EAS-SEC. Secure ABAP development Guide. Introduction

This blog post is the first in a series of articles describing basic security issues in the development of custom programs for business applications (such as ERP, CRM, BI, and others) and methods to avoid or remediate them.

Insecure configurations, which we discussed earlier (see EAS-SEC guide for vulnerability assessment), are not the only way for attackers to affect business application security.

An ERP system, especially one from a vendor such as SAP or Oracle, is usually not typical software; it is more like a framework. On top of it, companies develop their own programs and applications, which can have vulnerabilities. Moreover, custom applications may also contain backdoors left by internal developers or third-party contractors. With this guide, we would like to draw your attention to the importance of secure programming.

An ERP system is an important part of any large company: all business-critical processes (e.g. purchases, payments, logistics, financial planning, product management, HR, etc.) are handled within it. All the information stored in ERP systems is sensitive, and unauthorized access to this data can cause huge damage, up to and including business interruption. This makes protecting customizations through periodic assessment of custom code an essential part of ERP security.

Why development issues are important

Unfortunately, developers usually don’t consider the security of their code a top priority. This fact may lead to serious security violations and thus losses for a company. Espionage, sabotage, fraud – all of this can be the result of exploitation of a single vulnerability.

Custom code for ERP systems can be written in different languages: from narrowly targeted ones such as ABAP for SAP, PeopleCode for PeopleSoft, or X++ for Microsoft Dynamics to widely used ones such as Java and JavaScript. This is far from a complete list. There are many subtleties in business-oriented programming, so it is easy to miss something. At the same time, there is no analog of OWASP (Open Web Application Security Project) for business-oriented programming languages where developers can find information about widespread and critical issues.

There are several reasons to increase the security awareness of developers of enterprise business software. First of all, 71% of developers say that security is not addressed in the software development lifecycle (SDLC) in their companies.

As a result, an organization has a lot of issues that can pose serious security risks. Secondly, it is easier and less expensive to fix a vulnerability during the SDLC than in post-production.

Vulnerability Cost in Stages of SDLC (Source: National Institute of Standards & Technology)

Thirdly, 80% of attacks can be prevented by simply training developers in some secure development basics. Therefore, with this Guide we would like to inform developers in your organization by sharing best practices.

9 most critical types of issues in business applications source code

Below you can find the list of Top 9 critical development issues for business applications. They are ranked from 1 to 9 according to their severity, impact on the business applications, and other metrics. For this list, 3 main parameters were considered:

1. Initial access to exploit the vulnerability;
2. Severity of vulnerability (a potential impact if exploited);
3. Complexity of vulnerability exploitation.

This list is the same for all business-oriented programming languages such as ABAP, PeopleCode, X++, and others. The descriptions are worded to convey the basic principles of development issues for any enterprise application or ERP system.

| Issue | Access | Severity | Simplicity | Examples |
|---|---|---|---|---|
| 1. Injections | Anonymous | High | High | SQL injection, Code injection, OS command injection, XPath injection |
| 2. Critical calls | User | High | Medium | To database, To OS |
| 3. Missing or broken access control checks | User | High | High | Missing authentication check |
| 4. Path traversal | Anonymous | High | High | Directory traversal |
| 5. Modification of displayed content | Anonymous | Medium | High | Stored XSS, Reflected XSS, JavaScript/HTML injection |
| 6. Backdoors | Developer | High | High | Hard-coded credentials |
| 7. Covert channels | User | High | Medium | HTTP calls, Server-side request forgery |
| 8. Information disclosure | Anonymous | High | High | Hard-coded users, Hard-coded passwords, Debug information |
| 9. Obsolete statements | Anonymous | Medium | High | Obsolete table access, Kernel methods |

In the next chapters, we will look at how this framework can be applied to the ABAP language, what the examples of vulnerabilities for each category are, and what control procedures should be implemented to prevent each of them.

The ABAP Secure Development Guide

This section will contain a detailed list of controls to ensure secure development of ABAP applications for the SAP NetWeaver platform, distributed among the 9 categories mentioned above. So, this series of articles will be a kind of ABAP code review checklist.

The authors' aim was to make this list as brief as possible while still covering the most critical issues for each category. Of note, these checks can be performed in development, testing, and production systems.

As a result, each of the 9 categories includes major controls that must be implemented first to ensure that this particular category is covered.

Besides basic actions aimed at avoiding or remediating development issues, each category contains a “Further steps” subsection describing major guidelines and instructions on what should be done next to increase application security for this particular category. The recommended guidelines are not always mandatory and depend on the specific development case. This approach allows the authors to highlight fundamental principles of secure development, cover all issues, and give complete recommendations on them.

The aim of this Guide is to accumulate authors’ knowledge related to secure development of business applications and to provide simple and clear instructions not only for security specialists, but also for developers and testers on how to securely develop ABAP applications.

In the following articles, we will explain all of these categories in detail to provide a comprehensive guide on SAP custom code security.
