SAP Vulnerability Analysis

SAP Code Vulnerability Analyzer: The Vulnerability Analysis Tool from SAP

What is Vulnerability Analysis?

Vulnerability analysis refers to the process and tools used to uncover vulnerabilities that moderately or severely impact the security of its product or system. Through a vulnerability analysis, areas of weakness and potential actions that would exploit those weaknesses are identified, and the effectiveness of additional security measures is assessed.

What is SAP Code Vulnerability Analyzer?

SAP’s primary vulnerability testing tool is SAP Code Vulnerability Analyzer, which scans ABAP source code and identifies security issues. The tool can be used as part of the ABAP test cockpit, the SAP code inspector, and the extended syntax check program. SAP Code Vulnerability Analyzer provides vulnerability checks for SQL injection, code injection, call injection, OS command injection, directory traversal, backdoors and authorizations, and web exploitation. Using the tool’s built-in dataflow detection logic, the number of false positives can be reduced by eliminating findings where the data used in potentially dangerous expressions comes from safe sources.

SAP Code Vulnerability Analyzer: The Vulnerability Analysis Tool from SAP

What is Vulnerability Analysis?

Vulnerability analysis refers to the process and tools used to uncover vulnerabilities that moderately or severely impact the security of its product or system. Through a vulnerability analysis, areas of weakness and potential actions that would exploit those weaknesses are identified, and the effectiveness of additional security measures is assessed.

What is SAP Code Vulnerability Analyzer?

SAP’s primary vulnerability testing tool is SAP Code Vulnerability Analyzer, which scans ABAP source code and identifies security issues. The tool can be used as part of the ABAP test cockpit, the SAP code inspector, and the extended syntax check program. SAP Code Vulnerability Analyzer provides vulnerability checks for SQL injection, code injection, call injection, OS command injection, directory traversal, backdoors and authorizations, and web exploitation. Using the tool’s built-in dataflow detection logic, the number of false positives can be reduced by eliminating findings where the data used in potentially dangerous expressions comes from safe sources.

What Does This Mean for SAPinsiders?

• Add the SAP Code Vulnerability Analyzer to your ABAP test cockpit. When an SAP customer licenses the tool, ABAP developers get an additional option with the ABAP test cockpit  to perform security checks. Developers can then review their code and conduct tests for code robustness, performance, and usability. Martin Müller, Presales Expert Security, SAP Deutschland, and Arndt Lingscheid, Product Manager of SAP Enterprise Threat Detection , SAP SE, stress that without the SAP Code Vulnerability Analyzer, incorrect programming can be missed, resulting in “severe security issues, such as data theft and costly compliance violations.”
• Scan code before it is put into production. “Organizations need visibility at all levels so they can navigate new opportunities and be compliant, responsible, and act with integrity,” explains Bruce Romney, Senior Director of Product Marketing for SAP GRC and Security Solutions. He says that visibility into code before production is vital to prevent vulnerabilities from going undetected. In addition, it can be more time-consuming and costly to fix vulnerabilities post-production.

What other vendors offer application security for SAP products? Some of the other vendors that offer vulnerability analysis for SAP customers include Onapsis, Security Weaver, Virtustream, and Xiting.

LINK TO ABAP LANDING PAGE [CP1]

LINK TO ABAP TEST COCKPIT LP [CP2]

LINK TO SAP ENTERPRISE THREAT DETECTION LP [CP3]