One language for programming in the SAP® environment is ABAP® [Advanced Business Application Programming]. Development in general is about the creation of new objects for the modification of existing objects. Security Reviewer analyzes the source code of a group of programs selected by the user.
...
| Table of Contents |
|---|
SAP Extractor
You do not have to download your custom code manually; Security Reviewer will help you with Mass Extractor tool, a program that recursively searches for code, documentation and data dictionary objects and then downloads them in either text (.abap) or HTML format for easy offline browsing and incorporation into technical documentation. Mass Extractor program can download customer code at the push of a button to your local workstation or your system’s NFS. You don’t even need to provide the exact name of the program or object you want to download as you are able to filter objects by author as well.
...
Mass Extractor Source Code is available to invoiced customers only, for security reasons. BAPI
BAPI and IDoc
...
A Business Application Programming Interface (BAPI) is a precisely defined interface providing access to processes and data in business application systems such as R/3. BAPIs are defined as API methods of SAP business object types, available for both JAVA and .NET. A BAPI is implemented as a function module, that is stored and described in the Function Builder, but it can also describe interfaces, implemented outside the R/3 System that can be called in external systems by R/3 Systems.
...
JAVA BAPI (JAVA RFC, JCo Interface, JCA Interface)
JAVA ALE (JCO, JAVA IDoc Class Library)
.NET Connector (NCo) for C#, VB.NET and Managed C++
BAPI GUI Library
Remote Function Calls Components, (RFC SDK, RFC API, RFC Class Library, SAP Logon, Table Factory, Table Tree, Table View and Transaction Controls)
XML IDOCs
SAP SAP Netweaver
...
Each vulnerability detected will be classified using OWASP Top 10 2021, OWASP Top 10 API 2019, WASC, CVSS 3.1, PCI-DSS 4.0 and 3.2.1, BITEC and CWE 4.9 compliance standards.
...
.
SAP HANA
SAP HANA is an in-memory data platform that can be deployed on premise or on demand. At its core, it is an innovative in-memory relational database management system.
The development environment for SAP HANA supports a wide variety of application-development scenarios.
Application developers can choose between the following scenarios when designing and building applications that access an SAP HANA data model:
● Native Application Development Native applications are developed and run in SAP HANA, for example, using just SQLScript or the extended application services provided by the SAP HANA XS platform (or both) 18 PUBLIC SAP HANA Developer Guide Introduction to SAP HANA Development
...
● Non-native Application Development Non-native applications are developed in a separate, external environment (for example, ABAP or Java) and connected to SAP HANA by means of an external application server and a client connection: ADBC, JDBC, ODBC, or ODBO. These more traditional scenarios only use SQL and native SQLScript procedures.
...
Our SAST tool supports all above programming languages, with automatic recognition of SAP Code.
Static Analysis of ABAP Code
Inside your ABAP code, Security vulnerabilities, Dead Code, Best Practices, Resilience and Possible Bugs will be detected performing a Static Application Security Test (SAST). Sample of vulnerabilities categories that can be detected:
Dead Code (defined fields never referenced, code never executed, subroutine never called)
Deprecated, Unsupported or Obsolete Functions
SQL Abuse (SQL Injection, SQL bad commands, System Variables manipulation, etc.)
HTTP Abuse (Header, Session or Cookies manipulation)
HTTP Response Splitting/Tampering, URL Redirect, File Upload, File Download, etc.)
Information Leak, Privacy Violation, Password management/hardened mistakes
Authentication/hardened Credential mistakes
Code Injection, Command Injection, Resource Injection LDAP Injection, XPath Injection
XML Injection, File Injection, Mail Injection, PDF Injection, Cross-Site Scripting
Invalid Process Control, Kernel Calls, Dangerous ABAP commands
Denial Of Service (Connection-exceptions, Flood, XML, Shutdown, Lock, etc.)
Buffer Overflow
Log Forging
Path Manipulation, Directory Traversal
Database Access and Authorization mistakes
Unsecure Communications (missed SSL, Outgoing FTP, Phishing, etc.)
CSRF (Cross-Site Request Forgery)
Misconfiguration Mistakes
Insecure Cryptography
Poor Error handling/Logging, Poor Input Validation
Dynamic Code, Native Code/Library
A A graphical user interface provides navigation through detected vulnerabilities:
Security
...
Dead Code, Best Practices and Possible Bugs
...
Resilience
Security Reviewer SRA (Software Resilience Analysis) provides the assessment of:
Non-Conformance to application resiliency standards and best practices
Security and Privacy issues
Scalability
Risk to your business due to application failures
...
Quality
Further than Security, Deadcode-Best Practices and Resilience analysis, Security Reviewer provides a Quality option, able to calculate JAVA, .NET and ABAP Quality Metrics (part of SAP Analysis Modules). This last set of Metrics is focused to manage ABAP Programs on a Quality point-of-view as well as some significant Performance issue. ABAP useful metrics are calculated, such as: LOC (Lines Of Code, SLOC, Cyclomatic Complexity, Developer Effort, Comment Ratio, #Subroutines, #Parameters, SQL Quality).
...