Sunday, January 31, 2010

Secure programming in ABAP


In today’s dangerous cyberspace, where we experience a lot of attacks, it is important to consider how SAP applications written in ABAP are protected. This post introduces some potential security threats to ABAP programs, followed by some best practices for protecting against them.

Threats:
- Password hash attacks - the hash value of a password is calculated outside SAP and compared to the hash value that is stored in SAP.
- Dynamic SELECT statements – if unchecked user input reaches a dynamic clause, an attacker can take over the whole DB and read any table.
- No predefined authority checks in CALL TRANSACTION.
- Executing OS commands – via the CALL 'SYSTEM' statement.
- Viruses - e.g. in files uploaded to SAP application servers.
- Changes in master data.
- Usage of HTTP within BSP and Web Dynpro applications – HTTPS must be used.
- Catching passwords transmitted over HTTP by the GET method – the POST method must be used.
- URL manipulation - attacks on the WAS via the HTTP protocol.
- Folders in the URL - directory traversal is possible.
- Cross-site scripting (XSS) – always check user input, as it might contain malicious code.
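The dynamic SELECT and CALL TRANSACTION threats from the list above, shown beside their hardened forms, as an added example that is not part of the original post; the report name, table SFLIGHT and the selection-screen parameter names are assumptions:

```abap
REPORT z_abap_secure_demo.
" Added example, not code from the original post. Table SFLIGHT and the
" parameter names are assumptions chosen for illustration.

PARAMETERS: p_carrid TYPE s_carr_id,
            p_tcode  TYPE sy-tcode.

DATA: lt_flights TYPE STANDARD TABLE OF sflight,
      lv_where   TYPE string,
      lv_safe    TYPE string.

*--- Vulnerable: user input is glued into the WHERE clause as SQL text -----
* A single quote inside p_carrid ends the literal, so whatever follows is
* interpreted as further conditions and the statement no longer filters
* the rows it appears to.
CONCATENATE 'CARRID = ''' p_carrid '''' INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

*--- Hardened (preferred): static WHERE clause with a host variable ---------
* Open SQL hands p_carrid to the database as a value, never as syntax.
SELECT * FROM sflight INTO TABLE lt_flights WHERE carrid = p_carrid.

*--- Hardened (if the clause must stay dynamic): escape the input first -----
* CL_ABAP_DYN_PRG doubles every single quote, so the whole input stays one
* literal (class available from NetWeaver 7.0 EhP2 onwards).
lv_safe = cl_abap_dyn_prg=>escape_quotes( p_carrid ).
CONCATENATE 'CARRID = ''' lv_safe '''' INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

*--- Vulnerable: CALL TRANSACTION performs no S_TCODE check by itself -------
* Anyone allowed to run this report could start any transaction code.
* CALL TRANSACTION p_tcode.

*--- Hardened: check the start authorization explicitly before calling -----
AUTHORITY-CHECK OBJECT 'S_TCODE'
         ID 'TCD' FIELD p_tcode.
IF sy-subrc <> 0.
  MESSAGE 'No authorization for this transaction' TYPE 'E'.
ENDIF.
CALL TRANSACTION p_tcode.
```

On releases from 7.40 onwards the addition CALL TRANSACTION ... WITH AUTHORITY-CHECK performs the S_TCODE check for you; on older releases the explicit check shown here is the only option.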

Best practices:
- In general, protect the following components of your SAP ABAP application server: RFC connections, system profile parameter files, the Change and Transport System, and table T000 (maintenance of system clients).
- Use the logging framework (TA SLG0, SLG1, SLG2), the change documents functionality (SCDO) and logging of customizing objects and tables (TA SCU3) – logging helps to identify problems, supports auditing, etc.
- Always check the Security Audit Log (BC-SEC) – via TA SM20, SM20N.
- Use the tool RSECNOTE, which checks the security-relevant SAP notes and HotNews that SAP maintains as related notes.
- Secure Storage – use this component to securely store data in the WAS. See TA SECSTORE.
- Trust Manager - tool used when public-key technology is in place with the SAP WAS ABAP server.
- Protect table contents against: export using transports; access using existing generic tools (TA SE11, SE12, SE16, SE17); external DB access (using SQL tools).
- Disable debugging in the Production environment.
- Restrict authorizations for maintaining/executing external OS commands.
- Protect Batch Input sessions – e.g. against unauthorized access to files used by batch input; restrict batch input authorizations.
- Secure Store and Forward mechanism (SSF), a part of the SAP Security Library (SAPSECULIB) – functionality to support digital signatures (ensuring authenticity) and confidentiality of data transmission (encryption).
- Protecting against disclosure of the SAPconnect RFC user – SAPconnect is the tool with which the ABAP stack communicates with external telecommunication services such as FAX, Internet, X.400 and SAPoffice. It uses a non-dialog RFC user of type CPIC to log on to the external system. A proper authorization profile must be given.
- Preventing or logging list downloading – users can access this functionality via the menu option System -> List -> Save as Local file in SAP GUI. The authorization object S_GUI exists to prevent a user from downloading lists.
- Internet Graphics Service (IGS) security – the IGS must be protected by a firewall.
- While loading data into the SAP system (via file upload from the front end, an FTP server or the application server, or via electronic data exchange: XML, RFC, IDoc, SAP XI/PI) use the SAP Virus Scan Interface (SVI) – SAP provides an interface to scan files. This standard interface, called the NetWeaver Virus Scan Interface (NW-VSI), is available for both application server stacks, ABAP and Java, and allows 3rd-party antivirus software to scan the data.

Friday, January 8, 2010

Status and delivery date of patch

In addition to my last post of 2009, which covered terms used in SAP’s release strategies, I would like to introduce a few more terms used mostly in the delivery of SAP patches, especially terms related to the status and delivery date of a patch.


The status can have the following values:
Development: Patch is in development phase
Production: Patch will be produced
Retest: Patch is currently tested internally
Ready for delivery: Patch will be delivered soon (last step)
Delivered: Patch is available for download (e.g. via OSS)


Since nothing is perfect on the first try, the status may change from Production to Retest and back. This can happen several times (e.g. the patch was not retested successfully or side effects are present). Usually this is the reason that the Planned Delivery Date is postponed. The Planned Delivery Date is an estimated date when the patch will be available for download.

Last/first SAP BW notes released at the 2009-2010 year crossing

I was wondering how active SAP support is during the year-end closing caused by the Christmas and New Year’s Eve holidays. So far I have been able to find the following two notes, which seem to be the very last one of 2009 and the very first one of 2010 (of course, only SAP BW notes are taken into consideration here):
The last BW note of 2009:

1369395 - Transformations generated from migration: Repair tools; version no. 6 of this note was released on 29 Dec. 2009.


The first BW note of 2010:
1281430 - DB6: Check notes needed for SAP NW BW system copy to DB6; version no. 6 of this note was released on 5 Jan. 2010.


Thursday, January 7, 2010

SDN launch page

This post is dedicated to SDN. It is supposed to be an SDN launch page containing all important links related to SAP BW/BO/ABAP/NetWeaver/WAS/Basis topics.
Soon there will be a lot of links. I am just starting with BW and its forums.


Monday, January 4, 2010

What year 2009 gave to SDN?

A lot of new things came along during the year. Really, 2009 was very fruitful for SDN. Kindly notice that in this post I no longer distinguish between the different types of community networks. I use the term SDN for all of them: SAP Community Network (SCN), Software Developer Network (SDN), Business Process Expert (BPX), BusinessObjects Community Network (BOC), etc. Let me mention at least a few new initiatives that enriched SDN during the last year:


1. SAP Collaboration Workspace (CW) – a tool to enable collaboration between SAP and its customers and partners. CW is an enterprise social-networking site, powered by Jive Software's Clearspace and its successor Social Business Software 3.0 (SBS). The CW initiative dates back to 2008, when wiki functionality was added to SDN. It evolved into an orchestrated ecosystem with the goal of a fast, easy, global, secure, enterprise IP-protected collaboration solution. In June 2009, SAP and Jive (at the Enterprise 2.0 conference in Boston) announced an agreement that will see SAP's BusinessObjects BI OnDemand software integrated with Jive's community and collaboration platform. So we can expect much more out of these in the future.
Side note: Jive’s Clearspace forum and enterprise wiki functionalities are used in SAP NetWeaver Portal (based on NetWeaver 2004 SPS23). The forum is called SAP Forums (primary components: BC-COM-FOR, XX-PART-JIV-FOR, XX-PART-JIV-WIKI on OSS).
2. Integration of BO into SDN – a new community was born, dedicated to BusinessObjects BI products: SAP BusinessObjects Community (BOC). Just as the BO support portals were absorbed by OSS, the BO communities needed to be under one roof. You can find there plenty of information related to the broad portfolio of BO products.
3. Careers Center – based on the JobTarget platform, it helps employers on the one hand to identify SAP talents worldwide and job seekers on the other hand to show their skills in the SDN environment.
4. SAP Docupedia - Collaboration Workspace from SAP, a documentation wiki for additional content and community contributions. It is a kind of user-written documentation of SAP products. You can see how much better users are at writing the documentation in parallel to the official one at help.sap.com.
5. InnoCentive – represents SAP’s commitment to technology innovation and sustainability. It is a part of InnoCentive, which is a global, online marketplace where organizations in need of innovation (companies, academic institutions, public sector and non-profit organizations) can utilize a global network of over 160,000 of the world’s brightest problem solvers.
6. University Alliances (UAC) – provides connections between university leaders and students, SAP customers and partners, and SAP internal experts. Several universities across the world are involved here.
7. SAP EcoHub – includes SAP service providers’ offerings to customers, an easy way to discover, evaluate and buy partner solutions and services from SAP’s community-powered online solution marketplace.
8. Community Code Gallery – a part of the SDN wiki which allows sharing of code, snippets, tutorials, etc.
9. Best-Built Applications – the official SAP reference for building apps compliant with SAP Business Suite software. It contains all the rules, practices etc. for solutions to meet architectural approaches, standards and industry best practices similar to the ones used by SAP. See an overview in the presentation here. See the guide itself here.
10. Get Active. Stay Active. Build Your Reputation. – SDN is highlighting and showcasing active contributors, no matter how they do it: answering on forums, blogging, mentoring, documenting, wiki-ing, contributing articles and so on. To get started with contributing to SDN see the FAQs.
11. SAP Mentor Program – if you are very good in a particular SAP area, meaning you are very active on all SDN stages, you can be nominated and might later really become an SAP Mentor. See details of the program here, FAQs here.
12. PlaNet Finance Program – another incentive program for active contribution to SDN. For an overview of this program see here. See active top contributors here, top companies here. Here you can even dig into the contributors list based on several filter criteria.
13. SDN Events – the place where you can find all SDN-related events, both regular and virtual, plus recorded ones.
14. BI Best Practices – offers practices helping companies to build up BI strategies. See details here.

For sure there are many more initiatives that I’m not aware of. This is just a small demonstration of how great SDN is.

Sunday, January 3, 2010

4 paths of BI projects

I wish all of you a happy and prosperous New Year 2010 and plenty of, if not kingdom’s then nirvana’s, SAP BW projects. Cheers :-)