ABAP Code Security Review

Why do you need ABAP Code Security Review?

Assessment of SAP custom code is a must-have if you want to control stability and security of your SAP systems. Every SAP System has vulnerabilities and even backdoors that are left open by developers. A perfectly configured system is a result of great architecture and genius minds combining together Vulnerability and Configuration Management, Access Control and Segregation of Duties and of course Source code Security. Even with the latest security updates, unauthorized access to critical information is still a possible risk. These are probable instances where developers overlook vulnerabilities or there is a genuine possibility of backdoors injected intentionally at the source code of ABAP, JAVA and HANA platforms.

Analysis of 3000 vulnerabilities in SAP

2012 HackTivity. Top 10 most interesting vulnerabilities and attacks in SAP

How we can help with ABAP Code Security Review?

We mix manual and automated assessment to provide the best results. We use ABAP code review tool which is a part of ERPScan Security Monitoring Suite for SAP. After that, our team of experts analyze reports, identify false positives and false negatives and perform manual review of the most critical parts and execute complex manual checks which are not possible to automate. During ABAP security code review we also take into account context of system which we analyze. Custom transactions, user right, configuration parameters and all other things which can affect criticality of vulnerability or probability of exploitation. At the final stage we provide custom solutions based on industry guidelines and taking into account all system customizations and business needs.

What we do during ABAP Code Security Review?

The ABAP custom code like any other code can have vulnerabilities, allowing the attacker unauthorized access to critical information and even change data present in the production system.

We review custom code according to the best-practices such as OWASP(owasp.org) and EAS-SEC (eas-sec.org).

During sap code scan we look at the typical types of vulnerabilities such as:

Buffer overflow;
SQL injections;
Cross-Site scripting;
Directory traversal;
Command injections;
etc.

Apart from these typical vulnerabilities we identify ABAP-specific issues such as:

Insufficient authority checks;
Cross-client access;
Generic ABAP function calls;
Hardcoded authentication data;
etc.

These particular risks were analyzed by SAP, based on these results; documents were issued narrating the basic requirements for secure application development required by SAP for ABAP and JAVA.

What you will get after ABAP Code Security Review?

We check your applications source code for compliance within these mentioned requirements as well as other existing vulnerabilities which are equally critical and suggest required patching to rectify issues.

Customers

Awards

Pwnie Awards

“We would like to thank the world-class security experts of ERPScan for the highly qualified job performed to help us assess the security of our pre-release products.” Senior Director, Product Security, Technology and Innovation Platform SAP Labs, Palo Alto, USA

Interested? Request demo now

Select your country:

RESOURCES

Research

Analysis of 3000 vulnerabilities in SAP 2012 HackTivity. Top 10 most interesting vulnerabilities and attacks in SAP

News

Hack Brief: Mobile Manager’s Security Hole Would Let Hackers Wipe Phones Oracle’s software was hacked by interns in an hour, researcher says