
SAP ABAP Security Code Scan

SAP customers have always worked with SAP partners and ISVs to augment their SAP environment with third-party ABAP add-ons, which customers license directly from SAP partners. The security of these third-party ABAP add-ons is becoming more and more a topic of interest in the licensing process. CIOs and project managers have a long checklist on which security is always at the top, and as solution providers, partners are always being asked, “Is your add-on secure, and has it been assessed by SAP?”

To help partners address this question, the SAP Integration and Certification Center (SAP ICC) has introduced an optional service, ABAP Security Code Scan, for any ABAP add-on that partners certify via SAP ICC.

SAP ABAP Security Code Scan uses the SAP tool CVA (Code Vulnerability Analyzer) to scan the code base, report issues and propose corrections. This aims to help partners troubleshoot their add-ons prior to deployment in a customer environment. However, customers and partners will ultimately still need to verify the add-on in the customer’s individual environment for full due diligence.

Here are some details on what SAP ICC helps partners test in a lab environment. CVA covers the following software security aspects:

  • Manipulation of dynamic Open SQL (Open SQL Injection)
  • Manipulation of SQL statements (Native SQL Injection)
  • Manipulation of dynamically generated ABAP code (ABAP Command Injections)
  • Manipulation in dynamic calls (Call Injections)
  • Injections of operating system commands
  • Potential unauthorized access to directories and files (Directory Traversal)
  • Insufficient authorization checks (user administration bypassed)
  • Potential back doors
  • Possible attacks using Web technologies
  • Further checks
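As an added illustration (not code from the post or from SAP), here is the kind of finding the first check in the list reports: a dynamic Open SQL WHERE clause built from caller input, followed by the quoting fix that CVA recognizes as a sanitization. The report name and the use of the SFLIGHT demo table are assumptions.

```abap
" Added illustration, not from the original post: dynamic Open SQL built
" from caller input, and the hardened forms CVA accepts.
REPORT zcva_demo_open_sql.   " hypothetical report name

DATA: lv_where  TYPE string,
      lt_result TYPE STANDARD TABLE OF sflight.

PARAMETERS p_carrid TYPE s_carr_id.   " value controlled by the caller

" Vulnerable: the input is concatenated into the WHERE condition. A value
" containing a single quote can end the literal and append further
" conditions, so CVA reports "Manipulation of dynamic Open SQL".
lv_where = |carrid = '{ p_carrid }'|.
SELECT * FROM sflight INTO TABLE @lt_result WHERE (lv_where).

" Hardened: CL_ABAP_DYN_PRG=>QUOTE wraps the value in single quotes and
" doubles any embedded quote, so the input can only ever be data.
DATA(lv_quoted) = cl_abap_dyn_prg=>quote( p_carrid ).
lv_where = |carrid = { lv_quoted }|.
SELECT * FROM sflight INTO TABLE @lt_result WHERE (lv_where).

" Better still: a static condition with a host variable needs no dynamic
" token at all and gives CVA nothing to flag.
SELECT * FROM sflight INTO TABLE @lt_result WHERE carrid = @p_carrid.
```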

CVA, as a tool specific to ABAP add-ons, has the following advantages:

Scan efficiently

  • Reduced false-positive rate by dataflow analysis.
  • Scanning directly from within the ABAP development environment with broad range of predefined checks

Developer guidance

  • Detailed help and explanations to all errors and assistance to find the right location for the fix
  • Prioritization of checks: CVA reports issues categorized as Priority 1, Priority 2 and Priority 3.

Integration

  • Integrated into standard ABAP check frameworks, SAP transport system and ABAP Test Cockpit (ATC)


The SAP CVA report run depends on the check variant delivered by SAP as a standard. Below are the variants for SAP ERP and SAP S/4HANA on Premise.

SAP NetWeaver release 7.50 SP3 (SAP ECC 6.0 or above)

  • Security Analyses in Extended Program Check (SLIN)
  • Critical Statements
  • Find Specific Critical Statements
  • Dynamic and Client-Specific Accesses in SELECT
  • Dynamic and Client-Specific Accesses with INSERT, UPDATE, MODIFY, DELETE
  • Use of ADBC Interface
  • Client-Specific Shared Objects methods

SAP S/4HANA on Premise 1809 or above

  • DDIC: DB Tables (Logging Check)
  • Security Checks for ABAP (CVA)
  • Security Checks for BSP (CVA)
  • Critical Statements
  • Find Specific Critical Statements
  • Dynamic and Client-Specific Accesses in SELECT
  • Dynamic and Client-Specific Accesses with INSERT, UPDATE, MODIFY, DELETE
  • Use of ADBC Interface
  • Client-Specific Shared Objects methods
  • Invalid access to CDS Views


Partners who pursue certification are requested to correct and mitigate the Priority 1 and 2 issues reported by CVA, so it is highly recommended to complete the ABAP Security Code Scan before using AAK to assemble your code and starting deployment certification. This prevents rework as much as possible.

To start SAP ABAP Security Code Scan, the major activities to be performed are:

  • Partners contact SAP ICC to set up a service contract
  • An SAP ICC consultant schedules a kick-off meeting to explain the assessment process and activates the CVA license
  • The SAP ICC consultant provides a Cookbook for partners with a step-by-step guide to running the reports
  • Partners correct and mitigate the Priority 1 and 2 issues reported
  • A final CVA report run validates the result

As the deliverable from SAP ABAP Security Code Scan, SAP ICC issues an Assessment Report and marks this achievement along with your ABAP deployment certification in the CSD (Certified Solution Directory).


SAP ICC Contact information: icc-info@sap.com

Useful links

SAP note 1855773 – Security checks for customer-specific ABAP programs

Code Vulnerability Analyzer


3 Comments
  • A great initiative from SAP to (finally) embed code security in their add-on certification progress. Far too often we run into exploitable code vulnerabilities within 3rd party code.

  • Hi,

    Do you have any sample report generated by CVA, so I can show it to our customer?

    Some of them want to see OWASP Top 10 check items on the list; can we have them?

    In addition, we’d like to know the pricing model?

    Thanks