Thursday, August 28, 2014

Scanning custom ABAP code for security risks

Just as SAP runs security checks on the standard software it delivers, it offers customers tools to do the same for their own code. The tool is called "SAP NetWeaver Application Server add-on for code vulnerability analysis", also known as Code Vulnerability Analyzer (CVA). It carries out a static analysis of custom ABAP source code in order to reveal possible security risks.

The tool is available in NetWeaver ABAP Stack based deployments starting with version:

7.0 NetWeaver: in EHP2 SP 14 or higher
7.0 NetWeaver: in EHP3 SP 09 or higher
7.3 NetWeaver: in EHP1 SP 09 or higher
7.4 NetWeaver: in SP05 or higher

In order to use the CVA tool, system-wide security checks first need to be enabled with report RSLIN_SEC_LICENSE_SETUP. Afterwards the security checks are available in the standard ABAP code-checking tools: ABAP Test Cockpit (ATC), Code Inspector (SCI), and the extended program check. The option for these checks is usually called "Security Analyses in Extended Program Check".
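To illustrate the kind of pattern a static security scan of custom ABAP code is meant to surface, here is an added example (constructed for this post, not from SAP or the CVA documentation): a dynamic WHERE clause built from a screen parameter, once as written in many custom reports and once hardened with the standard class CL_ABAP_DYN_PRG. The report name, the parameter and the use of the demo table SFLIGHT are assumptions.

```abap
REPORT z_dyn_where_demo.
" Constructed example: a report filters SFLIGHT by a value taken from a
" screen parameter and passes it into a dynamic WHERE clause.
" The field is deliberately wide so that operators fit into it.
PARAMETERS p_carrid TYPE c LENGTH 40.

DATA: lt_flights TYPE TABLE OF sflight,
      lv_where   TYPE string.

" Weak variant: untrusted input becomes part of the SQL text itself.
" A value such as   LH' OR '1' = '1   rewrites the condition and
" returns every row; this is the pattern a code scan should flag.
lv_where = |CARRID = '{ p_carrid }'|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

" Hardened variant: QUOTE( ) wraps the value in single quotes and
" doubles any embedded quote, so the input can only ever be a literal.
lv_where = |CARRID = { cl_abap_dyn_prg=>quote( p_carrid ) }|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).

" Preferred form: when the input is only a value, no dynamic SQL is
" needed at all and the parameter is bound, never interpreted.
SELECT * FROM sflight INTO TABLE lt_flights WHERE carrid = p_carrid.
```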

Note that use of the security check features for custom code is licensed separately and incurs additional costs. Also note that the tool has several limitations; see the SAP Notes below for details.

More information:
1855773 - Security checks for customer-specific ABAP programs
1697494 - Customer Code Scans
1841643 - Customer Security Vulnerability Scans
1949276 - Code vulnerability analyzer: Restrictions
