Automatic security code scan of custom ABAP code
All ABAP developers are responsible for creating secure code. But where can an ordinary ABAP developer get help to make sure that the code of their ABAP-based applications does not contain security issues?
Internally, SAP Global IT uses a tool-based approach built on the ABAP Test Cockpit (ATC). ATC itself is a generic cockpit for managing findings; for detecting and prioritizing security findings in ABAP code, SAP Global IT has chosen a third-party product, Virtual Forge CodeProfiler. CodeProfiler is SAP-certified for integration with SAP applications and has been integrated into ATC on a project basis.
It is important to ensure the security and compliance of all developed code. Code scanning is not the only measure: security standards, compliance requirements, and data protection guidelines and rules also have to be adhered to. At SAP, this is enforced through a mandatory "Secure programming training" for developers and the secure programming guide. Before any new application is released for general availability, its source code is validated, and this validation includes the automatic source code scan. The findings are then analyzed (e.g. to identify false positives), prioritized, and fixed where necessary before the application can be published.
We at SAP recommend that our customers support their developers as much as possible in their daily effort to develop secure code. To understand the approach enforced at SAP, see also the presentation "ABAP Custom Code Security" published in November 2012 by SAP Global IT and the SAP Product Management team.