SAP Developer, how to manage the ABAP code security?

Security for custom code in SAP has always been underestimated in most installations

Only recently, in the last years, customers are starting to understand the true importance of code security, mostly related to ABAP language in SAP case.

The SAP ABAP developer then becomes a strategic figure in making sure that programs security (especially custom code security) is attended to and correctly managed.

How do you make sure to always be on top of the topic?

Increase internal developers' awareness?

It's essential to define some guidelines to a more secure development, at least in SAP, if possible, by already defining inside the prerequisites analysis documents a section that specifically addresses security and personal data management. Applicative security of the SAP ERP system, but also of all systems in the same family, is based on the controls situated inside the code (in this case inside the ABAP programming language)

The most swift actions to act on can be the ones that follow:

• Schedule meetings aimed at increasing awareness over the topic of safe code development
• Define a list of activities that must be avoided, for example:
  • Hard coded values in the code, for example
    • • Usernames
      • Technical roles names
      • User groups names
• Develop authorization models that differ from the standard authority check. For example, if the user exists in table X then Y
• Missing check on inputs from the user's side
• Missing integration of authority checks, or definition of authority checks without a full definition of field, or usage of a DUMMY mode as constant, or asterisk forcing inside the ABAP code
• Limit or avoid the usage of ABAP statements of administrative nature in programs for end users.
• Adoption of automatic checking systems and secure development even during code programming (see next section)
• Any doubts on how to approach development or on security management inside SAP?

How do you check external developers?

It's essential to stipulate NDA (Non-Disclosure agreement) with all commercial partners, which means also with consultancy agencies that access to the IT systems.

Especially for SAP, it's important to carry out audits on vendors to make sure that all data is cryptographed.

Be provided with tools for developed code checking.

Developed code checking

It's complicated to check the code developed in the company (whether this is developed by internal or external personnel) for many reasons:

• Specific competences in the used language (ABAP or others) are needed, for example:
  • Performance evaluation
  • Security evaluation
  • Code maintaining evaluation
• It's not always possible to have specialists inside the company (and usually it is anti-economic to hire them)
• It is very time consuming to look for and evaluate the above-mentioned elements

It then becomes essential to get a tool specifically built to check all developments. 

Keep in mind that the ABAP system has some peculiarities. Code checking softwares on the market have to be evaluated accordingly to the company needs.

Is it useful to create a profile for developers in the development system?

Developers must only be defined in the development system.

Speaking about developers profiling in the productive system doesn't really make sense

As mentioned in OSS Note 13202 - Security aspects in ABAP programming, SAP hasn't yet suggested to create an "SAP developer authorization concept" (in the development environment)

Accordingly, a developer in the development environment is limitless from an authorization standpoint (a segregation put in place could also be easily breached).

Security Audit of ABAP code? Contact us below! We suggest to define a process of secure management of the developed code.

Blog post originally translated from: https://www.aglea.com/blog/sviluppatore-sap-come-controllare-la-sicurezza-del-codice-abap