Most companies build their software applications with a focus on functionality and features, so that the product works well in the customer's landscape. Security is often sidelined, and security issues are then among the problems the customer has to face. In industry terms this is the security of the software supply chain, and like any other chain it is only as strong as its weakest link. Major security breaches have happened because of weak security in the software supply chain. SAP would therefore like to help its partners raise the level of security in their software.
There are two aspects to this: a) secure development (programming) practices and b) security code scans (static and dynamic). Security plays a vital role in gaining customers' trust and is a mandatory aspect of any serious software application.
Today, application-layer attacks are the most frequent pattern in confirmed data breaches. At the same time, application security tooling is often difficult for overworked security teams to manage and scale, developers are not empowered to fix security issues, and the tools find only certain classes of software vulnerabilities.
About the Security Code Scan Assessment service provided by SAP ICC:
To identify security threats and vulnerabilities in partner products and to gain insight into the security of partner software, the SAP Integration and Certification Center (SAP ICC), together with a third-party vendor, has rolled out a service called "Security Code Scan Assessment".
Partners can use it to check that their code complies with the SAP Standard Security Policy. The third-party security review is performed independently of SAP, which protects the partner's IP.
Key benefits of this assessment are:
1) Security threats and vulnerabilities are identified at an early phase of development.
2) The risk of the entire application is reduced by detecting the top security flaws, which helps you build a product your customers can trust.
As a partner, all you need to do is upload the binaries and collect the results; we do not require your hardware, your software or your source code.
The service is offered as a one-year subscription under which partners can run an unlimited number of scans (for the particular product and version subscribed) within that year.
Checks done during the scan:
According to the OWASP Top 10 (the 2017 edition, whose ten categories are listed here), the following are the most critical web application security risks and must be taken into account during secure development:
1) Injection (including SQL injection)
2) Broken authentication
3) Sensitive data exposure
4) XML external entities (XXE)
5) Broken access control
6) Security misconfiguration
7) Cross-site scripting (XSS)
8) Insecure deserialization
9) Using components with known vulnerabilities
10) Insufficient logging and monitoring
A few other common weakness classes that arise while developing software (the names follow the CWE weakness taxonomy) are also checked:
- Improper Validation of Array Index
- External Control of File Name or Path
- Stack-based Buffer Overflow
- Use of Inherently Dangerous Function
- Cross-Site Request Forgery (CSRF)
- Download of Code Without Integrity Check
- Indicator of Poor Code Quality
- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
- Incorrect Ownership Assignment
- and others.
All of the above checks are run against the binaries uploaded to the security portal.
Platforms that are covered:
- SAP Business Technology Platform
- Desktop applications: Java, .NET, etc.
- Web platforms: JavaScript, PHP, Perl, etc.
- Mobile platforms: iOS, Android, etc.
After a successful* assessment, a detailed assessment report is provided by both SAP and the third-party vendor.
*Successful: to complete the assessment successfully, all Very High and High priority issues must be resolved, or mitigated with a justification in the partner's comments.
Note: SAP ICC offers this Security Code Scan Assessment service for both ABAP and non-ABAP scans. This blog covers only non-ABAP scans.
For ABAP scans using the CVA (Code Vulnerability Analyzer) tool, please refer to the blog linked below.
For more information on the Security Code Scan Assessment, please refer here.