Application Security Testing for SAP S/4HANA
If you’re reading this blog, you’re probably aware that when I mention the term “SAST” I’m not referring to South African Standard Time. Likewise, if I talk about DAST, that doesn’t mean I’m interested in the organosulfur compound. Rather, I’m referring to Static and Dynamic Application Security Testing – two of the most important pillars for continuously ensuring the security of software applications.
Simply put, when using SAST and DAST, you are testing your developed solution for security deficiencies. The main difference is that with SAST you are looking at the code itself, whereas with DAST you are verifying a running application. Think of it as a food recipe: when scanning code with SAST, you’re checking whether any poison is hidden in the list of ingredients (or whether a combination of ingredients might be toxic). DAST is the equivalent of analyzing the finished meal for toxicity, much as food tasters protected kings and queens in medieval times.
With DAST and SAST being the cornerstones of testing application security, it seems obvious that we at SAP use them to look at our core product SAP S/4HANA. Therefore I would like to provide a little sneak peek behind the curtain at how seriously we go about application security testing for SAP S/4HANA.
Security Testing SAP S/4HANA
Firstly, SAP S/4HANA is the next-generation ERP solution for the intelligent enterprise. Nevertheless, some of the underlying fundamentals of SAP S/4HANA are built on our proven ABAP technology platform. Therefore, a first building block for scanning code is the ABAP Test Cockpit (ATC), which verifies that there are no security issues in the ABAP-based part of the SAP S/4HANA source code.
However, another large part of the SAP S/4HANA solution is not written in ABAP but uses other languages – most prominently our Fiori applications. Built upon the SAPUI5 framework, those have to be scanned using a different technology than the ABAP code scan.
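To illustrate the kind of finding an ABAP security code scan reports, here is an added example that is not code from this post or from SAP S/4HANA itself. The report and its parameter are constructed; SCARR is the standard flight-demo table and cl_abap_dyn_prg is the standard class for securing dynamic programming.

```abap
REPORT zsast_dynamic_where_demo.

" Constructed example: a selection-screen parameter feeds a dynamic WHERE clause.
PARAMETERS p_name TYPE scarr-carrname.

DATA lv_where  TYPE string.
DATA lt_result TYPE STANDARD TABLE OF scarr.

" Vulnerable pattern: the user-supplied value is concatenated straight into the
" dynamic condition. A value containing a single quote changes the structure of
" the clause instead of being treated as data (SQL injection via dynamic WHERE).
" A static security check reports the untrusted data flow from p_name into the
" parenthesized WHERE clause of the SELECT below.
lv_where = |CARRNAME = '{ p_name }'|.
SELECT * FROM scarr WHERE (lv_where) INTO TABLE @lt_result.

" Hardened pattern: cl_abap_dyn_prg=>quote( ) wraps the value in single quotes
" and doubles any quote inside it, so the input can only ever be a literal value.
" Because the data flow now passes through a recognized sanitizer, the scan no
" longer reports this statement.
lv_where = |CARRNAME = { cl_abap_dyn_prg=>quote( p_name ) }|.
SELECT * FROM scarr WHERE (lv_where) INTO TABLE @lt_result.
```

Running the scan on a checked-in report like this is what turns the "poison in the ingredients" analogy into a concrete finding with a line number and a fix.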
Secondly, let’s take a look at testing an application such as SAP S/4HANA dynamically. As a reminder: DAST means testing an application in a running state. This proves a bit more difficult, especially since some of the technologies used in SAP S/4HANA, such as SAPUI5, are not well covered by some of the commercially available solutions on the market. Due to the complexity of SAP S/4HANA (more on that later), we also required a solution that can automate the security testing to a high degree. And, without spoiling too much, we did find a solution which met all of our requirements, and which now enables us to dynamically scan SAP S/4HANA continuously.
Which brings me to the next point: how often do we actually scan SAP S/4HANA for security weaknesses? The answer is relatively simple: always. Not all scans run continuously (though some do), but what can be mentioned in this context is our weekly analysis of both SAST and DAST testing. When you consider that a testing cycle does not consist only of the testing itself, but also of preparing beforehand, analyzing the results afterwards and fixing the issues found, a weekly cycle might strike you as a high frequency. That would be correct, but at SAP we want to ensure that we deliver the most secure version of SAP S/4HANA to our customers.
Securing a highly complex solution
Besides enhancing the security of our SAP products, there is one more important reason to invest in the above-mentioned tests. They are fully built into the daily life of SAP’s developers and hence become a routine part of coding and test activities. This high level of automation and “shift left” approach in the development lifecycle allows early detection of security issues with minimal effort.
And the results from all of the code scanning and dynamic testing mentioned in this post show just how secure SAP S/4HANA really is as a piece of software. Obviously, it’s not possible to disclose any details here, but one thing we can share: SAP S/4HANA is a highly complex software product, with, quite literally, hundreds of millions of lines of code, a four-digit number of different apps, and various technologies and programming languages working together. Now, with more than a decade of experience in the security of SAP solutions, I can confidently say what I have said previously, when working not for SAP directly but for an SAP partner: SAP S/4HANA is one of the most secure products SAP has brought to the market.