At SAP TechEd10 in Berlin I presented an Expert Lounge session on Security. Some "repeat offenders" turned up from last year and a little crowd of frustrated BPXers looking for hacks gathered over time as well :-) People again asked me to share the presentation information and notes to solutions. Here they are.
1st topic: Introduction to Security on SDN…
There is nothing new in the security area this year, apart from the content gathered on SCN in the meantime, if you use it as an information source. For those not yet familiar with SDN: within the Security & Identity Management category you can find a wealth of security-related information and useful tools, such as:
- Moderated forums, wikis, blogs, articles, workspaces, partner information in the EcoHub and the SAP Career Center, which is a job board focusing exclusively on SAP-related employment. There is a dedicated category for security jobs.
- A collection of threads: FAQs, intros and memorable discussions and insights from SAP subject matter experts (also from SAP) which you won't find elsewhere on the internet.
- The SCN SAP Security functionality wishlist for developments in the wiki is producing some fruit as well (3 developments approved), and the wiki content is growing with useful information. SAP Note # 11 also recommends using this route (but not to Acknowledgments to Security Researchers!).
2nd topic: New object S_TABU_NAM -> see SAP Note 1434284: New information about table access concept.
The new authorization object S_TABU_NAM controls access via the name of the table.
- Requires that S_TABU_DIS (auth group) first fails.
- Performed centrally in FM VIEW_AUTHORITY_CHECK (only...)
- Does not affect redundantly coded authority-checks.
- SU53 will produce “red herrings” in the last failed check.
- SU24 proposals based on S_TABU_DIS
- Entries in table TSTCA will “auto correct” SU24 in lower release levels.
- Keep an eye out for the "package concept" implications for tables which belong to packages (and might have interfaces!). The warnings in the developer trace will help you further here...
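The difference between a redundantly coded check and the central one, as an added example in ABAP (not from the original presentation or from SAP). The report name, variable names and the sample table T000 are assumptions, and the S_TABU_NAM fallback in the second variant presumes the correction from SAP Note 1434284 is in the system.

```abap
REPORT z_tabu_check_demo.                      "hypothetical report name

PARAMETERS p_tab TYPE dd02v-tabname DEFAULT 'T000'. "sample table
DATA gv_group TYPE tddat-cclass.

START-OF-SELECTION.
* Variant 1: redundantly coded check. It only ever asks for S_TABU_DIS,
* so a user who holds S_TABU_NAM for this table alone is refused.
  SELECT SINGLE cclass FROM tddat INTO gv_group
    WHERE tabname = p_tab.
  IF sy-subrc <> 0 OR gv_group IS INITIAL.
    gv_group = '&NC&'.                         "tables without a group
  ENDIF.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD gv_group
    ID 'ACTVT'     FIELD '03'.
  IF sy-subrc = 0.
    WRITE: / 'Direct S_TABU_DIS check: authorized for group', gv_group.
  ELSE.
    WRITE: / 'Direct S_TABU_DIS check: refused, S_TABU_NAM never asked'.
  ENDIF.

* Variant 2: central check. S_TABU_DIS is tried first; only if it fails
* is S_TABU_NAM (fields ACTVT and TABLE) evaluated. The failed first
* step is what can then show up in SU53 although access was granted.
  CALL FUNCTION 'VIEW_AUTHORITY_CHECK'
    EXPORTING
      view_action                    = 'S'     "S = show / display
      view_name                      = p_tab
      no_warning_for_clientindep     = 'X'
    EXCEPTIONS
      invalid_action                 = 1
      no_authority                   = 2
      no_clientindependent_authority = 3
      table_not_found                = 4
      no_linedependent_authority     = 5
      OTHERS                         = 6.
  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'VIEW_AUTHORITY_CHECK: display access granted'.
    WHEN 2.
      WRITE: / 'VIEW_AUTHORITY_CHECK: no authority (both objects failed)'.
    WHEN 4.
      WRITE: / 'VIEW_AUTHORITY_CHECK: table not found'.
    WHEN OTHERS.
      WRITE: / 'VIEW_AUTHORITY_CHECK: refused, sy-subrc =', sy-subrc.
  ENDCASE.
```

Running it as a test user whose role contains only S_TABU_NAM for the table makes the two variants disagree, which is a quick way to find custom code that still needs to be moved to the central function module.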
3rd topic: Security zones via S_ICF… see SAP Note 1281504: Authorization check for SICF services (and RFC destinations).
- Authorization object S_ICF is implemented as a client-side access check for calling a target destination, regardless of the function being called.
- Services and RFC connections can be grouped into security zones for client-side access to call the destination, regardless of the application used (e.g. CUA, eCATT, CCMS, BPM, SE37, etc...)
- Use case for SolMans is obvious...
4th topic: New trace features -> see Trace
SAP Note 1373111: Improvements to authorization trace.
- Reason codes are provided for sy-subrc.
- Application object disabled for transaction in SU24.
- Application object globally disabled in TOBJ.
- Success against FOR USER construct shown.
SAP Note 543164: Special tracing feature in SAP.
- Population of SU24 via “original data”.
- Application objects and values recorded with context.
- Tip: Use a clean “QAS” system and transfer to DEV.
- Note: This is a guru tool and you must first read the documentation and understand SU24.
5th topic: Patch Tuesday and custom code… New initiative from SAP to plan security-related patching on a monthly basis.
- Check your emails for the term "Patch Tuesday"
- Covers SAP code and indirectly customer coding using documented and released SAP API functions.
What about the “black hole” of customer and partner products "in the wild"...?
- QA procedures: Typically only formal checks for signatures.
- Manual reviews: Cumbersome and time consuming.
- Code Inspector: Standard tool with static rules.
- Code Profiler: Guru tool used by SAP on their own code with security focus (commercial product).
Matt Billingham's recommendations in his Virtual Community Day session from 2009 on "The ancient and noble art of code reviews" are still worth gold here for the sustainability of code quality (beyond security boundaries). A good tool makes developers even better (or less worse from the security perspective of good software... :-)