We recently sat down with SAP Quality Assurance Solutions VP for the Americas Gregory Martini and SAP Quality Assurance Solutions Director Andreas Gloege, to discuss the future of cybersecurity and testing. Read the full blog.
Now, we continue our discussion about the best way to protect your data and applications from threats. Here’s what our experts had to say.
Which solutions are key to understanding the security vulnerability in SAP and non-SAP applications?
AG: Hackers need only one vulnerability to do damage. Our customers run a broad range of SAP and non-SAP applications, so they need solutions that protect both environments. To efficiently scan and protect SAP applications built with the ABAP® programming language, customers will want to use the SAP NetWeaver® Application Server, add-on for code vulnerability analysis.
GM: Yes, and SAP® Fortify by HP helps secure all non-SAP applications, offering a proactive, holistic view of solution quality management and security vulnerability testing using both a static and a dynamic approach.
Can you explain, on a high level, how these applications work?
AG: Static application security testing allows developers to test for vulnerabilities at the very early stages of code development. Then in QA or production mode, SAP products can be used for dynamic security testing – running simulated attacks on web applications or servers.
GM: SAP solutions identify vulnerabilities and recommend repairs. They train developers to avoid a problem, or write to new standards in the future. Since the potential for a breach changes as hackers get more creative, it’s important to rerun dynamic security tests on a regular basis. This is another capability of the SAP solution set. So in a nutshell, our solutions cover the code as it is being written by the developers and can be used for penetration testing of code that is already in production.
Which development languages and environments are supported by SAP security solutions?
What’s the best way for a customer to get an overall view of security scanning results across SAP and non-SAP applications?
AG: The interactive dashboard of the SAP Fortify software security center gives customers a consolidated view of reports and audits, ensuring that they meet both internal and external security and quality mandates..
GM: The security center provides the real-time statistics, data, and information you need to evaluate solution criticality and establish scan timing. You can also track developer performance, including scan frequency and implementation of advised solutions – critical for offsite or contract developers.
Who in an organization would use these solutions?
AG: Multiple roles in an organization are involved with security assessment. At the very early stage, developers run security scanning. The QA team runs the scans on the entire custom code which can include code from internal developers or from outsourced development organizations. Finally, the security team audits and analyzes the security scan results.
GM: Developers check code during the development process. Management can use the solutions to review developer findings, monitor scan frequency, and improve security and functionality. Finally, the security group manages dynamic testing of solutions in production, performing regular penetration testing to protect access to sensitive data.
If they’re applied correctly, are network hardening tactics enough to keep companies’ data repositories secure?
AG: Network and infrastructure security solutions are an important component of overall security, as are role and user authorizations. But network and infrastructure security doesn’t guard against external or internal application security risks.
GM: Organizations spend a significant amount of time and money hardening their networks. But then they surface applications that create holes in the firewalls, exposing internal vulnerabilities. This is why it is important to secure external facing applications. Also, people come and go from companies all the time – only some of them on good terms. Contractors or disgruntled employees could have access to or knowledge of mission-critical code, systems, and data, leaving applications vulnerable inside the firewall. Internal breaches are also significant, although they are much less frequently reported through media. Network hardening tactics can’t help in these cases.
What’s the difference between application security and access security?
GM: Access security enables a company to use pre-established guidelines to set individual users’ authorization to access appropriate business transactions, data, and reports required to do their jobs. It is important to realize that a hacker generally looks at a program with a mindset of how the code can be stretched to access information regardless of the intent of the original programmer. Application security, in contrast, limits inappropriate access to program functions, ensuring that the applications themselves have no code vulnerabilities that could let hackers misuse them. It is important to understand that the best access security approach is not sufficient if a hacker can find a potential security vulnerability in the application and bypass all the access security put in place.
If a customer doesn’t surface any SAP ERP solutions outside of the firewall and has a robust authorization scheme, why is there a need for code vulnerability analysis?
AG: It’s easy for hackers to find a way through firewalls. For example, everybody uses email – and a hacker could get in if you open a hijacked document you believe was sent by your boss. Code vulnerability analysis validates the security of internal applications and proactively ensures code security, protecting the application and its data.
GM: As custom code is developed inside the ABAP language, code can be written around the access rules designed and implemented with standard SAP function. A significant percentage of breaches happen inside the firewall. Code vulnerability analysis ensures that custom code adheres to standard authorization schemes and does not grant access beyond the intention of the program.
How much training and change management is needed to use these solutions?
AG: Our solutions work within the developer’s programming language of choice. No need to learn another program – developers run the scans within their chosen tools. There’s minimal training required.
GM: The solutions themselves drive training and change management. The solutions help correct code as it’s developed, and train developers to write future code with security in mind.
Want to learn more?
Learn more about securing your applications with SAP Fortify by HP or SAP NetWeaver Application Server, add-on for code vulnerability analysis.