
Tracking down risks in customer code

An SAP outage can have serious consequences for Trumpf. The Swabian machine manufacturer therefore pursues targeted measures to keep system operation running smoothly. One of them is the use of Virtual Forge CodeProfiler, which identifies risks in the company's own Abap code.
Sebastian Reim, Trumpf
September 13, 2017
This text has been automatically translated from German to English.

When the SAP system stands still, many of the company's processes stand still with it. That is the situation at Trumpf, a leading global supplier of machine tools, lasers and electronics for industrial applications.

This is because the high-tech group, headquartered in Ditzingen near Stuttgart, runs its central SAP ERP system with a single client, serving all international production and development sites as well as a large part of the sales organization.

Several internal initiatives

To achieve high reliability of SAP system operation, Trumpf launched several internal initiatives, including harmonization of SAP authorization roles (SAP SafeT) and professionalization of software development.

IT application development, previously outsourced mainly to service providers on a project basis, was consolidated and standardized in an in-house organizational unit.

To this end, Trumpf steadily built up internal development capacity, supported over the long term by strategic partners in various development projects.

A third initiative involved the introduction of Galileo's Conigma CCM change management solution to meet auditors' demands for better traceability of changes to the SAP system.

During these projects it became clear that a tool for automated source code scans was indispensable. The IT managers at Trumpf chose Virtual Forge CodeProfiler, having already satisfied themselves of its quality in an initial code scan.

The analysis tool detected highly critical vulnerabilities in the custom code of the central SAP system. These could have provided attackers with entry points that, in the worst case, would allow the application to be shut down completely. The introduction of CodeProfiler followed a clearly structured roadmap and took only four days.


SAP authorizations checked

In the SAP SafeT project to harmonize SAP authorization roles, Trumpf used CodeProfiler to check automatically whether its own Abap developments also contain the required authorization checks.

With the analysis tool, this can be done significantly faster, more easily and more thoroughly than with manual reviews. It helps ensure that employees without the required authorizations cannot reach SAP data through custom code and misuse it.
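The kind of finding this check is after, as an added example that is not Trumpf's code or a Virtual Forge test case: a custom report that reads company-code data without an authorization check, beside the hardened form. The report name, the choice of table and the fixed message text are assumptions made for illustration; the authorization object F_BKPF_BUK with its fields BUKRS and ACTVT is SAP standard.

```abap
REPORT z_authcheck_demo.

" Hypothetical custom report (not from the original article).
PARAMETERS p_bukrs TYPE bukrs.

" --- Vulnerable variant (what a static scan should flag) -------------------
" Reads accounting document headers for any company code the user types in.
" There is no AUTHORITY-CHECK, so the only thing standing between a user and
" the data is whether they may run the report at all.
SELECT bukrs, belnr, gjahr, budat
  FROM bkpf
  WHERE bukrs = @p_bukrs
  INTO TABLE @DATA(lt_unchecked).

" --- Hardened variant -------------------------------------------------------
" Check the caller's authorization for this company code before reading.
" ACTVT '03' = display.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  " The check only protects anything if sy-subrc is evaluated and the
  " failing path leaves the program; a check whose result is ignored is
  " itself a typical scan finding.
  MESSAGE 'No display authorization for this company code' TYPE 'E'.
ENDIF.

SELECT bukrs, belnr, gjahr, budat
  FROM bkpf
  WHERE bukrs = @p_bukrs
  INTO TABLE @DATA(lt_checked).

" Report output omitted; lt_checked holds only data the caller may see.
```

A static analyzer like the one described here looks for the first pattern (a read of protected data with no preceding AUTHORITY-CHECK on the relevant object and field) and for the related weak form, an AUTHORITY-CHECK whose sy-subrc is never evaluated. Both are exactly the cases that manual role harmonization alone cannot catch, because the gap is in the code rather than in the role.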

In software development, CodeProfiler is used to check the quality and security of Trumpf's own Abap code. The basis for this is a set of development guidelines that Trumpf has largely derived from the CodeProfiler test cases. After all, it makes little sense to give programmers rules if compliance with them cannot be checked automatically.

Technical release of changes

In combination with Galileo's change management tool Conigma CCM, CodeProfiler is used to check changes to the SAP system for technical correctness.

Trumpf uses Conigma to consistently control and manage changes during transport from development to test and production systems.

The goal is to make the change management process audit-proof. To this end, Conigma provides an approval workflow that covers everything from the requirement through the change to the rolled-out function.

Virtual Forge CodeProfiler has been integrated into Conigma to check automatically whether source code changes comply with the development guidelines.

Although Conigma offers a ready-made CodeProfiler integration, the IT managers at Trumpf opted for an indirect integration via SAP's Abap Test Cockpit (ATC).

ATC is a test framework delivered with the SAP standard that bundles various static code analysis tools. The decisive factor in favor of ATC was that Trumpf did not want to close off the path to future SAP developments in this area, a good choice in view of the new functions in NetWeaver 7.5x.

The ATC integration in Conigma makes it possible to run an ATC check within the change request process and to steer the rest of the process depending on the result.

If the check returns priority 1 findings, the transport from the development system to the test system can initially be blocked. At present, developers can still override this manually and release the change despite the priority 1 findings.

In the future, however, Trumpf plans to use the ATC Exemption Browser. The process will then automatically check whether any priority 1 findings exist that must either be fixed or approved via an exemption in the ATC Exemption Browser. The downstream manual approval step will then be limited to organizational and formal matters.

Less time, more security

By using CodeProfiler for the technical approval of changes to its own Abap code, Trumpf saves considerable time. Where developers used to need five to ten minutes to review a change, they now need only around 30 seconds to look at an ATC check result.

Since ten to 15 changes have to be checked and released every day, the time saving is substantial. In addition, the code analysis tool gives Trumpf's developers confidence that they have not overlooked any security or compliance defects in their releases.

Since all changes to Trumpf's own Abap developments are checked systematically, IT managers can be sure that the number of critical code locations does not increase.

In the next step, Trumpf wants to add further test cases to the code analyses, above all Hana findings. This is to ensure that no constructs are built into new code that work on a classic database but not with the forward-looking Hana technology.



Sebastian Reim is Team Lead SAP Development at Trumpf.

