ABAP Test Cockpit (ATC) - Your Way to Secure ABAP Code
The Challenge of Security
To secure an application, all of its components, functions, infrastructure and the related threats must be understood. To break an application, a single flaw in any one component, function or piece of infrastructure may be enough, so ignoring a small security hole can create a big problem for the product and the company.
Firewalls, intrusion detection systems, signatures and encryption alone do not make a secure IT system. Even if the infrastructure is very strong, an application that is weak with respect to security leaves the entire system open to attack.
Entry points for security questions concerning custom-developed ABAP applications
Custom ABAP code can have several entry points for security issues:
- Security bugs: Custom code that was not developed with adequate secure-coding measures gives an attacker an opportunity to attack the system.
- Compliance: Custom code that does not adhere to security standards results in an insecure product that is prone to attack.
- Data protection: This topic falls under compliance. Many countries have their own data-protection rules. Following them makes the product more secure; not following them causes legal issues.
- Quality: Code or a product that does not meet quality standards is prone to attack.
- Malicious coding: Leaving a backdoor in the code poses a serious security threat to the product. Other malicious coding harms the product in the same way.
- Ensuring the security and compliance of custom-developed code is key
- To ensure secure custom-developed ABAP code, a highly automated solution is required
- The solution must also support the developer's requirements in daily work in a convenient way
ABAP TEST COCKPIT
What is it?
- ATC is an ABAP check framework that runs static checks and unit tests for ABAP programs
- ATC is fully integrated into the development environment and the transport tools, with instant navigation, documentation and fix recommendations
What are the benefits?
- ATC is the single point of entry for all static code check tools
- ATC comprises a four-eye-principle exemption process to handle findings effectively
- ATC is fully integrated into the ABAP Workbench with high usability for developers and quality experts
- ATC is not only a check tool but also supports essential QA techniques such as Q-Gates or regression testing in a consolidation system
Architecture overview :
As mentioned earlier, ATC is tightly coupled with the ABAP Workbench (AWB). The AWB contains the ABAP editors, which in turn access the ABAP source code. ATC is launched from these editors and runs Code Inspector (CI) and Extended Program Check (SLIN) checks on the source code. The results of these checks are viewed in the ATC tool, and exemptions for false positives are requested through it as well. ATC is also tightly integrated with the Transport Management System: when a transport is released it automatically undergoes an ATC check, and if an exemption is approved in the consolidation system, the exemption is transported back to the development system so that the finding is no longer shown in the next scan.
Both the developer and the quality expert access ATC for their respective tasks. The next section gives a detailed explanation of the tasks performed by each actor (developer, quality expert, administrator).
ATC in action:
The ABAP Test Cockpit can be initiated via:
- Transactions SE24, SE38, SE80, SE11 etc. (right-click the program, select "Check" and then "ABAP Test Cockpit" to launch ATC)
- Developers can perform static checks and unit tests on their own objects.
- Checks can be scheduled as an automated batch job that runs periodically.
- ATC runs automatically when a developer releases a transport.
- Once the transport reaches the consolidation system, the quality expert can perform a mass check and distribute the results to the respective developers.
Different user roles available for ATC:
A developer's day-to-day activities, and the ATC features that support them:
- Checks code during development and transport release
- Corrects bugs
- Requests exemptions for false-positives
- Starts ATC from the different ABAP Workbench tools: SE80, SE24, SE38, SE11…
- ATC runs automatically during the release of transport requests
- Easy access to the central ATC results in the development systems
- User-centric display of ATC results, including powerful filtering, navigation, re-check…
A quality expert's day-to-day activities, and the ATC features that support them:
- Defines the commonly used check variant that configures ATC
- Monitors the quality of the whole code base by running an ATC scan in the consolidation system and distributes the results to the appropriate developers
- Approves or rejects exemptions raised by developers
- Exemption approval process
- E-mails ATC results to the "responsible" contact person
- Statistics showing aggregation of ATC findings using different criteria
- Execution of ABAP Unit tests
An ATC administrator's day-to-day activities, and the ATC features that support them:
- Configures ATC in development and consolidation systems
- Monitors execution of ATC check runs and regular jobs
- Powerful parallelization engine to run mass tests very effectively
- Restart capability in case of a canceled/crashed ATC run
- Possibility to schedule regular ATC runs
- Powerful monitoring tool and flexible logging
- Distribute ATC results to multiple target systems (e.g. from consolidation to dev. systems)
The diagram below shows an ATC check run for the package "TEST_JAM". Open the package "TEST_JAM" in SE80, right-click the package and select "Check with" -> "ABAP Test Cockpit". Once the ATC run completes, the result list below is shown.
To view the details of a particular finding, select that entry in the result table. When an entry is selected, the details are displayed below it in the following format.
The details section has a link to the documentation, which explains the finding: the reason for it and how to fix the issue. There is also a link to navigate to the code where the issue occurs.
There is also an option to request an exemption for this finding via a link in the same section. How to request an exemption is explained in detail in the next section.
How does ATC work?
ATC scans the code for security bugs. The logic behind this is as follows.
In the example below, the sample code contains a SQL injection bug. ATC first identifies that there is an input field in the code. It then scans for any potentially dangerous statement, in this case the one in line 26. Finally it searches for uses of this input field in the construction of the dangerous statement, here line 11.
Since there is a data flow from the input field to the dangerous statement, ATC reports a SQL injection finding.
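The following report is an added example, not the sample code from the original page, of the source-to-sink data flow just described. It is built on the SAP flight demo table SCARR; the report name ZATC_SQLI_DEMO and the injection payload are constructed for illustration. The vulnerable SELECT concatenates a selection-screen field into a dynamic WHERE clause; the hardened variants replace the dynamic clause with a host variable, or sanitise the value and the column name with the standard class CL_ABAP_DYN_PRG, which the ABAP security documentation recommends for dynamic statements.

```abap
REPORT zatc_sqli_demo.

" Constructed example. Selection-screen fields are the user input that an
" ATC security check treats as a taint source.
PARAMETERS p_name TYPE scarr-carrname.
PARAMETERS p_col  TYPE c LENGTH 30 DEFAULT 'CARRNAME'.

DATA lt_result TYPE STANDARD TABLE OF scarr.
DATA lv_where  TYPE string.

START-OF-SELECTION.

  "--- Vulnerable variant --------------------------------------------
  " The input is concatenated straight into a dynamic WHERE clause. The
  " SELECT with a dynamic condition is the dangerous statement; the flow
  " p_name -> lv_where -> SELECT is what ATC reports as SQL injection.
  " Entering   x' OR carrid <> '   as P_NAME turns the condition into
  "   carrname = 'x' OR carrid <> ''
  " and returns every row of the table instead of one airline.
  lv_where = |carrname = '{ p_name }'|.
  SELECT * FROM scarr INTO TABLE @lt_result WHERE (lv_where).

  "--- Hardened variant 1: no dynamic SQL at all ---------------------
  " A static WHERE clause with a host variable is the preferred fix: the
  " value is passed as data and can never change the statement structure.
  SELECT * FROM scarr INTO TABLE @lt_result WHERE carrname = @p_name.

  "--- Hardened variant 2: dynamic clause with an escaped value ------
  " If the condition really has to be built at runtime, pass the value
  " through CL_ABAP_DYN_PRG=>QUOTE. It wraps the value in single quotes
  " and doubles every single quote inside it, so the payload above
  " becomes the literal  'x'' OR carrid <> '''  and matches nothing.
  lv_where = |carrname = { cl_abap_dyn_prg=>quote( p_name ) }|.
  SELECT * FROM scarr INTO TABLE @lt_result WHERE (lv_where).

  "--- Hardened variant 3: dynamic column name from an allow-list ----
  " A column name supplied by the user cannot be quoted away; restrict it
  " to a known set with CHECK_WHITELIST_STR, which raises an exception
  " for anything not in the list before it can reach the SELECT.
  TRY.
      DATA(lv_col) = cl_abap_dyn_prg=>check_whitelist_str(
                       val       = to_upper( p_col )
                       whitelist = 'CARRID,CARRNAME,CURRCODE' ).
      lv_where = |{ lv_col } = { cl_abap_dyn_prg=>quote( p_name ) }|.
      SELECT * FROM scarr INTO TABLE @lt_result WHERE (lv_where).
    CATCH cx_abap_not_in_whitelist.
      MESSAGE 'Column name not allowed' TYPE 'E'.
  ENDTRY.
```

Running ATC with a check variant that includes the security checks on the vulnerable variant reproduces the source/sink/flow reasoning above: the PARAMETERS statement is the source, the SELECT with the parenthesised dynamic condition is the sink, and the assignment to lv_where is the flow between them. The host-variable form is the one to reach for by default; the CL_ABAP_DYN_PRG methods are for the cases where a dynamic condition or column name is genuinely required.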
The ABAP Keyword Documentation has been enhanced with a new chapter on security:
- Provides an introduction on how to avoid security issues during development
- Provides an overview about typical ABAP security scenarios
- Provides easy to understand ABAP coding examples
- Provides examples how to avoid attack surfaces
The ABAP Test Cockpit exemption process
- Write code
- Run ATC on created program
- Analyze the finding and check the documentation
- Request an exemption ( only if the finding is false positive)
The task of the developer:
- Choose an approver from a list
- Choose a reason for the exemption
- Use the justification field to enter an explanation for the approver
The task of the approver:
- Start transaction ATC
- Choose Exemption Browser from the navigation menu
- Adapt the selection list if required
- Check the message information
- Read through the description
- Run a check on the code to be exempted to see the result
- Validate the provided information
- Decision: Approve, Reject or Return
The task of the developer:
- Mark the entries to be rechecked
- Press Check Again
See the result:
- Green -> no finding any more
- Yellow -> finding still exists
- Red -> new issue created (not in this example)
- ATC is available as part of:
SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 12
SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 05
SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 05
SAP NetWeaver AS ABAP 7.4 and later releases
- SAP Security Code Scan is planned to be available as of:
SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 14
SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 09
SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 09
SAP NetWeaver AS ABAP 7.4 Support Package 05 and later releases
A few things about Security Code Scan:
- It is developed by the team that also creates the ABAP language
- Tightly integrated into the standard infrastructure, so users find it easy to adopt: the UI is the same as the existing AWB
- Already tested and in use by SAP internally for several years
- Tried, Tested and Trusted by customers
- Easy to integrate (pure ABAP) into development landscape
- Separate license required
- One weakness is enough to put your business at risk! Hence we have to be very sure that we don't leave even that one weakness.
- Transfer the knowledge to the developers on how to protect your core business! Securing an application should start with the very first step, coding. Using this tool we can make sure that the code is secure as the developer writes it and releases the request.
- Train the developers to ensure they know the common weaknesses!
- Don't expect that security is a once-in-a-lifetime project; security improvements are part of your daily work! Every day new methods of attacking the system are found, and it is our responsibility to keep ourselves updated on the new kinds of threats.
- Use an automatic tool to analyze your code and get focused on weaknesses!