develop stable, high-performance applications for sap hana
run your business safer
HANA Code Scanning – Developing Secure Applications For SAP HANA
Patrick Boch
© 2015, Virtual Forge GmbH. All rights reserved.
SAP HANA: new technology
Introduction
Why is HANA important to SAP
Strategic solution
S/4 HANA "biggest innovation since R/3"
Transition of all new and existing customers to HANA in the mid- to long-term
HANA deployment scenarios
HANA as a data mart
Similar to "classic" BW architecture, HANA gathers data from (several) source systems
HANA in a classic 3-tier architecture
HANA replaces regular relational database
HANA as a technical infrastructure for native applications
New business application platform (S/4 HANA)
Understanding HANA security
Introduction
Why is HANA important to Hackers
Content Considerations
Contains business-critical data → espionage target
Central to business processes → sabotage target
Technology Considerations
Fraud possibilities
IT / Security has little experience with HANA
SAP HANA architecture
Risks in SAP HANA
Web Applications
SAP HANA systems can easily be found on the Internet
Unauthorized access possible
Services can be misused
SAP HANA is still vulnerable to typical web weaknesses
Weaknesses include XSS, SQL injection, ABAP code injection
R-Serve
R is used for statistical and advanced data analysis
SAP HANA connects to R-Serve to utilize R functions
R-Serve runs on a separate host with remote functions enabled
Privileged functions are enabled, incl. OS command execution
Custom Development
SAP HANA applications are accessible through browsers
New programming languages = increased development complexity
Web applications need to be secured at all levels
Programming needs to be validated for weaknesses
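Added example, not code from the slides or from Virtual Forge's CodeProfiler: the SQL injection and XSS weaknesses named under "Risks in SAP HANA" and the "programming needs to be validated for weaknesses" point above, written as plain JavaScript (XSJS is server-side JavaScript) so it runs under Node without a HANA system. The XSJS calls it stands in for ($.request.parameters.get(), $.db.getConnection().prepareStatement(), setString(), executeQuery()) are assumed; the fake connection, the allow-listed table names and the sample rows are constructed for the example.

```javascript
"use strict";

// Vulnerable pattern: the request value is spliced into the SQL text and
// so becomes part of the SQL grammar. This is what a code scanner flags.
function buildLookupVulnerable(name) {
  return "SELECT ID, NAME FROM CUSTOMERS WHERE NAME = '" + name + "'";
}

// Hardened pattern: the SQL text is a constant and the value travels as a
// bind parameter (prepareStatement + setString in XSJS, assumed here), so it
// can never change the statement structure.
function buildLookupSafe(name) {
  return { sql: "SELECT ID, NAME FROM CUSTOMERS WHERE NAME = ?", params: [name] };
}

// Identifiers (table or column names) cannot be bound. If a service must
// pick a table at run time, check it against an allow-list instead of
// trusting the request. The table names are constructed for the example.
const ALLOWED_TABLES = new Set(["CUSTOMERS", "ORDERS"]);
function buildTableSelect(table) {
  if (!ALLOWED_TABLES.has(table)) {
    throw new Error("table not allowed: " + table);
  }
  return 'SELECT COUNT(*) AS N FROM "' + table + '"';
}

// XSS: anything echoed back into an HTML response is escaped first.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for an XSJS request handler: `params.get(...)` plays the role of
// $.request.parameters.get(...), `db.prepare(...)` the role of
// $.db.getConnection().prepareStatement(...). Returns what would be written
// to $.response.
function handleLookup(params, db) {
  const name = params.get("name") || "";
  const q = buildLookupSafe(name);
  const stmt = db.prepare(q.sql);
  q.params.forEach((p, i) => stmt.setString(i + 1, p));
  const rows = stmt.executeQuery();
  // Output encoding happens at the point where data enters HTML.
  const items = rows.map((r) => "<li>" + htmlEscape(r.NAME) + "</li>").join("");
  return { contentType: "text/html", body: "<ul>" + items + "</ul>" };
}

// Constructed fake connection: like a real parameterised statement it
// compares the bound value literally, so an injection payload matches
// nothing instead of rewriting the WHERE clause. It logs SQL and binds.
function fakeDb(rows) {
  const log = [];
  return {
    log,
    prepare(sql) {
      const binds = [];
      return {
        setString(pos, value) { binds[pos - 1] = value; },
        executeQuery() {
          log.push({ sql, binds: binds.slice() });
          return rows.filter((r) => r.NAME === binds[0]);
        },
      };
    },
  };
}

module.exports = { buildLookupVulnerable, buildLookupSafe, buildTableSelect, htmlEscape, handleLookup, fakeDb };
```

The first function is the finding a scanner looks for: a request value concatenated into SQL. Bind parameters fix it for values; for identifiers, which cannot be bound, an allow-list is the only option, and the same rule applies to dynamic SQL built with EXEC in SQLScript. Escaping on output covers the XSS side independently of how the query was built.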
Developing applications for SAP HANA
Challenges in HANA development
New programming languages for ABAP developers
JavaScript (XSJS)
SQLScript
R
Complex role model
JavaScript developers lack (enterprise) security know how
Solutions for SAP HANA
Virtual Forge HANA Security Suite
Optimizing ABAP-Code for HANA Usage (CodeProfiler)
HANA Test Cases (HANA Readiness & Optimization)
Automated Correction ("Quick Fix" and Bulk)
Securing HANA configuration (SystemProfiler)
Additional platform for SystemProfiler
Test Cases, e.g. communication security, authorization, others
CodeProfiler for HANA
Eclipse and WebIDE Integration
First HANA Code Scanner
Virtual Forge CodeProfiler for HANA (CP4H)
Supports SQLScript and XSJS
Direct integration into Eclipse and WebIDE
Incl. documentation and solution approach
Comprehensive Test Case list (currently 22 on XSJS, 17 on SQLScript)
Coming soon: UI5 and R support
Further integration scenarios (HANA projects, CTS+, Finding Management, Cockpit)
Take action: We evaluate the current state of your SAP environment for free
Take an instant test: visit www.virtualforge.com
• Summary of findings
• Prioritization and classification of vulnerabilities
• Specific examples of findings
• Code and system metrics
[Diagram: Quality, Compliance, Security: Secure SAP® systems]
Risk Assessment / Penetration Test
• SAP configuration
• Custom code
Patrick Boch www.virtualforge.com
@Virtual_Forge
Thank you! Feel free to write or call for any questions and requests