blog address: https://abap-experts.com/blog/item/24-abap-code-vulnerabilities
keywords: SAP security, ABAP Code Vulnerabilities
ABAP Code Vulnerabilities | SAP security | ABAP-Experts.com
Category: Business
SAP security is a great challenge and will remain one for many years to come. To secure an application thoroughly, all of its components and potential threats need to be understood. SAP security is multi-layered; its building blocks range from infrastructure to application security. To break an application, a single flaw may be sufficient to compromise an entire environment.

Below is an overview of all SAP security notes released since 2010, categorized by their vulnerability type. The majority of all vulnerabilities have their origin in insecure ABAP developments. In this blog article we will zoom in on SQL injection in particular.

What is SQL injection? In ABAP we have various ways of reading and updating database values. By modifying specific variables or SQL access clauses, one can gain unauthorized access to secured data, or even alter data directly in the database. Let's look at the most basic form of SQL injection through the use of commonly used Open SQL statements and a selection-screen parameter.

The code above may be a textbook example, but you may be surprised how often we see such code snippets passing through established QA processes. And to be truly honest, having been an ABAP developer myself for more than 20 years, I too have to plead guilty when it comes to introducing certain unwanted vulnerabilities.

Besides relatively basic SQL injection scenarios using Open SQL, new technologies also introduce new vulnerabilities. An example is ABAP Managed Database Procedures (AMDP), the SQLScript functions available within HANA databases. EXEC statements containing variable parts pose a risk very similar to the one seen with Open SQL.
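As an added example (not the blog's own code), a hypothetical report that shows a selection-screen parameter flowing into a dynamic Open SQL WHERE clause, followed by the hardened forms; the table SFLIGHT, the parameter p_carr and the program name are assumptions:

```abap
REPORT zsqli_demo.
" Added demo program (not from the blog). The selection-screen field is
" assumed to be free text that the developer copies into a WHERE clause.

PARAMETERS p_carr TYPE c LENGTH 40 LOWER CASE.

DATA lt_flights TYPE STANDARD TABLE OF sflight.
DATA lv_where   TYPE string.

"--- Vulnerable: the input is concatenated into the dynamic WHERE clause,
" so the database parses it as SQL and it can change the condition the
" developer intended to write.
lv_where = |CARRID = '{ p_carr }'|.
SELECT carrid, connid, fldate, price FROM sflight
  WHERE (lv_where)
  INTO CORRESPONDING FIELDS OF TABLE @lt_flights.

"--- Fix 1 (preferred): static Open SQL with a host variable.
" The value is bound as data and is never interpreted as part of the statement.
SELECT carrid, connid, fldate, price FROM sflight
  WHERE carrid = @p_carr
  INTO CORRESPONDING FIELDS OF TABLE @lt_flights.

"--- Fix 2: if the clause really has to be dynamic, escape the value with
" CL_ABAP_DYN_PRG so a quote inside the input cannot terminate the literal.
DATA(lv_quoted) = cl_abap_dyn_prg=>quote( p_carr ).
lv_where = |CARRID = { lv_quoted }|.
SELECT carrid, connid, fldate, price FROM sflight
  WHERE (lv_where)
  INTO CORRESPONDING FIELDS OF TABLE @lt_flights.

cl_demo_output=>display( lt_flights ).
```

The same pattern applies to AMDP: a SQLScript string assembled from an importing parameter carries the risk of the first SELECT, while fixed statements with parameters behave like Fix 1.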