SAP systems are popular targets of cyber attacks. The consequences are usually severe, ranging from high financial losses to the sabotage of critical business processes. But how can companies prevent them? In this article we explain the particular role of code review.
Friday, July 28, 10:30 a.m.: Mr. Smith, the IT manager from our last article, is sitting in the conference room at the company headquarters, talking to his team and external consultants. An exhausting and nerve-racking time lies behind them: just recently, the company was hit by a serious cyber attack.
Now that the threat has been contained and all systems are working again, the company wants to check their cyber security from the ground up. To do this, he has called in a consulting firm, whose experts are now explaining the following:
SQL injection: one of the most common entry points
In SQL injection, hackers use vulnerabilities in the application layer to access and manipulate information in a database. And this is how it works: Most web-based applications (including many SAP applications) use Structured Query Language (SQL) to store information in databases or to retrieve it.
If cybercriminals manage to smuggle malicious input into SQL statements, they can change the intended behavior of the database, read and modify data they are not authorized to see, or even compromise the entire database.
Which applications are particularly vulnerable?
One of the distinguishing features of SAP applications is that they can be adapted precisely to the needs and processes of each individual company through custom coding. Using the extension interfaces that SAP provides (known as customer exits in the ABAP environment), developers can write their own code to modify the SAP standard applications or to set up their own processes.
But it is precisely this flexibility that carries great risks. To understand why, you have to know more about the conditions under which custom coding is usually developed. All projects have a tight budget and have to be completed quickly. In the context of quality assurance, usually only the desired functionality is tested. Issues such as code quality and program security are often ignored.
The main reason for this lack of quality assurance is that most companies simply don’t have enough personnel to ensure that good coding practices are adhered to. This is especially true when many developers – both internal and external – are working through large volumes of code conversion in major initiatives such as S/4HANA implementations (Brownfield, Bluefield or Greenfield). Best practices are usually well known – often there are even written programming guidelines – but the people in charge might not have the time to check whether the developers follow them.
How code reviews increase program security
This is where code reviews come into play: Specially trained consultants accompany the implementation process. They scan the custom code for anomalies and are thus able to uncover unsafe coding practices, potential security gaps and misconfigurations, so that SQL injections, for example, cannot take effect in the first place.
And even if bad coding doesn’t lead to intentional system manipulation: losing the ability to upgrade to new SAP releases because of bad custom code often results in an enormous increase in project costs.
Another critical aspect of SAP system security is authorization management: in our experience, 20% of custom code has no checks at all, and another 50% has incorrect or inadequate checks. If this code is then automatically migrated to the new S/4HANA system during a brownfield migration, the security vulnerabilities often remain undetected in the system for years. A professional code review therefore also includes this check.
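To make the two review findings described above concrete (SQL injection through custom code, and a database read with no authorization check), here is an added ABAP example; it is not code from the article or from any client project. It assumes the SAP flight-model demo table SFLIGHT and the demo authorization object S_CARRID with the fields CARRID and ACTVT.

```abap
REPORT z_code_review_demo.
" Added example, not from the original article. Assumes the SAP flight-model
" demo objects: table SFLIGHT and authorization object S_CARRID.

PARAMETERS p_carrid TYPE s_carr_id.      " user input from the selection screen

DATA lt_flights TYPE STANDARD TABLE OF sflight.
DATA lv_where   TYPE string.

START-OF-SELECTION.

  " ---- Version a reviewer would flag ---------------------------------------
  " Finding 1: the input is pasted verbatim into a dynamic WHERE clause.
  " A value containing a single quote changes the structure of the clause,
  " so the database executes a condition the developer never wrote.
  " Finding 2: the data is read without any authorization check.
  lv_where = |CARRID = '{ p_carrid }'|.
  SELECT * FROM sflight
    WHERE (lv_where)
    INTO TABLE @lt_flights.

  " ---- Hardened version ----------------------------------------------------
  " Fix 2: check the authorization object first and stop when it fails.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD p_carrid
    ID 'ACTVT'  FIELD '03'.               " 03 = display
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to display this carrier' TYPE 'E'.
  ENDIF.

  " Fix 1a (preferred): keep the clause static and bind the value as a host
  " variable, so the database receives it as data and never as SQL text.
  SELECT * FROM sflight
    WHERE carrid = @p_carrid
    INTO TABLE @lt_flights.

  " Fix 1b: if the clause genuinely has to be dynamic, quote the input with
  " CL_ABAP_DYN_PRG, which wraps it in single quotes and doubles any quotes
  " inside it, so the literal cannot be terminated early.
  lv_where = |CARRID = { cl_abap_dyn_prg=>quote( p_carrid ) }|.
  SELECT * FROM sflight
    WHERE (lv_where)
    INTO TABLE @lt_flights.
```

A code review looks for exactly these two patterns in custom code: dynamic WHERE clauses built from unescaped input, and database reads that are not preceded by an AUTHORITY-CHECK whose sy-subrc is evaluated.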
Better safe than sorry
With the help of external consultants, Mr. Smith identified and eliminated the vulnerabilities in the company’s SAP applications. In the future, he and his team will pay special attention to the security of their systems.