One language for programming in the SAP® environment is ABAP® [Advanced Business Application Programming]. Development in general is about the creation of new objects for the modification of existing objects. Security Reviewer analyzes the source code of a group of programs selected by the user, not only ABAP one, it can analyze any SAP supported programming language (BAPI, IDoc, Netweaver and HANA® development scenarios included).
SAP Mass Extractor
You do not have to download your ABAP custom code manually; Security Reviewer will help you with Mass Extractor tool, a program that recursively searches for code, metadata, documentation and data dictionary objects and then downloads them in either text (.abap) or HTML format. Mass Extractor program can download customer code at the push of a button to your local workstation or your system’s NFS. You don’t even need to provide the exact name of the program or object you want to download as you are able to filter objects by author as well.
Mass Extractor is a secured version of ZDTP_MASSDOWNLOAD, an open source designed by DaleTech® capable of finding as many items as possible of code, metadata, text and documentation needed to successfully download pieces of work for off-line viewing. And if that wasn't enough, we give you the option of downloading in plain ASCII text (.abap suffixed) or in hyperlinked HTML format.
Mass Extractor can retrieve all the following items automatically whilst scanning program code, or they can be downloaded manually as separate entities:
Program source + the following:
Individual messages
Selection texts
Text elements
Function modules
Database tables and structures
Global classes
Global Classes + the following
Database structures
Database tables
Programs
Function modules
Message classes
Module pools
Screens
Function modules + the following:
Global variable declarations
Global includes
Function includes
Text elements
Individual messages
Database tables and structures
Global classes
Documentation
Database structures and tables
Function groups with all function modules
Message classes
Security Reviewer Mass Extractor runs primarily on SAP R/3 Basis 6.20+. Due to demand, we have also made a legacy version available, that runs on R/3 4.6 systems. A more efficient version is also available for 7.00+ and SAP HANA® systems. Mass Extractor can help simplify code backups, allows technical documentation to be created easily and allows programmers to easily view programs and dictionary objects offline.
The following example shows a SAP integration Configuration. Inside Mass Extractor, you can easily configure which custom code you want to extract:
Security Reviewer Mass Extractor consists in an ABAP module that needs to be installed inside your development or stage server. It recursively searches for code, documentation and data dictionary objects and then downloads them in either text or HTML format for easy offline browsing and incorporation into technical documentation.
Mass Extractor Source Code is available to invoiced customers only, for security reasons.
ABAP git
Security Reviewer support scanning code directly from a git-compatible repo, abapGit Community and SAP versions included. abapGit is a tool to import and export code between ABAP systems. If a developer has a developer key to the system, the developer can perform these actions already. abapGit enables the developer to do mass export/changes/imports but not more than already possible to do manually. It can be used from SAP GUI, from Browser or directly from Static Reviewer Desktop, choosing Analysis Type as Repository.
BAPI and IDoc
A Business Application Programming Interface (BAPI) is a precisely defined interface providing access to processes and data in business application systems such as R/3. BAPIs are defined as API methods of SAP business object types, available for both JAVA and .NET. A BAPI is implemented as a function module, that is stored and described in the Function Builder, but it can also describe interfaces, implemented outside the R/3 System that can be called in external systems by R/3 Systems.
SAP Intermediate Documents (IDOC) are EDI like documents that are asynchronous in nature. IDOCS are often used in sending business documents (for example sales orders) from your SAP system to a trading partner or other system. With RFC calls to IDOC, the business processing is done immediately albeit on a different thread if we make use of the asynchronous methods described above. IDOCS offer additional queuing and retry capabilities. Security Reviewer, further than detecting all potential vulnerabilities for JAVA and .NET languages (C#, Managed C++ and VB.NET), when SAP Analysis Modules option is installed can analyze also the following BAPI/IDOC interfaces:
JAVA BAPI (JAVA RFC, JCo Interface, JCA Interface)
JAVA ALE (JCO, JAVA IDoc Class Library)
.NET Connector (NCo) for C#, VB.NET and Managed C++
BAPI GUI Library
Remote Function Calls Components, (RFC SDK, RFC API, RFC Class Library, SAP Logon, Table Factory, Table Tree, Table View and Transaction Controls)
XML IDOCs
SAP Netweaver
SAP NetWeaver® allows interoperability with JAVA application servers (like IBM® WebSphere) and Microsoft® .NET environments. Rather, it is possible to replace JAVA application servers or replace .NET with NetWeaver Application Server. Security Reviewer, further than detecting all potential vulnerabilities for JAVA and .NET languages (C#, Managed C++ and VB.NET), when SAP Analysis Modules option is installed can also analyze the following:
SAP NetWeaver® Development Infrastructure (NWDI) based applications
SAP NetWeaver® Developer Studio (NWDS) application
Web DynPro® applications
.NET Connector (NCo) for C#, VB.NET and Managed C++
SAP HANA
SAP HANA® is an in-memory data platform that can be deployed on premise or on demand. At its core, it is an innovative in-memory relational database management system.
The development environment for SAP HANA® supports a wide variety of application-development scenarios.
Application developers can choose between the following scenarios when designing and building applications that access an SAP HANA® data model:
● Native Application Development Native applications are developed and run in SAP HANA, for example, using just SQLScript or the extended application services provided by the SAP HANA XS platform (or both)
● Non-native Application Development Non-native applications are developed in a separate, external environment (for example, ABAP or Java) and connected to SAP HANA® by means of an external application server and a client connection: ADBC, JDBC, ODBC, or ODBO. These more traditional scenarios only use SQL and native SQLScript procedures.
Our SAST tool supports all above programming languages, with automatic recognition of SAP Code, SAP Business Pages, Datamart calculationview, XS JavaScript (XSJS), XMLA and SQLScript procedures included.
Static Analysis of ABAP Code
Inside your ABAP code, Security vulnerabilities, Dead Code, Best Practices, Resilience and Possible Bugs will be detected performing a Static Application Security Test (SAST). Sample of vulnerabilities categories that can be detected:
Dead Code (defined fields never referenced, code never executed, subroutine never called)
Deprecated, Unsupported or Obsolete Functions
SQL Abuse (SQL Injection, SQL bad commands, System Variables manipulation, etc.)
HTTP Abuse (Header, Session or Cookies manipulation)
HTTP Response Splitting/Tampering, URL Redirect, File Upload, File Download, etc.)
Information Leak, Privacy Violation, Password management/hardened mistakes
Authentication/hardened Credential mistakes
Code Injection, Command Injection, Resource Injection LDAP Injection, XPath Injection
XML Injection, File Injection, Mail Injection, PDF Injection, Cross-Site Scripting
Invalid Process Control, Kernel Calls, Dangerous ABAP commands
Denial Of Service (Connection-exceptions, Flood, XML, Shutdown, Lock, etc.)
Buffer Overflow
Log Forging
Path Manipulation, Directory Traversal
Database Access and Authorization mistakes
Unsecure Communications (missed SSL, Outgoing FTP, Phishing, etc.)
CSRF (Cross-Site Request Forgery)
Misconfiguration Mistakes
Insecure Cryptography
Poor Error handling/Logging, Poor Input Validation
Dynamic Code, Native Code/Library
Each vulnerability detected will be classified using OWASP Top 10 2021, OWASP Top 10 API 2019, WASC, CVSS 3.1, PCI-DSS 4.0 and 3.2.1, BITEC and CWE 4.9 compliance standards. A graphical user interface provides navigation through detected vulnerabilities:
Security
Once the analysis is terminated, you can view and manage the results. You can mark some vulnerabilities as False Positive, Suppress Vulnerabilities, and you can add Notes or change the Vulnerability’ Status.
Dead Code, Best Practices and Possible Bugs
Resilience
Security Reviewer SRA (Software Resilience Analysis) provides the assessment of:
Non-Conformance to application resiliency standards and best practices
Security and Privacy issues
Scalability
Risk to your business due to application failures
Quality
Further than Security, Deadcode-Best Practices and Resilience analysis, Security Reviewer provides a Quality option, 100% compatible with McCabe IQ®, able to calculate JAVA, .NET and ABAP Quality Metrics (part of SAP Analysis Modules). This last set of Metrics is focused to manage ABAP Programs on a Quality point-of-view as well as some significant Performance issue. ABAP useful metrics are calculated, such as: LOC (Lines Of Code, SLOC, Cyclomatic Complexity, Developer Effort, Comment Ratio, #Subroutines, #Parameters, SQL Quality).