Just as SAP runs security checks on the standard software it delivers, it offers a tool that lets customers do the same for their own code. The tool is called "SAP NetWeaver Application Server add-on for code vulnerability analysis", also known as Code Vulnerability Analyzer (CVA). It performs a static analysis of custom ABAP source code in order to reveal possible security risks.
The tool is available in NetWeaver ABAP stack based deployments starting with the following versions:
NetWeaver 7.0 EHP2: SP14 or higher
NetWeaver 7.0 EHP3: SP09 or higher
NetWeaver 7.3 EHP1: SP09 or higher
NetWeaver 7.4: SP05 or higher
In order to use the CVA tool, execution of the system-wide security checks first needs to be enabled with report RSLIN_SEC_LICENSE_SETUP. Afterwards the security checks are available in the standard ABAP code checking tools: ABAP Test Cockpit (ATC), Code Inspector (SCI) and the extended program check. The check variant option is usually called "Security Analyses in Extended Program Check".
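To give an idea of what the security checks look for once they are switched on, here is a constructed ABAP example (added to this post, not output of CVA and not code from SAP): user input concatenated into a dynamic WHERE clause, which is the classic SQL injection pattern in ABAP, next to two hardened variants. The report name, the parameter and the use of the demo table SCARR are assumptions made for illustration; cl_abap_dyn_prg=>quote( ) is the standard class method for quoting a value used in dynamic SQL.

```abap
REPORT z_cva_demo.
" Constructed example for illustration, not from the original post or from SAP.
PARAMETERS: p_name TYPE c LENGTH 40.

DATA: lt_carr  TYPE TABLE OF scarr,
      lv_where TYPE string.

" Vulnerable: p_name is placed into the statement unescaped. Input such as
"   LH' OR '1' = '1
" changes the meaning of the query and returns every row of the table.
lv_where = |CARRNAME = '{ p_name }'|.
SELECT * FROM scarr INTO TABLE lt_carr WHERE (lv_where).

" Hardened, preferred form: no dynamic SQL at all, the value is bound by the
" database interface and cannot alter the statement.
SELECT * FROM scarr INTO TABLE lt_carr WHERE carrname = p_name.

" Hardened, when the clause really must be built at runtime: quote the value
" first (adds the surrounding single quotes and doubles any embedded ones).
lv_where = |CARRNAME = { cl_abap_dyn_prg=>quote( p_name ) }|.
SELECT * FROM scarr INTO TABLE lt_carr WHERE (lv_where).
```

Running the "Security Analyses in Extended Program Check" variant over a report like the first SELECT is the kind of finding the add-on is meant to surface; the two later SELECTs show the fixes a reviewer would ask for.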
Note that usage of the security check features for custom code is licensed separately and incurs additional costs. Also note that the tool has several limitations; see the SAP Notes below for details.
More information:
1855773 - Security checks for customer-specific ABAP programs
1697494 - Customer Code Scans
1841643 - Customer Security Vulnerability Scans
1949276 - Code vulnerability analyzer: Restrictions