SAP Security Concepts and Implementation
Source Code Scan Tools Used at SAP: Detecting and Eliminating Security Flaws Early On
© 2013 SAP AG or an SAP affiliate company. All rights reserved.

Table of Contents
SAP Makes Code Scan Tools for ABAP Programming Language Available to Customers
SAP Relies on Coverity Inc. for C and C++ Code Scanning
SAP Draws on HP Fortify for Static Application Security Testing
Source Code Scan Strategy at SAP
Making Your Software Development More Secure
Find Out More

Prevention is better than cure. At SAP, automated source code scans help to detect and eliminate security flaws at an early stage in the development cycle. Customers can use the same source code scan tools as SAP to make their own software developments more secure.

Automated source code scan tools enable customers to:
• Perform in-depth checks consistently, without human bias
• Examine source code and assess its quality reliably and thoroughly
• Identify the root cause of security-related issues
• Detect errors early in the development of applications and add-ons
• Run and rerun automated tests of large amounts of code whenever required

SAP Makes Code Scan Tools for ABAP® Programming Language Available to Customers
Benefit from the in-depth source code scanning experience at SAP to cost-effectively enhance the quality of your own software products. An add-on for the SAP NetWeaver® Application Server (SAP NetWeaver AS) component is available for just this purpose.
With SAP NetWeaver AS, add-on for code vulnerability analysis, customers can benefit from SAP's experience in identifying source code–related risks of the kind listed in the OWASP Top 10, the Open Web Application Security Project's list of the most critical web application security risks (injection and cross-site scripting among them).

SAP RELIES ON COVERITY INC. FOR C AND C++ CODE SCANNING
Find out about best practices that can help you boost your efficiency in developing high-quality software and performing effective security analyses on the software. See the case study and interview: SAP Runs Coverity.

SAP DRAWS ON HP FORTIFY FOR STATIC APPLICATION SECURITY TESTING
Learn about products and services that can help you protect the applications you develop from security vulnerabilities, including detecting problems as they crop up and fixing them. See the case study: SAP uses HP Fortify to help produce secure applications.

Source Code Scan Strategy at SAP
The source code scan strategy in effect at SAP has been mandated by the company's board of directors as an integral part of the SAP product security strategy. The source code scan tools, the scope of testing, and the scan processes used for each SAP® software product are defined at the corporate level.

Scanning for security issues finds implementation errors, that is, vulnerabilities introduced while coding (an unescaped input value in a dynamic SQL statement, for example) rather than weaknesses in the design, which still need threat modeling and review. Security code scans start early in the product development cycle at SAP because finding and fixing a problem there is much cheaper than doing so later in the cycle or after release. The scans contribute to building a stable code structure right from the start. The source code scan tools deployed at SAP help developers identify vulnerable patterns within the code and pinpoint the root cause of security issues. In-depth training supports developers in making effective use of these tools, interpreting their results, and developing security awareness.

Security code scans are static code analyses: they examine the source code without executing it, so they can be run before the software is deployable and cover code paths that tests may never exercise. The price is that a static tool cannot always decide whether a flagged pattern is actually reachable, so its findings need developer triage, which is one reason the training matters.
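To make concrete what "identifying vulnerable patterns and pinpointing the root cause" means for a static scanner, here is an added illustration that is not part of the brochure and is not SAP's code vulnerability analyzer: a deliberately small source-to-sink taint check in Python, run over constructed ABAP snippets. The table zcustomer, the parameter p_name and the three snippets are made up for the demo; cl_abap_dyn_prg=>quote is a real ABAP class method, but treating any such call as fully cleansing is a simplification of this toy model.

```python
"""Toy source-to-sink taint check over ABAP-like source text.

Constructed illustration of what a static security scan does; this is NOT
SAP's code vulnerability analyzer, and the ABAP snippets (table ZCUSTOMER,
parameter P_NAME) are made up for the demo.
"""
import re
from dataclasses import dataclass, field

# Source: a PARAMETERS statement brings user-controlled input into a variable.
SOURCE_RE = re.compile(r"^PARAMETERS\s+(\w+)", re.I)
# Propagation: plain assignment "target = expression." and CONCATENATE ... INTO.
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+?)\.$")
CONCAT_RE = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)
# Sink: a dynamic WHERE clause in Open SQL, "WHERE (lv_cond)".
SINK_RE = re.compile(r"\bWHERE\s+\(\s*(\w+)\s*\)", re.I)
# Sanitizer: quoting/escaping via CL_ABAP_DYN_PRG (a real ABAP class; treating
# any such call as fully cleansing is a simplification of this toy model).
SANITIZE_RE = re.compile(r"cl_abap_dyn_prg=>(?:quote|escape_quotes)\(", re.I)
WORD_RE = re.compile(r"\w+")


@dataclass
class Finding:
    line: int        # line holding the dynamic WHERE clause (the sink)
    variable: str    # tainted variable that reaches the sink
    trace: list = field(default_factory=list)  # line numbers, source -> sink


def _propagate(tainted: dict, target: str, expression: str, lineno: int) -> None:
    """Update the taint state after 'target' receives 'expression'."""
    target = target.lower()
    if SANITIZE_RE.search(expression):
        tainted.pop(target, None)             # sanitizer output treated as clean
        return
    used = [w.lower() for w in WORD_RE.findall(expression) if w.lower() in tainted]
    if used:
        tainted[target] = tainted[used[0]] + [lineno]   # taint flows, trace grows
    else:
        tainted.pop(target, None)             # overwritten with constant data


def scan(source: str) -> list:
    """Return one Finding per dynamic WHERE clause fed by unsanitized input."""
    tainted: dict = {}    # variable name (lower-case) -> trace of line numbers
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in '*"':      # blank line or ABAP comment
            continue
        if m := SOURCE_RE.match(line):
            tainted[m.group(1).lower()] = [lineno]
        elif m := SINK_RE.search(line):
            var = m.group(1).lower()
            if var in tainted:
                findings.append(Finding(lineno, var, tainted[var] + [lineno]))
        elif m := CONCAT_RE.match(line):
            _propagate(tainted, m.group(2), m.group(1), lineno)
        elif m := ASSIGN_RE.match(line):
            _propagate(tainted, m.group(1), m.group(2), lineno)
    return findings


# Constructed samples (not real SAP code). Untrusted input is concatenated
# straight into a dynamic WHERE clause: the classic ABAP SQL injection pattern.
VULNERABLE = """\
PARAMETERS p_name TYPE c LENGTH 40.
DATA lv_where TYPE string.
DATA lt_result TYPE TABLE OF zcustomer.
CONCATENATE 'NAME = ''' p_name '''' INTO lv_where.
SELECT * FROM zcustomer INTO TABLE lt_result WHERE (lv_where).
"""

# Same logic, but the input is quoted/escaped before it enters the clause.
SANITIZED = """\
PARAMETERS p_name TYPE c LENGTH 40.
DATA lv_safe TYPE string.
DATA lv_where TYPE string.
DATA lt_result TYPE TABLE OF zcustomer.
lv_safe = cl_abap_dyn_prg=>quote( p_name ).
CONCATENATE 'NAME = ' lv_safe INTO lv_where.
SELECT * FROM zcustomer INTO TABLE lt_result WHERE (lv_where).
"""

# Best fix: no dynamic clause at all; the input is bound as a host variable.
PARAMETERIZED = """\
PARAMETERS p_name TYPE c LENGTH 40.
DATA lt_result TYPE TABLE OF zcustomer.
SELECT * FROM zcustomer INTO TABLE lt_result WHERE name = p_name.
"""

if __name__ == "__main__":
    for label, code in (("vulnerable", VULNERABLE), ("sanitized", SANITIZED),
                        ("parameterized", PARAMETERIZED)):
        for f in scan(code) or [None]:
            print(label, "->", "clean" if f is None else
                  f"line {f.line}: '{f.variable}' tainted via lines {f.trace}")
```

The trace the finding carries (source line, each propagation, sink line) is the "root cause" view the brochure refers to: the developer is shown where the untrusted value entered, not just the line that failed. A production analyzer does the same thing interprocedurally, with a real parser instead of line regexes, and checks that the sanitizer used matches the context of the sink; the toy model also cannot tell whether a flagged path is reachable, which is why static findings need triage.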
For large software products, these static analyses are among the most cost-effective ways of supporting a secure development lifecycle. Automated code scans enable developers to assess large amounts of source code. Following corrective action, developers can rerun the tests with push-button convenience.

The static analyses in SAP product development are complemented by other test methods, such as dynamic checks, fuzzing, and penetration testing, which catch the runtime and design-level problems a static scan cannot see.

MAKING YOUR SOFTWARE DEVELOPMENT MORE SECURE
The world's best-run companies run SAP software. The openness of SAP extends to the source code scanning methodologies that help to make SAP software reliable, robust, and secure. The source code scanning tools used by SAP are commercially available to SAP customers. Customers can benefit from the in-depth source code scanning experience at SAP to cost-effectively enhance the quality of their own software products.

FIND OUT MORE
To learn more about source code scanning tools from SAP, please contact your SAP representative.

CMP29044 (13/12)

© 2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.