In the developer boudoir I – CVA in the cloud
SAP Code Vulnerability Analyzer in CloudATC
Barthel knows where to get the must
At a time when cyber security incidents are becoming increasingly common, recent reports highlight the importance of robust security mechanisms.
Two examples among many:
A vice admiral of the German Armed Forces recently warned of the increase in cyber attacks, as reported in an article by Thomas Daum. In addition, a report by InfoGuard showed that Swiss industrial companies in particular are the target of cyber attacks.
These developments make security, alongside freedom from errors and usability, a decisive strategic component in software development.
SAP has established the secure SDL (secure Software Development Lifecycle) for this purpose. But since SAP applications have offered the possibility for customer extensions or in-house developments since R/2 times, a large security gap opens up in the hopefully secure SAP applications.
Honestly: which SAP customer can vouch that their own developments are secure, that no developer has left a gap or even forgotten a backdoor in the code?
I have really experienced something like this: “ “, and this in a productive application! I didn’t even mean any harm, just a comfortable slipper. The whole structured transportation thing was simply too cumbersome for the gentleman. In most cases, the reason for many security vulnerabilities is not malice but convenience.
But the project environment also contributes to unsafe code. Projects have strict budget and time constraints: What counts for the project manager is to implement the promised functions within the planned project duration. There is probably not much time left for security. Sad but true: secure code is invisible and therefore does not promote careers.
In fact, in this sapinsider.org report on cyber security threats to SAP systems, Custom Code Vulnerability appears in the upper midfield.
Many solution providers have discovered this use case for themselves and offer their services or products for validating custom code. This includes SAP itself with the SAP Code Vulnerability Analyzer (CVA). This is the SLIN_SEC check variant in the Code Inspector and can therefore be easily integrated into the development workflow with the ABAP Test Cockpit (ATC). SAP uses it itself to check over 500 million lines of code.
Great, I say to myself. Let’s try it out – but why are the checks inactive?
I discover that this check variant is a component that requires a license: SAP material number 7019502. I take a quick look at the SAP price list and have to sit down. A shock! Five users are to cost CHF 249,225.00! Five! And then there are the annual maintenance costs!
Everyone I told this to visibly dropped their jaw. No chance of even thinking about releasing budget for this in the company – if you’re not a bank!
Sunny with clouds
I was electrified when I heard during a presentation by Olga Dolinskaya that the CVA within the Custom Code Migration App on the BTP ABAP Environment (affectionately known as Steampunk) is free of license costs. There are only the costs for this ABAP instance on the BTP (Business Technology Platform), which are not insignificant, but much lower than those for material number 7019502.
You can even use an ABAP instance with free_tier service plan for this, even if this unfortunately has the limitation of only 10 ATC runs. But still…
Clearly a carrot to lure us into the cloud, but what a tasty one!
I’m about to pounce on our sandbox tenant. Supposedly the setup is easier than on premise (see picture). But far from it, if you have to start with Adam and Eve: Install Cloud Connector, install BTP ABAP Environment, connect everything together.
I’m drowning in guides and documentation. Either there is too much, or there are gaps. You would need a consultant. Oops, I am one myself. Well, it’s time to grit your teeth and fight your way through.
My first attempt to set up a dedicated subaccount failed, because unfortunately I had selected cf-eu10 as the “region”, only to realize later that it was not enough to switch on Cloud Foundry; no, you have to get the Cloud Foundry Service (Free Tier). And on the day I tried it, it was not (yet?) offered for cf-eu10. So I had to delete everything again, because I couldn’t find a way to change the region of a subaccount afterwards.
The fact that the various services are not equally available in all regions is a recurring annoyance.
My second attempt with region cf-eu20 finally succeeded.
Then we continued in the fresh ABAP instance, where the connection to the on-premise ABAP system had to be created – here one longs for the simplicity of an SM59! But I finally did it, and now I know how to do it.
I was looking forward to my first run. The CVA is behind a custom code analysis project of the Custom Code Migration App.
The app correctly detects our customer namespace /BLUWRKS/.
Our sandbox system does not have much custom code, so there are only thirteen findings:
The result is a long hit list with practically no workflow options. But still…
The Prio 1 hit, by the way, was generated by the CRM WebUI extension tool, the AXT, and therefore belongs in the exception list when it becomes available:
For many objects, you can display the location in question with a single click:
First, the hit is opened in the ADT service on the development system.
However, a button is provided to open the location in the Eclipse editor:
SAP announced with great fanfare that there is now an ATC Configurator app, but it can only be used to change a few attributes and the priority of the checks. I can only hope that the app will be further enriched, because as things stand today (Q3 2023) it is hardly usable.
What to do?
Everything is set up, the CVA in the cloud ATC works. However, the result is somewhat unwieldy, as it does not offer any workflow options for distributing the work on the results list.
So you have to think through and organize the procedure well, especially if you make use of the ABAP free tier service plan, as you only have 10 free ATC runs and every development system needs its own run.
Proposal
The first run of the CVA should be set up as a small internal project with clear roles and responsibilities. The development lead should take the lead here, and each line-of-business development team should have a senior developer dedicated to this. This IT project can be managed with the help of a Cloud ALM project, for example. You can create dedicated roles:
You can also create suitable workstreams:
The system groups and deployment plans, with which you can also control the ABAP systems within the project in terms of transport within releases, are only hinted at here. The same applies to the deliverables of a project. After all, there should still be material left over for another blog.
I would work through the priority 1 cases as a whole team in order to gain a shared awareness of the cases and make jointly supported decisions.
In the case of priority 2 and 3 hits, I would download the results list as an Excel file and split and distribute it into further files according to responsibilities. “Package” and “Processor” can be used as criteria for the distribution. Here, too, you can distribute the Excel work packages within the Cloud ALM project using project tasks:
The individual developers are controlled via sub-tasks and can set the status individually. There is also a direct link to test management and, of course, to the final deployment in the production system.
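The distribution step described above (priority 1 as one team package, priority 2 and 3 split by “Package” and “Processor”, tool-generated hits parked on the exception list), as an added example that is not part of the blog post or of any SAP tool. The column names, processor IDs, check texts and the sample rows are constructed; a real CVA export will have different headers, and CSV stands in for the Excel file so the script runs offline.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for the downloaded results list.
# Column names are assumptions, not the real export format.
SAMPLE_EXPORT = """priority,package,processor,object,check
1,/BLUWRKS/CRM,AXTGEN,/BLUWRKS/CL_GEN_01,Dynamic SQL
1,/BLUWRKS/FI,ADOE,/BLUWRKS/FI_REPORT_01,Dynamic SQL
2,/BLUWRKS/FI,ADOE,/BLUWRKS/FI_REPORT_02,Missing AUTHORITY-CHECK
3,/BLUWRKS/FI,ADOE,/BLUWRKS/FI_REPORT_03,Hard-coded user name
2,/BLUWRKS/SD,BMUE,/BLUWRKS/SD_EXIT_01,Directory traversal
2,/BLUWRKS/FI,CSCH,/BLUWRKS/FI_REPORT_04,Missing AUTHORITY-CHECK
"""

# Constructed: objects generated by a tool (the AXT case in the post) that
# belong on the exception list rather than in a developer's work package.
TOOL_GENERATED = {"/BLUWRKS/CL_GEN_01"}

def split_findings(export_text, exempt_objects):
    """Return (work_packages, exception_list).

    Priority 1 findings form one package for the whole team; priority 2/3
    findings are grouped by (package, processor) as proposed in the post.
    """
    work_packages = defaultdict(list)
    exception_list = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["object"] in exempt_objects:
            exception_list.append(row)
        elif row["priority"] == "1":
            work_packages[("TEAM", "PRIO1")].append(row)
        else:
            work_packages[(row["package"], row["processor"])].append(row)
    return dict(work_packages), exception_list

def to_csv_files(work_packages):
    """Render each work package as its own CSV text, keyed by file name."""
    files = {}
    for (package, processor), rows in sorted(work_packages.items()):
        name = f"{package.strip('/').replace('/', '_')}__{processor}.csv"
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)
        files[name] = buf.getvalue()
    return files

if __name__ == "__main__":
    packages, exceptions = split_findings(SAMPLE_EXPORT, TOOL_GENERATED)
    for name, text in to_csv_files(packages).items():
        print(name, text.count("\n") - 1, "finding(s)")
    print("exception list:", [r["object"] for r in exceptions])
```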
If you like the convenience of jumping directly to the local ATC service, you can find your hits in the cloud app by filtering and open them from there in the editor (Eclipse with the ABAP Development Tools, ADT).
Usage data is useful, but as long as unsafe code is present in the production system, even code that is never called, it must be corrected – or deleted.
The “scoping” of the Custom Code Migration App is superfluous, as it is only used during an actual migration with the help of the Software Update Manager (SUM).
The findings from the checks should be incorporated into the company’s own programming guidelines.
A new control run after, say, a year should produce a much smaller hit list.
One final note. Custom Code Management has been talking about “projects” since time immemorial in SAP GUI. And since time immemorial, these CCM projects have had no connection with the “real” projects that aim to deliver a result within a given time with staff and budget. The two are (unfortunately) not linked to each other.
Have fun!