Currently Being Moderated

SAP Integration and Certification Center – Security Code Scanning Confirmation

Get a confirmation, that you have successfully scanned your ABAP coding with SAP NetWeaver Application Server, add-on for code vulnerability analysis.

 

Software vendors that have licensed the SAP NetWeaver Application Server, add-on for code vulnerability analysis (CVA) can get a written confirmation from SAP ICC, that a given software package has been scanned successfully, and no Prio1 and no Prio2 security issues were detected.

 

 

Information and Licensing

As of today, CVA covers 4 of the most important source code related topics (according OWASP Top 10, see details online) not covered by SAP ABAP framework otherwise:

 

  • A1: injection attacks: SQL, OS or code injection
  • A4: insecure direct object references: directory traversal attacks
  • A7: missing access control: call transaction without authorization check (ABAP 7.4x only)
  • A9: insecure usage of functions of the SAP NetWeaver AS ABAP:

       unsupported encoding functions against XSS or other attacks.

 

       A2, A3 and A8 are already covered by SAP framework.

 

To get further details of CVA, please read the following SAP Insiders Article.

 

To learn more about licensing possibilities, please contact your assigned Partner Service Advisor (PSA) or contact SAP Test Demo Development Licenses.

 

 

Benefits

  • ICC consultant gives first introduction into configuration and usage of CVA within the ABAP Test Cockpit.
  • ICC consultant checks ABAP coding together with vendor, remotely on vendor’s landscape.
  • Vendor gets written confirmation from SAP ICC that coding packages were successfully scanned, and no Prio1 and no Prio2 security issues were detected.

 

Prerequisites

To get the CVA introduction and confirmation service, vendor must have officially licensed the CVA.

 

 

Price List

The price is 5.000 Euro to get one written confirmation for an arbitrary collection of ABAP coding and objects in one package or transport request.

 

 

Integration into ABAP Add-On Deployment Certification

Software vendors that have licensed CVA and have subscribed to the ABAP Service Package can get the service for free as part of every ABAP Add-On Deployment Certification

 

 

For successfully scanned and certified ABAP Add-Ons, SAP would add the confirmation directly on the certificate.

 

 

Details of SAP NetWeaver Application Server, add-on for code vulnerability analysis

 

Details of ABAP Service Package and ABAP Add-On Deployment Certification

 

Apply for ICC Services right away - please fill in the SAP ICC online application form

 

SAP Application Development partner directory: Certified solutions can be found in the SAP Application Development partner directory.

Comments

Delete Document

Are you sure you want to delete this document?