Custom code offers great opportunity to tailor SAP systems to a company's requirements. However, with opportunity, there also comes risk. [shutterstock: 625920362, StockPhotosLV]
At Trumpf, an interruption to its SAP system could have serious consequences. This is why the mechanical engineering company, located in southwestern Germany, takes a targeted approach to ensuring seamless system operations. One approach is to use the Virtual Forge CodeProfiler, which identifies risks in custom Abap code.
If the SAP system stands still, so do many processes in the company. This is the situation at Trumpf, a worldwide leading provider of machine tools, lasers, and electronics for industrial applications. The high-tech Group runs its SAP ERP system with just one client – across all international production and development locations, and a majority of the sales organizations.
Multiple internal initiatives
To achieve highly reliable SAP system operation, Trumpf has kicked off a number of internal initiatives, among others harmonizing the SAP authorization roles (SAP SafeT) and professionalizing its software development. Up to this point, IT application development has been predominantly outsourced to service providers on a project basis. Now, it has been consolidated and standardized in an internal organizational unit. Trumpf has also strengthened its internal development capacity, supported in the long term by strategic partners in different development projects. A third initiative introduced the change management solution Conigma CCM from Galileo, satisfying the auditors’ request to improve transparency on changes to the SAP system.
Such weaknesses could offer potential attackers gateways to bring the application to a complete standstill in the worst-case scenario.
In the course of these projects, it became clear that a tool for automatic source code scans was vital. The IT department at Trumpf selected the Virtual Forge CodeProfiler: They were won over by its quality based on the initial code scan alone. The analysis tool detected very critical weaknesses in customer code in the central SAP system. Such weaknesses could offer potential attackers gateways to bring the application to a complete standstill in the worst-case scenario. The implementation of the CodeProfiler followed a clearly structured roadmap and took only four days.
SAP authorizations checked
In its SAP SafeT project for harmonizing the SAP system authorization roles, Trumpf implemented the CodeProfiler to automate checks whether custom Abap developments contain the required authorization checks. This analysis tool can do this much faster, more efficiently and more thoroughly than manual checks can, while ensuring that no unauthorized employees have access to SAP data and who, in turn, could potentially misuse it.
In software development, CodeProfiler is used to check the quality and security of customer-specific ABAP code. Development guidelines that Trumpf largely adopted from CodeProfiler test cases serve as a basis for this. This is because it makes little sense to require programmers to comply with requirements if compliance cannot also be automatically checked.
Technical approval of changes
CodeProfiler is used in combination with the change management tool Conigma CCM from Galileo to check whether changes to the SAP system are correct at a technical level. Trumpf uses Conigma to continuously control and manage changes when transporting data from the development system into the test and productive systems. The goal is to audit-proof the change management processes. For example, Conigma offers an approval workflow that stretches from requirements for changes to the rolled out functions. The Virtual Forge CodeProfiler was integrated into Conigma in order to automatically control whether source code changes comply with development guidelines.
(…) Trumpf did not want to close the door on future SAP developments in this area – a good choice in light of the new functions in NetWeaver 7.5x
While Conigma does offer a prefab CodeProfiler integration, the Trumpf IT department decided on an indirect integration via the Abap Test Cockpit (ATC) from SAP. This is part of a test suite delivered with SAP standard and provides various static code analysis tools. The clincher for the use of ATC was that Trumpf did not want to close the door on future SAP developments in this area – a good choice in light of the new functions in NetWeaver 7.5x.
The ATC integration in Conigma enables an ATC check to be performed within the change requirement process and to control further processing depending on the result. If there are first priority findings, the transport from the development system into the test system can be initially stopped. Currently, the developers are able to manually counteract this and approve the first priority findings. However, going forward, TRUMPF intends to use the ATC Exemption Browser. This automatically checks for first priority findings that must be either removed or approved via the ATC Exemption Browser. This should then limit downstream manual approval steps to organizational and formal issues.
Less time, greater security
The use of the CodeProfiler for technical acceptance of the changes to custom Abap code saves Trumpf a considerable amount of time. While developers used to need five to ten minutes to review one change, they now need just 30 seconds to display one ATC check result. Since between 10 and 15 changes must be checked and approved daily, the time savings is immense. In addition, the use of the code analysis tool means that Trumpf developers can trust that they have not overlooked any errors when approving changes in terms of security and compliance. Because all changes to custom Abap developments are systematically checked, the IT department can be certain that the number of critical code lines is not growing.
Integration of additional test cases in planning
The next step for Trumpf is to integrate additional test cases in the code analyses, especially Hana findings. This is intended to ensure that no constructs are built in new code that work in a traditional database, but not with the pioneering Hana technology.