Patricia Gomez

Using SAP Code Vulnerability Analyzer to Avoid Vulnerabilities in an ABAP CI/CD Pipeline

There is a significant threat to SAP applications from highly knowledgeable and organized hackers. Onapsis found attackers looking for vulnerable systems just 24 hours after a security flaw was disclosed. A functioning exploit was available within 72 hours. Onapsis identified over 300 exploits targeted at SAP-specific vulnerabilities. Any incursion into a company’s SAP systems risks a data breach, fraud, or outage. It’s vital that they are protected.

As developers, we can help avert disaster by testing our code for vulnerabilities and fixing them. That’s consistent with the DevOps idea of shift-left, where we try to find any issues as early as possible – preferably during development. The aim is to reduce rework later, and save time and money.

In this article, I wanted to share our experience using SAP Code Vulnerability Analyzer (CVA), and a few tips to get you started.

Why SAP Code Vulnerability Analyzer (CVA)?

There are lots of security tools available today. But, as is often the case when we’re talking about ABAP code, tools made for other programming languages aren’t really equipped for the job. (We find the same issue with code deployment and DevOps pipelines, where an SAP-specific option like ActiveControl is required.)

But there is a solution. SAP Code Vulnerability Analyzer (CVA) is a tool that automatically checks your ABAP source code for common vulnerabilities. It’s created by SAP, who use it to analyze more than 500 million lines of ABAP code.

Among other things, CVA looks for:

  • Code injection vulnerabilities, where users could run their own ABAP, operating system, or SQL instructions by entering specially crafted input.
  • Directory traversal vulnerabilities, where users could gain access to files outside the permitted path.
  • Backdoors, which are often the result of usernames or passwords remaining hardcoded in the application after testing.
  • Vulnerability to web-based attacks, including the risk of cross-site scripting and unvalidated URL redirects.

CVA is complementary to any penetration testing and vulnerability scanning you might do on the application as it runs.

Despite the fact that CVA is integrated with ABAP Test Cockpit (ATC), making it easy to set up, CVA seems to have been somewhat neglected by a lot of ABAP developers (like some of the other tools provided by SAP for developers, such as ABAP Unit).

Building a process around CVA

Using CVA, developers can check their code for vulnerabilities. As well as being a DevOps-friendly tool, this gives developers an opportunity to learn from the identified vulnerabilities to avoid similar problems in the future.

As a standard part of your ABAP development workflow, CVA should ideally be run by the developer once their changes are done but before the code is peer reviewed. Even better, you can take the burden away from developers – and avoid the problem of them simply forgetting to use CVA – by making sure CVA is executed automatically as part of an automated CI/CD pipeline. Typically that will happen at a control point in the development system, perhaps when the developer tries to send their transports for approval before deployment to QA.

Creating an automated process that builds in CVA and other aspects of ATC means you can be absolutely sure the tools are always run, and deliberate decisions are being taken based on the results.

Because even in a more automated process you might not always want to try and solve everything CVA finds…

Decide how to manage your results

CVA analyzes the code and classifies the identified vulnerabilities according to their priority. Most vulnerabilities are easy to fix, and in an ideal world, all vulnerabilities would be fixed. However, some vulnerabilities can be hard to address, especially if they occur in a core component of your application that lots of other components depend on. Changes there might require a large amount of regression testing prior to release. Some changes might need the input of a solution architect and the QA team.

That means your team needs to agree how to proceed with the recommendations from CVA. At Basis Technologies, we have a team that comprises the original developer, a senior developer, and an intermediate or junior developer. Obviously if you have a dedicated security team they would also be included. Together, they decide how to address the concerns CVA has highlighted.

It’s possible to take a phased approach, targeting the priority 1s or the code injection risks first, for example. This helps to cope if CVA identifies a substantial number of issues the first time it runs. Some organizations might choose to deploy in phases, too, to avoid delay, especially if vulnerable code is already live.

While CVA shows you where it has identified an issue in the code, you might need to make changes elsewhere too to ensure the code continues to work as intended. In some cases, SAP provides APIs that can be used to fix vulnerabilities.
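As an added illustration of that last point (example code written for this article, not taken from the original post or from SAP), here is the SQL injection pattern CVA flags in a dynamic WHERE clause, followed by the same query hardened with SAP's cl_abap_dyn_prg API. The class name lcl_flight_query is invented; SFLIGHT is the standard SAP demo table.

```abap
" Added example (not from the original post): a dynamic WHERE clause built
" from caller input, first in the form CVA reports as SQL injection, then
" hardened with SAP's cl_abap_dyn_prg API. lcl_flight_query is a made-up name.
CLASS lcl_flight_query DEFINITION.
  PUBLIC SECTION.
    TYPES tt_sflight TYPE STANDARD TABLE OF sflight WITH EMPTY KEY.
    " Vulnerable: column name and value are concatenated unchecked.
    CLASS-METHODS select_unsafe
      IMPORTING iv_field TYPE string iv_value TYPE string
      RETURNING VALUE(rt_result) TYPE tt_sflight.
    " Hardened: column name is checked against an allowlist, value is quoted
    " by the SAP API so it cannot break out of the literal.
    CLASS-METHODS select_safe
      IMPORTING iv_field TYPE string iv_value TYPE string
      RETURNING VALUE(rt_result) TYPE tt_sflight
      RAISING cx_abap_not_in_whitelist.
ENDCLASS.

CLASS lcl_flight_query IMPLEMENTATION.
  METHOD select_unsafe.
    " A value containing a single quote terminates the literal, so whatever
    " follows it becomes part of the condition; the column name is not
    " validated either. This is the finding CVA raises.
    DATA(lv_where) = iv_field && ` = '` && iv_value && `'`.
    SELECT * FROM sflight WHERE (lv_where) INTO TABLE @rt_result.
  ENDMETHOD.

  METHOD select_safe.
    " Only the listed columns are accepted; any other name raises
    " cx_abap_not_in_whitelist before a statement is built.
    DATA(lv_field) = cl_abap_dyn_prg=>check_whitelist_tab(
      val       = iv_field
      whitelist = VALUE string_table( ( `CARRID` ) ( `CONNID` ) ( `PLANETYPE` ) ) ).
    " quote( ) wraps the value in single quotes and doubles any embedded
    " quote, so the input is always treated as one literal.
    DATA(lv_where) = lv_field && ` = ` && cl_abap_dyn_prg=>quote( iv_value ).
    SELECT * FROM sflight WHERE (lv_where) INTO TABLE @rt_result.
  ENDMETHOD.
ENDCLASS.
```

Running ATC with the CVA checks enabled on a program containing select_unsafe reports the dynamic WHERE as an injection finding; select_safe is the shape of fix the reviewer team can accept without an exemption.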

Sometimes there will be exemptions, where you decide a particular CVA recommendation does not apply to you or to a particular part of your code. By adding your exemptions to your baseline, you can stop that issue being flagged again in the future. The peer review feature in CVA ensures that there’s another pair of eyes checking any exemption before it’s added.

Conclusion

Shifting left is important in modern software development because it detects defects early in the delivery process when they are easier and less expensive to fix. As developers we should all be looking to take more ownership of issues like quality and security. Tools like CVA help us to do that by providing SAP’s experience on these issues to developers.

CVA helps you to create and ship robust ABAP code using a tool that is approved by SAP. Because it enables developers to fix their own code and learn from the process, it supports agile and DevOps workflows by shifting quality left. You can even run it automatically every time, with the right set-up. With a relatively small amount of developer effort, CVA helps you enhance security in your application delivery pipeline, and reduce the risk of future outages or losses in your business applications.

For more information on CVA, see SAP’s FAQ here.

      1 Comment
      Thomas Fiedler

      Hello Patricia,

      Very nice blog post about the usage of CVA to prevent ABAP code vulnerabilities. You might also check the blog post from my colleague Daniel Mieg

      https://blogs.sap.com/2020/10/22/ci-cd-tools-for-sap-cloud-platform-abap-environment/

      He shows how you can configure ATC/CVA in a CI Pipeline.

      And by the way: For Cloud development CVA is for free 🙂

      Regards,

      Thomas.