Security Code Scan Assessment.
To identify security threats and vulnerabilities in partners' products and to gain insight into the security of partner software, the SAP Integration and Certification Center (SAP ICC), together with a third-party vendor, has rolled out a new service called "Security Code Scan Assessment".
Partners can verify that their code meets the SAP standard security checks. The third-party security review is independent of SAP, which protects the partner's intellectual property.
The key benefits of this assessment are identifying security threats and vulnerabilities and reducing the risk of the entire application by detecting the top security flaws, thereby building trusted products for your customers.
As a partner, you are not required to provide your hardware, software or source code. All you need to do is upload the binaries and receive the results.
This service is available as a one-year subscription, during which partners can run any number of scans for that product.
Checks done during the scan:
- Top security flaw checks: cross-site scripting (XSS) check, buffer overflow check, SQL injection check and directory traversal check
- Other critical checks: application business criticality check, CRLF injection, credential management, information leakage, code quality and error handling
- Further checks: confidentiality, integrity and availability impact check, plus an assessment of severity, exploitability and remediation effort
Platforms covered:
- SAP Cloud Platform
- Desktop applications: Java, .NET, etc.
- Web platforms: JavaScript, PHP, Perl, etc.
- Mobile platforms: iOS, Android, etc.
After the successful* assessment, a detailed assessment report will be provided by both SAP and the third-party vendor.
*Successful: to complete the assessment successfully, all very high and high priority issues have to be resolved, or mitigated by the partner's comments.
For more information on the Security Code Scan Assessment, please refer here.