too many of those who don’t get the underlying concepts or have no experience (or even no initial training), so they don`t do things. That`s why I name the things here.

Another favorite example of mine (personal experience) is about RFCs and workflows. What users do you use for your RFC and workflow scenarios? ALEREMOTE with SAP_ALL? WF-BATCH with SAP_ALL? Careless development cause so much overhead if you want to fix things later (documentation? I will write some after the go-live. Security? Let`s talk about that after the documentation is finished. Sounds familiar?). It causes much vulnerability in your system. Obvious. So start thinking about your processes and ways you and your work team now.

Motivational example: Do you like having cold? I don`t. So I try to eat some fruit and all those things as a daily routine instead of trying spending days out-of-order. And that`s very much the same as with the security. Better safe than sorry.

Cheers Otto

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Juan Reyes
      Juan Reyes
      Conclusion... Research, test and protect

      Nice blog Otto


      Author's profile photo Ian Stubbings
      Ian Stubbings
      Hi Otto

      This is a subject I have been involved in for many months now. Awareness in the developer community is very low but interesting that TechEd features a session on Secure ABAP for the second year running this year...

      Have you coem across CodeProfiler from Virtual Forge yet?


      Author's profile photo Otto Gold
      Otto Gold
      Blog Post Author
      I also think that the awareness is not high enough, so that`s why I wrote this one, have a second part ready on my HDD and thinking about the topics for future articles.
      I am looking forward to TechED, see some friends and now maybe even learn something brand new. Or do you expect an overview only?
      I am going to use the Profiler in few weeks, cool thing, but I am not we discuss that in public. I don`t do marketing when blogging on SCN:))
      Thanks for the comment,
      cheers Otto
      p.s.: are you going to share some of the checks the Profiler performs to help the ABAPers understand?:))
      Author's profile photo Former Member
      Former Member
      Hello Otto,

      Typical blog from you. Precise, educating & most importantly interesting to read!

      During my formative years as an ABAPer(i still consider myself a novice) i was lucky to be part of a mature SAP implementation team. So I can relate to all the points highlighted by you in this blog.


      Author's profile photo Former Member
      Former Member
      Hi Otto

      Nicely summarised and much appreciated as it's rare to find auth. checks already included in programs.

      As a simple security peep, searching ABAP is one of my biggest weaknesses so I'm traeling through handy snippits like this to try to pick up some skills


      Author's profile photo Wouter Peeters
      Wouter Peeters

      Hello Otto and others,

      I am a junior developer always looking to learn more, and at the moment I do not use SU24 and neither do I use authorization objects at the moment. Specific authorization to use a transaction is mostly done by other consultants.

      But I do want to learn more about this, guidelines of using/looking for auth objects that can be used in certain domains and transaction SU24, best practices for RFC user security/roles.

      If you have any good blogs/documents to share that is always welcome 🙂

      Kind regards,