Dr. Markus Schumacher
Reliable SAP® Applications
We protect your ABAP™ Code: Security, Compliance, Performance, Maintainability & Robustness
© 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
CONTENTS
1. About Virtual Forge
2. CodeProfiler – Protecting your ABAP™ Code
3. CodeProfiler – Approach and Test Domains
4. Technology Integration (SAP TMS/ChaRM, SAP BI, IBM)
5. CodeProfiler – Certification and References
6. Professional Services
7. Summary & Discussion
1. About Virtual Forge
Virtual Forge GmbH
History & Facts
- Founded in 2001, headquarters in Heidelberg, Germany
- Privately held
- Long-term development & consultancy expertise in the area of
  - SAP® security audits
  - SAP design and code reviews
  - SAP penetration testing
- SAP Trusted Technology Partner
- Unique solution Virtual Forge CodeProfiler (1.0 in 2008)
  - Data and Control Flow Analysis
  - Automated testing of ABAP™, ABAP Objects, BSP, Web Dynpro ABAP
  - Security, Compliance, Performance, Maintainability, Robustness
- Book “Sichere ABAP-Programmierung” (Secure ABAP Programming), SAP Press 2009
  - Leading industry guideline for ABAP development and maintenance
Virtual Forge GmbH
Vision and Promise
Virtual Forge is the leading provider of code security and quality solutions in SAP® environments.
We help our clients as a trusted advisor to
- identify code security & quality gaps,
- prioritize these gaps for mitigation and resolve them,
- significantly improve their SAP environment.
We are able to offer our clients the latest, market-leading expertise through a clear focus on first-class research in SAP code security & quality.
SAP’s internal ABAP™ development uses Virtual Forge CodeProfiler in its security and quality processes. Thus, our clients benefit from first-hand experience from the world’s largest SAP development projects.
2. CodeProfiler – Protecting your ABAP™ Code
Protecting your SAP® applications
Identify, prioritize, and mitigate issues in your ABAP™ Code
Worldwide, more than 176,000 organizations of all sizes and industries depend on SAP solutions and services to run their business, making SAP solutions highly critical.
- More than 90% of SAP applications are written in ABAP.
- Custom development adds specific functionality to applications
  - Often no requirements for non-functional aspects
  - No testing beyond functional testing
  - Consequence: unknown risks in ABAP applications
How we help our Clients
CodeProfiler – delivering a Business Case in key areas
Protection by CodeProfiler
Securing high risk areas in SAP® infrastructures
Data Loss Prevention
Data Loss Schematic
CodeProfiler determines whether critical data leaves the boundaries of a protected SAP environment (asset flow analysis).
[Figure: asset flow analysis. Trusted environment: User, SAP Database, ABAP Program on SAP server. Uncontrolled environment: External Server, File.]
Three simple steps
1. You define critical data (HR data, credit card numbers, etc.).
2. Conduct a CodeProfiler scan against the target application: the results show where critical data is accessed and written to an external context.
3. Review the findings, assess the risk, and mitigate potential backdoors.
3. CodeProfiler – Approach & Test Domains
CodeProfiler Engine
Data and Control Flow Analysis
CodeProfiler uses data and control flow analysis in combination with a comprehensive rule set that covers many data sources and dangerous ABAP™ statements.
Data flow analysis is a technique that first identifies data sources, i.e. points in the code where (external) data is read into variables. It then analyzes whether there are any connections between a data source and a potentially dangerous statement. Any identified connection (data flow) indicates that the dangerous statement is most likely exploitable.
In addition to data and control flow analysis, CodeProfiler applies further sanity tests such as type checks, authority checks, usage of regular expressions, etc. As a result, the findings can be prioritized and the mitigation process becomes more efficient.
CodeProfiler Engine
Data and Control Flow Analysis – Example
Input is read from the HTTP request (1), stored in a variable (2), passed on to another method and variable (3), modified and copied to another variable (4), and finally passed on to a dangerous output function.

  METHOD read.
    DATA: request TYPE REF TO if_http_request.
    DATA: s_html  TYPE string.
    DATA: event   TYPE string.
    " (1) Input: request->get_form_field()
    " (2) Stored in variable s_html
    s_html = request->get_form_field( 'mydata' ).
    " (3) Passed on to another method and variable (s_data)
    CALL METHOD me->process
      EXPORTING
        s_data = s_html.
    RETURN.
  ENDMETHOD.

  METHOD process.
    DATA: s_out TYPE string.
    DATA: out   TYPE REF TO if_bsp_writer.
    " (4) Modified and copied to another variable (s_out)
    CONCATENATE `<b>` s_data `</b>` INTO s_out.
    out = me->get_previous_out( ).
    " Output: passed on to the dangerous function out->print_string()
    out->print_string( s_out ).
  ENDMETHOD.
Test Domain – Security
This domain covers test cases related to classical security defects, i.e. code with hidden side effects that can be misused by an attacker.
Visit http://www.bizec.org for application security risks related to business applications.
Test cases – Examples:
- ABAP Command Injection
- Directory Traversal
- Cross-Site Scripting
- Missing AUTHORITY-CHECK
- Phishing
- SQL Injection
Protection by CodeProfiler
Code Sample: ABAP Command Injection (Data and Control Flow)

  REPORT ZFT.
  DATA: prog(72) OCCURS 0 WITH HEADER LINE.
  DATA: pool(20) TYPE c.
  DATA: lv_text TYPE string.

  PARAMETERS lv_name TYPE string.

  prog = 'REPORT ABAP_CMD_INJ.'. APPEND prog.
  prog = 'FORM MYFORM.'. APPEND prog.
  prog = 'DATA: name TYPE string.'. APPEND prog.
  CONCATENATE `name = '` lv_name `'` INTO lv_text.
  prog = lv_text. APPEND prog.
  prog = 'WRITE : / ''Hello '', name.'. APPEND prog.
  prog = 'ENDFORM.'. APPEND prog.

  GENERATE SUBROUTINE POOL prog NAME pool MESSAGE prog.
  IF sy-subrc = 0.
    PERFORM ('MYFORM') IN PROGRAM (pool) IF FOUND.
  ELSE.
    WRITE : / 'Error in Code'.
  ENDIF.

Data flow: the user input lv_name (PARAMETERS) is concatenated into lv_text, copied into the header line prog and appended to the table body, which GENERATE SUBROUTINE POOL then compiles. Control flow: if generation succeeds (sy-subrc = 0), the generated form is executed via PERFORM ('MYFORM') IN PROGRAM (pool). Any value entered for lv_name that closes the string literal becomes ABAP code in the generated program.

BIZEC APP/11 APP-01 (http://www.bizec.org)
ABAP Command Injection: coding that dynamically creates and executes arbitrary ABAP programs based on user input on a productive system.
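The following is an added example, not CodeProfiler and not code from Virtual Forge: a miniature data-flow analysis in Python that shows the mechanism described in the engine section above and applies it to the three passages that rely on it: the BSP listing (cross-site scripting), the ZFT report (ABAP command injection) and the three-step data loss prevention procedure (critical data written to a file). It tracks variables case-insensitively, uses ABAP's own t[] notation for the body of an internal table so that APPEND, LOOP AT and GENERATE SUBROUTINE POOL see the table contents rather than the header line, and treats method parameters as one flat namespace (a simplification: methods are analysed in source order). The rule regexes, the three sample programs (the first two follow the listings on this page, the third is constructed) and the choice of PA0002 as the "critical" HR table are assumptions made for the demonstration.

```python
import re

# Rule set = data sources + dangerous statements (sinks). Each entry is (regex over
# one statement, label, template); the template maps the captured name to the
# variable carrying the data, "{0}[]" being the body of internal table {0}.
SECURITY_RULES = {
    "sources": [(r"^PARAMETERS\s+(\w+)", "user input (PARAMETERS)", "{0}"),
                (r"^(\w+)\s*=\s*\w+->get_form_field\(", "HTTP form field", "{0}")],
    "sinks": [(r"^GENERATE SUBROUTINE POOL\s+(\w+)", "ABAP Command Injection", "{0}[]"),
              (r"^\w+->print_string\(\s*(\w+)\s*\)", "Cross-Site Scripting", "{0}")],
}
DLP_RULES = {  # "define critical data" (DLP step 1): rows of HR table PA0002 (assumption)
    "sources": [(r"^SELECT\b.*\bFROM\s+pa0002\b.*\bINTO TABLE\s+(\w+)", "HR data (PA0002)", "{0}[]")],
    "sinks": [(r"^TRANSFER\s+(\w+)\s+TO\b", "critical data written to a file", "{0}")],
}

def statements(code):
    """Split ABAP source into statements (terminated by '.'), dropping comment lines."""
    lines = [l.strip() for l in code.splitlines() if not l.lstrip().startswith(("*", '"'))]
    return [s.strip() for s in re.split(r"\.(?=\s|$)", " ".join(lines)) if s.strip()]

def _words(expr):
    """Identifiers used in an expression, ignoring '...' and `...` literals."""
    return re.findall(r"\w+", re.sub(r"'[^']*'|`[^`]*`", " ", expr))

def _propagate(stmt, taint):
    """Copy taint along assignments, CONCATENATE, APPEND, LOOP AT and method parameters."""
    flows = []  # (target variable, names the target is built from)
    if m := re.match(r"^(\w+)\s*=\s*(.+)$", stmt):
        flows.append((m[1], _words(m[2])))
    elif m := re.match(r"^CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", stmt, re.I):
        flows.append((m[2], _words(m[1])))
    elif m := re.match(r"^APPEND\s+(\w+)(?:\s+TO\s+(\w+))?$", stmt, re.I):
        flows.append(((m[2] or m[1]) + "[]", [m[1]]))  # header line -> table body
    elif m := re.match(r"^LOOP AT\s+(\w+)\s+INTO\s+(\w+)", stmt, re.I):
        flows.append((m[2], [m[1] + "[]"]))
    elif re.match(r"^CALL METHOD\b", stmt, re.I):  # actual -> formal parameter (flat namespace)
        flows += [(f, [a]) for f, a in re.findall(r"(\w+)\s*=\s*(\w+)", stmt)]
    for target, names in flows:
        src = next((taint[n.lower()] for n in names if n.lower() in taint), None)
        if not target.endswith("[]"):  # an overwrite kills the old taint; APPEND does not
            taint.pop(target.lower(), None)
        if src:
            taint[target.lower()] = src + [stmt]

def analyze(code, rules):
    """Return [(finding name, path)] for every source-to-sink data flow in `code`."""
    taint, findings = {}, []  # taint: variable -> statements the data travelled through
    for stmt in statements(code):
        _propagate(stmt, taint)
        for rx, label, tmpl in rules["sources"]:
            if m := re.match(rx, stmt, re.I):
                taint[tmpl.format(m[1]).lower()] = [f"source: {label}", stmt]
        for rx, name, tmpl in rules["sinks"]:
            if (m := re.match(rx, stmt, re.I)) and tmpl.format(m[1]).lower() in taint:
                findings.append((name, taint[tmpl.format(m[1]).lower()] + [stmt]))
    return findings

# Constructed sample programs; the first two follow the listings on this page.
BSP_XSS = """
METHOD read.
  DATA: request TYPE REF TO if_http_request, s_html TYPE string.
  s_html = request->get_form_field( 'mydata' ).
  CALL METHOD me->process EXPORTING s_data = s_html.
ENDMETHOD.
METHOD process.
  DATA: s_out TYPE string, out TYPE REF TO if_bsp_writer.
  CONCATENATE `<b>` s_data `</b>` INTO s_out.
  out = me->get_previous_out( ).
  out->print_string( s_out ).
ENDMETHOD.
"""
CMD_INJECTION = """
REPORT ZFT.
DATA: prog(72) OCCURS 0 WITH HEADER LINE, pool(20) TYPE c, lv_text TYPE string.
PARAMETERS lv_name TYPE string.
prog = 'REPORT ABAP_CMD_INJ.'. APPEND prog.
prog = 'FORM MYFORM.'. APPEND prog.
prog = 'DATA: name TYPE string.'. APPEND prog.
CONCATENATE `name = '` lv_name `'` INTO lv_text.
prog = lv_text. APPEND prog.
prog = 'WRITE : / ''Hello '', name.'. APPEND prog.
prog = 'ENDFORM.'. APPEND prog.
GENERATE SUBROUTINE POOL prog NAME pool MESSAGE prog.
PERFORM ('MYFORM') IN PROGRAM (pool) IF FOUND.
"""
HR_EXPORT = """
REPORT zhr_export.
DATA: lt_hr TYPE TABLE OF pa0002, ls_hr TYPE pa0002, lv_file TYPE string.
SELECT * FROM pa0002 INTO TABLE lt_hr WHERE pernr = '00001234'.
OPEN DATASET lv_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
LOOP AT lt_hr INTO ls_hr.
  TRANSFER ls_hr TO lv_file.
ENDLOOP.
"""

if __name__ == "__main__":  # print every flow as the path from source to sink
    for code, rules in [(BSP_XSS, SECURITY_RULES), (CMD_INJECTION, SECURITY_RULES), (HR_EXPORT, DLP_RULES)]:
        for name, path in analyze(code, rules):
            print(name + "\n    " + "\n    -> ".join(path))
```

Each finding is reported with the complete path from the source statement to the sink, which is what a reviewer needs to judge it. Note the two behaviours worth checking in any such tool: assigning a constant to a variable overwrites its taint, so `s = 'x'. out->print_string( s ).` produces no finding, while appending a tainted header line to a table keeps the table body tainted even after the header line is overwritten, which is exactly why the ZFT report is reported although `prog` itself holds a constant when GENERATE SUBROUTINE POOL runs. The toy does not model the sanity tests the page mentions (type checks, validation via regular expressions), so a flow that passes through a proper filter is still reported; that is the part a production analyser uses to prioritize.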
Test Domain – Compliance
This domain introduces test cases related to compliance defects, i.e. coding practices that bypass an important security mechanism in the SAP® standard.
Test cases – Examples:
- Hard-coded User Name (sy-uname)
- Cross-Client Access to Business Data
- Hidden ABAP Code
Test Domain – Performance
This domain includes test cases that identify coding practices that have adverse effects on the performance of an SAP® system.
Test cases – Examples:
- Usage of WAIT Command
- Database Modifications in a Loop
- SELECT Statement in a Loop
- Usage of LIKE Clause
- Missing WHERE Restriction in SELECT Statement
- Nested SELECT Statement
Test Domain – Quality (Maintainability)
This domain contains test cases that analyze the ABAP™ coding for issues that make the code difficult to maintain.
Factors that reduce maintainability include
- coding that is difficult to understand for a developer new to the project,
- coding with a complex structure,
- poor documentation.
Test cases – Examples:
- Empty Block
- Empty Module
- Overlong Module
Test Domain – Quality (Robustness)
This domain provides test cases that check for ABAP™ coding practices which jeopardize the reliable execution of a business application.
An important benefit of having robust code is business continuity: robust code reacts to error conditions in a controlled, reliable and predefined way.
Test cases – Examples:
- Insufficient Error Handling (TRY/CATCH)
- Incomplete CASE Statement
- Recursion (Immediate)
Naming Conventions
Beyond “Maintainability” and “Robustness”, the test group “Code Quality” now also covers the frequently requested check for “Naming Conventions”:
- Application-specific rules
  - different naming conventions per package
  - validity timeframe (from / to)
  - check of legacy and new code without conflicts with the applicable rules
- The naming conventions can be seamlessly integrated into the automated TMS/ChaRM “code firewall”.
CONTENTS
CodeProfiler 3.1
1. Status Quo: Getting Secure
- As developer or auditor
- Analysis of transports
- Batch scheduling (SM37/SM36)
2. TMS/ChaRM Integration: Staying Secure
- Automatic scan of transports (SE10)
- Approval Workflow (enforcement of requirements)
3. Work with Findings: Mitigation
- Finding Manager (review, qualification and correction in SE80)
Predefined Roles, Menus and Authorization Objects
Configuration: Test Group Definition
CodeProfiler Analysis: Packages, individual ABAP™ Object Types, or Transports
Batch Scheduling (SM36/SM37)
Result Navigation
The executive summary report (PDF) contains a prioritized list of all discovered issues. This list provides immediate feedback on current business risks at code level.
Following the executive summary, the full PDF report (or result navigation in the Finding Manager) contains detailed information about each finding, grouped by test cases. Each test case starts with general information about the respective issue:
- Introduction
- Business Risk
- Detailed Explanation
- Example Vulnerability
- Solution in General
- Solution Example
In addition to the general information, the report lists details for all discovered issues.
Working with Scan Results
Finding Manager, Forward Navigation to SE80
CodeProfiler finds and prioritizes Security Issues and other Findings
4. Technology Integration
Integration in Development Process
The integration into the SAP Transport Management System (TMS) enables you to check transports with CodeProfiler automatically before the actual release, on task level as well as transport level (or both). You can then release them or, if required, re-route them to a defined exception handling process.
The automated check before importing code into an existing system (development, consolidation, production) can be carried out in the same way as the check during the release phase. From a technology point of view, it does not make a difference whether one or more SAP systems are connected. CodeProfiler supports the common transport and release mechanisms, such as the Transport Management System (TMS), Change Request Management (ChaRM), the Change and Transport System (CTS), as well as CTS+.
Integration with additional tools such as theGuard! TransportManager by REALTECH, Transport Express by Basis Technologies, or other products is possible.
The Virtual Forge CodeProfiler standard shipment includes a preconfigured SAP workflow (notification and approval workflow) for release, QA and exception processes.
TMS/ChaRM Integration
[Figure: a requirements paper on secure SAP programming (general, ABAP and Java guidelines and specifications, for internal and external development) feeds Development; CodeProfiler acts as TMS gatekeeper between Development (D60), Test/QA (Q60) and Production (P60), all on EhP4; exceptions are routed via QA.]
Approval Workflow
Governance & Compliance in Development Process
[Figure: the developer develops and releases a transport; CodeProfiler parses it. If okay, the transport goes to TMS. If not, a review is requested from QA / the project lead, who either approves the release or rejects it, sending the change back to the developer.]
Options of TMS/ChaRM Integration
A. Workflow Process:
- CodeProfiler allows the transport: the transport is released
- CodeProfiler declines the transport:
  - the developer asks the QA instance via the approval workflow for an exception
  - Yes: the transport will be released (compliance: document exceptions)
  - No: back to development
B. Simplified Process:
- The developer may decide at his own discretion to release the transport although CodeProfiler reported issues
The appropriate approach depends on your requirements:
- Organization (small, large)
- Compliance (four-eyes principle)
- Reliability / Stability
- Speed (fixes, development)
Enforcement of ABAP™ Guidelines
Flexible Definition of Gatekeeper Functionality
TMS/ChaRM Integration (SE10)
High Availability
- CodeProfiler is often used in large system landscapes in order to monitor the entire code base (legacy and new ABAP code)
- To make this more effective, several CodeProfiler instances can now be flexibly assigned to several SAP systems (m x n)
- That way, scans can easily be parallelized and high availability of the code audit infrastructure can be achieved
- The implementation of a large-scale CodeProfiler infrastructure is now simpler and “built-in”
High Availability
n x m relations between CodeProfiler and SAP® system
[Figure: CodeProfiler instances CPSERVER1, CPSERVER2 and CPTMSSERV1 are assigned to SAP D01 and Q01; CPSERVER3, CPSERVER4 and CPTMSSERV2 are assigned to SAP D02 and Q02.]
Dashboard in SAP BI
CodeProfiler is “Ready for Rational”
- Scans of Java applications
- Technical integration
Integration IBM AppScan Source Edition
- Triage of findings in your ABAP™ Code
- Drill-down by vulnerabilities only (all impact levels)
- Drill-down by vulnerabilities (high impact only)
- ABAP™ analysis with data flow, code details and description
5. CodeProfiler – Certification and References
CodeProfiler protects SAP®
Aiming to expand the quality assurance of SAP® software enhancements, SAP® has licensed the testing software CodeProfiler, developed by the ABAP™ programming language security specialist Virtual Forge. This is the first solution on the market that is designed for static analysis of ABAP™ applications with a specific focus on security and compliance tests. CodeProfiler offers SAP® customers that have developed their own ABAP™ code extensive quality assurance.
“Security is important to us and to our customers. It’s good to see that our trusted partner Virtual Forge provides a tool for security test automation. Now all our customers can establish a baseline security level in their ABAP™ code.”
SAP® Executive Board Member Gerhard Oswald (2009)
CodeProfiler is SAP® Certified
- CodeProfiler has successfully completed SAP’s integration certification program.
- This proves that CodeProfiler is an extremely reliable solution for your SAP environments.
- In addition, Virtual Forge is now listed as an official SAP Software Partner.
Linde – Gases Division
Linde Group – Gases Division: “It’s very important for us to maintain full control over our coding. To increase the effectiveness and efficiency of our system development at Linde, we mainly work with external ABAP developers. Ever since we’ve been using CodeProfiler, the developers have become more aware and are delivering better code quality.” Stephan Sachs, Manager Application Security.
CodeProfiler Benefits for Linde
Efficiency: CodeProfiler allows for an automated ABAP analysis that effectively fulfills the quality requirements of Linde and its customers.
Control: With the help of CodeProfiler, Linde can ensure the highest quality standards when cooperating with external ABAP developers.
Governance: CodeProfiler provides automated compliance checks that meet the company’s requirements and process standards. Quality is integrated into the development process and not the result of arbitrary actions.
Cost Savings: CodeProfiler reduces the risk related to malicious code and minimizes the time needed for code inspection and debugging. A quality investment that pays: today, CodeProfiler is an established quality assurance tool at Linde.
SAP® Custom Code Security Service
Powered by Virtual Forge CodeProfiler
6. Professional Services
Virtual Forge Service Portfolio
Virtual Forge supports customers as a “Trusted Advisor” and delivers high quality Professional Services:
- Application audits with the Virtual Forge CodeProfiler
- Review and changes of the development lifecycle
- Implementation of the Virtual Forge Development Guidelines into your development process
- Classroom training “Secure ABAP™ Coding”
- Project-driven audits
- Penetration tests
- Fixing of vulnerabilities
- Coordination of consulting partners
- Set-up of a transparent security and compliance environment
With Virtual Forge as your partner for security and compliance in ABAP development, in small and large system landscapes and projects, you will benefit from a wealth of experience and expert know-how.
7. Summary & Discussion
Feedback is always welcome!
Why should you use CodeProfiler?!
Security, Compliance, Performance, Maintainability, Robustness
- CodeProfiler is the tool of choice for in-depth ABAP™ analyses
- Prioritization helps you to define the mitigation plan
Governance and Compliance in your Development Process
- No single line of code enters your SAP® system without a thorough check (“Code Firewall”)
- Enforcement of security and quality standards for ABAP development
- Controlled roll-out: tighten the scan profile over time in a grace period
- Accountability and compliance: exceptions are documented via the four-eyes principle in the approval workflow
- CodeProfiler can be integrated into popular transport management systems (SAP TMS, Solution Manager ChaRM, Realtech theGuard!, Basis Technologies Transport Express, etc.)
Value Proposition
Cost effectiveness: running safe business processes
- Be prepared for cyber attacks and industrial espionage: prevent security weaknesses and backdoors
- Value for money: control externally supplied ABAP™ code (offshore/nearshore/vendor)
- No investment in your own content needed, no maintenance of content
- State-of-the-art security content in the standard release
- Always up-to-date content with new releases (active research & continuous updates)
Ease of use: check your ABAP while you write it
- Run CodeProfiler as a developer while you write code (like a “spell checker”)
- Run CodeProfiler as a QA manager (like the “editor of a book”)
- Fully integrated in the SAP® standard environment: SE80, TMS/ChaRM
Value Proposition
Being in control: governance & compliance at the process level
- Central control for new ABAP™ code: a “gatekeeper” for code in the development process, governance at the process level (TMS integration)
- Approval workflow: compliance regarding coding standards
Use the standard: CodeProfiler is industry ready
- Auditors (internal / external) use CodeProfiler in company audits
- Customers worldwide use CodeProfiler for QA & Compliance, including SAP®, Siemens, Linde, Munich Re, and many more
- Scan your ABAP anytime, in one run: unparalleled analysis speed of up to 6,000 lines of code per second, results available instantly
- Gartner selected Virtual Forge as Cool Vendor for the SAP Ecosystem 2011
Your questions?
VIRTUAL FORGE
Dr. Markus Schumacher
[email protected]
Speyerer Straße 6
69115 Heidelberg
Germany
Phone: + 49 (0) 6221 86 89 0 - 170
Fax: + 49 (0) 6221 86 89 0 - 101
VIRTUAL FORGE Distributor in Scandinavia
ADSOTECH Scandinavia Oy
[email protected]
Ilmakuja 4 a
02210 ESPOO
Finland
Phone: + 358 9 86 78 820
Fax: + 358 9 80 42 811