Gems in SAP Cloud Platform Security – “Don’t let your Heartbleed, Cloud Platform!”
SAP Cloud Platform is an essential ingredient of SAP’s digital strategy. It is the platform for our customers’ and partners’ transformation journey towards digital business models and thus is of utmost importance for SAP.
And so is security in SAP Cloud Platform!
New Year’s Eve 2011.
Robin Seggelmann, a Germany-based developer, didn’t know at that point that he
was about to become famous a few years later in 2014. At least in some sense…
It was the moment when Seggelmann submitted coding in OpenSSL which,
by mistake, introduced a vulnerability that has later been described as a
“catastrophic” flaw in “Transport Layer Security” (TLS).
OpenSSL is an Open Source project.
“But, hey, isn’t Open Source software more secure per se? The more people review the code, the more secure it will be!”
“It’s unfortunate that it’s used by millions of people, but only very few actually contribute to it,” Seggelmann said in an interview.
Small funding, missing resources. And a bug which went unnoticed for more than two years. A bug which led to “Heartbleed”, impacting business users and private users on the Internet around the globe…
That’s why we at SAP go far beyond merely consuming Open Source Software.
Within our SAP Cloud Platform, we know the benefits of using Open Source very well as we rely significantly on Cloud Foundry. This strategic approach allows developers out there to create new and innovative Cloud Foundry-based applications that run on SAP Cloud Platform. With SAP’s engagement in the Cloud Foundry open source project, the ecosystem, and community around it, it was clear that we also actively contribute to the security of Cloud Foundry.
We do this in different ways:
- Reuse knowledge: Increase the level of security of the components in use
- Share Knowledge: Contribute back into the Open Source community
As the “Heartbleed” example showed: Open Source components can contain vulnerabilities just like any other piece of software could. Reuse knowledge aims on minimizing that risk. At SAP, we follow a professional tool-supported approach for this. It comprises а vulnerability assessment tool and notification service which provides the list of publicly known security vulnerabilities. It is complemented by a program analysis tool that helps developers identify, assess, and mitigate vulnerabilities in the open-source dependencies of Java applications.
With all the expertise we have in-house, contributing back into the Open Source community is another key pillar of increasing the overall security level of Cloud Foundry. Share knowledge bundles a variety of activities in that sense, based on the experience that the team developing on Cloud Foundry gathered. They are the ones who enhanced the central Cloud Foundry identity management service UAA – User Account and Authentication – for enterprise readiness. Their contribution consists of
- contributing code changes for strategic parts, e.g. additional authentication flows, performance improvements, and fixes to security vulnerabilities
- reporting identified vulnerabilities & threats and
- publishing threat models together with the community.
There is one more aspect of Open Source usage with Cloud Foundry for SAP, though. It allows us to Differentiate, as we develop enterprise-grade security features within UAA which remain SAP’s assets. Moreover, we work on implementing a next level of security with self-defending applications. During run-time, the system is able to identify pieces of information which are fed as input and can be compared to accepted structures – dynamic information flow tracking. For this purpose we implement parsers that refuse code execution once they encounter unexpected code tokens.
In a nutshell, we see the combination of enterprise software and Open Source as a brilliant opportunity. Or, as Bernd Leukert, member of the SAP Executive Board responsible for Products & Innovation, put it: “I … see big potential in combining the good of both worlds as well as overcoming the challenges both worlds are facing. Open Source does not equal free software; it is rather focused on community building and participation in communities by contributions.”
“Gems in Cloud Platform Security” is a new series of blogs. It takes you on a tour to discover how security is seamlessly woven into the success of SAP Cloud Platform.
Bernd Leukert’s blog “Open Source – Not a one-way street”
Press release on SAP and Cloud Foundry (2014)
Read other blogs in the “Gems in SAP Cloud Platform Security” series:
Gems in SAP Cloud Platform Security – “FIPS – Encryption is Key”
Gems in SAP Cloud Platform Security – “How to seamlessly integrate with Microsoft and Google”