English | Deutsch | Español

Higher SAP® Security by Running ABAP Code Scans

November 20, 2017 | From Virtual Forge GmbH

Conceptual image of micro circuit. Security concept.jpegIn order to systematically find security vulnerabilities in custom SAP® developments and to correct errors, Krones AG  introduced automated code checks despite of initial doubts. After a two year operating period, the machine and plant manufacturer draws a positive conclusion.

Being an internationally leading manufacturer of packaging and filling technology, Krones is bound to a high quality standard. This is realized by its specialist knowledge, high expenses for research and development, a production utilizing state-of-the-art facilities as well as a worldwide around-the-clock service. The group-wide SAP system represents the digital backbone of the company. In order to comply with the individual requirements of the professional users, the SAP standard is continuously expanded by custom developments which are made in a centralized development department. The requirements are led through an ITIL-based change release process.

In order to systematically find security holes in custom SAP developments and to correct errors, IT officers at Krones planned to introduce an automated code scan which at first did not find resonance with the decision makers. According to Markus Gradl (technology engineer for SAP development at Krones) "they were afraid of the financial and time effort necessary for implementing and maintaining an analysis tool." "But we convinced them that the costs are disproportionate to the potential damages caused by SAP data loss."

Pilot project with surprising results
To gain an impression of the effectivity of automated code analysis, Krones introduced Virtual Forge CodeProfiler for ABAP in a pilot project in 2015. Installation, configuration and the first scan of a chosen SAP development system only took a few hours but delivered astounding results: due to the large amount of custom code (6 million lines of code), an above average amount of code vulnerabilities was detected. Because of those results, the decision makers of Krones were convinced of the necessity of IT-supported analysis of custom ABAP code.

In the beginning, the developers were hesitant: they feared that the actual programming would take longer and that they would be exposed to stronger control during work. "At first, we had to convince them that CodeProfiler for ABAP works with the developers, not against them", stated Markus Gradl. Additionally, not all preset impacts of test cases were applied but rather only those of security test cases. Furthermore, the project managers focused on test cases regarding Mandatory impact which do not occur that often and can be corrected with relatively little effort.

Fixed component of the development process
Two years after its implementation, CodeProfiler for ABAP has become a fixed component of the development process at Krones. It is used directly in the SAP transport management and once a transport is released also in the QA system. By scanning the code whenever it is changed, it is avoided that at the end of an project many corrections have to be made. This would most likely not be feasible due to time constraints. Additionally, every two months, a complete scan of the custom ABAP code is run to determine the current key figures and publish them internally.

It's exactly those key figures that show how successful the use of this tool has been at Krones. Decisive for this are the total amount of findings and the findings per 1,000 lines of code. Markus Gradl : "While the overall number of found vulnerabilities has been heavily reduced since 2015, the amount of custom ABAP code increased by 11 percent in the same time period. This shows that we are heading in the right direction with CodeProfiler." To achieve this, the responsible people put emphasis on rarely giving authorization for security findings but correcting them instead.

Expanding the application step by step
In order to enhance the benefit of CodeProfiler for ABAP, Krones wants to expand its application step by step. While until now only security test cases have been classified as mandatory, this is supposed to be the case for all existing checks soon. Furthermore, there is a plan to activate test cases of the maintainability, robustness and performance areas. Plus, the code checks are supposed to be widened to third party developers – in close cooperation with Virtual Forge: "The cooperation with the advisors is based on partnership. In specific, we have participated in the creation of three test cases", Markus Gradl noted.

Editor: Sibylle Hofmeyer / Peter Schmitz