The Missing Link: Compliance at the Code Level

  • by Andreas Wiegenstein, CTO, Virtual Forge
  • Mark Schumacher, Software Security Expert
  • Sebastian Schinzel, Security Consultant, Virtual Forge
  • October 15, 2008
Establishing security processes, developer training, and tools from day one of a development project initially means higher investment. However, the savings from lower correction costs and a lower risk of cyber attacks on the final product substantially outweigh that initial investment. See some examples of insecure code issues and ways to solve GRC problems at the code level.
Key Concept
Mastering security in SAP landscapes is a big challenge. While roles and authorizations, encryption, and single sign-on are well-established practices, security issues at the code level are often neglected. Bad code can lead to vulnerabilities such as backdoors, elevation of privileges, and data manipulation. This in turn can lead to violations of regulations such as Sarbanes-Oxley, Payment Card Industry Data Security Standard, and data protection laws.

Bad code can lead to compliance violations. What’s bad code? Many SAP customers develop vast amounts of custom code (e.g., in the HCM, Financials, or retail area). That can lead to severe issues:

  • Experience shows that such code usually contains flaws and bugs
  • An attacker can use a vulnerability at the code level to bypass role concepts
  • Attackers can call critical transactions, thus impersonating other users
  • Attackers can change or delete critical business data

In this context, bad means that the application shows unexpected and unwanted side effects, namely exposure to attackers (external or internal). GRC tooling does not detect these problems: SAP solutions for GRC, for example, focus primarily on the authorization concept and not on its implementation at the code level.
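The code-level gap described above, as an added illustration that is not from the article or from Virtual Forge: a custom ABAP report that changes vendor bank details, a change that is typically subject to Sarbanes-Oxley controls. The table ZVENDBANK, the authorization object Z_BANK_CHG, the report name and the user name DEVUSER1 are hypothetical. The first FORM shows two defects that a role-based GRC check never sees because they exist only in the code: a hard-coded user name that switches off the authorization check (a backdoor), and an AUTHORITY-CHECK whose result in sy-subrc is never evaluated. The second FORM is the corrected version.

```abap
*&---------------------------------------------------------------------*
*& Added example, not from the article. Hypothetical objects:
*& table ZVENDBANK (LIFNR, IBAN), authorization object Z_BANK_CHG
*& with field ACTVT, the report name, and user name DEVUSER1.
*&---------------------------------------------------------------------*
REPORT z_bank_change_demo.

PARAMETERS: p_lifnr     TYPE lifnr OBLIGATORY,
            p_iban(34)  TYPE c     OBLIGATORY.

START-OF-SELECTION.
  " Only the hardened variant is called; the vulnerable one is kept
  " to show the patterns a code review or static scan must flag.
  PERFORM change_bank_hardened USING p_lifnr p_iban.

*----------------------------------------------------------------------*
* Vulnerable variant: bypasses the role concept at the code level.
*----------------------------------------------------------------------*
FORM change_bank_vulnerable USING iv_lifnr TYPE lifnr
                                  iv_iban  TYPE c.
  " Defect 1: backdoor. For this hard-coded user the check is skipped
  " entirely, so the roles assigned to the user in PFCG are irrelevant.
  IF sy-uname <> 'DEVUSER1'.
    AUTHORITY-CHECK OBJECT 'Z_BANK_CHG'
      ID 'ACTVT' FIELD '02'.      " 02 = change
    " Defect 2: sy-subrc is never evaluated, so a failed check changes
    " nothing. Anyone who can start the report can change any vendor.
  ENDIF.

  UPDATE zvendbank SET iban = iv_iban
                   WHERE lifnr = iv_lifnr.
  COMMIT WORK.
ENDFORM.

*----------------------------------------------------------------------*
* Hardened variant: the check result decides, there is no user-specific
* branch, and the change is committed only after the update succeeded.
*----------------------------------------------------------------------*
FORM change_bank_hardened USING iv_lifnr TYPE lifnr
                                 iv_iban  TYPE c.
  AUTHORITY-CHECK OBJECT 'Z_BANK_CHG'
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    " A type E message here terminates the report before any update.
    MESSAGE 'Not authorized to change vendor bank data' TYPE 'E'.
  ENDIF.

  UPDATE zvendbank SET iban = iv_iban
                   WHERE lifnr = iv_lifnr.
  IF sy-subrc = 0.
    COMMIT WORK.
  ELSE.
    ROLLBACK WORK.
    MESSAGE 'Vendor not found, no change made' TYPE 'E'.
  ENDIF.
ENDFORM.
```

Both defects in the first FORM are invisible to an authorization audit: the user has exactly the roles the role concept prescribes, and transaction SU53 or a role report shows nothing wrong. Only a review of the source, or a static code scan that looks for comparisons against sy-uname and for AUTHORITY-CHECK statements whose sy-subrc is not tested, reveals that the role concept is not enforced.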

We’ll elaborate on the problem and provide examples in the Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI-DSS), and data protection context. We also show how to solve the insecure code problem: by ensuring that the software development process covers security and compliance requirements. Independent testing proves whether those requirements are met. That way, SAP users can effectively close this gap in their SAP landscape.

Andreas Wiegenstein

Andreas Wiegenstein is CTO of Virtual Forge. Since 1991, he has been working successfully as a freelancer and was involved in several projects related to SAP technology and applications (ITS, Web Application Server ABAP, Enterprise Portal [iViews], XI, and many more). He also conducted security analyses of SAP NetWeaver Enterprise Portal as well as other SAP NetWeaver components such as SAP's J2EE engine. He has analyzed many custom applications written in ABAP, .NET, PHP, and C/C++.


Mark Schumacher

Sebastian Schinzel

Sebastian Schinzel has been a developer and security consultant for more than five years in various technology domains. He focuses on application security assessments, as well as secure development of business software applications. At Virtual Forge, Sebastian is involved in research and development, security processes, and security assessments of SAP customer applications. Sebastian has a master’s degree in computer science and frequently publishes his insights in journals and blogs. Sebastian is a frequent speaker at international conferences. You may reach Sebastian via email at editor@grcexpertonline.com.
