Dr. Jurgen Schneider,
In light of the increasing damage by the exploits of malicious hackers
and computer criminals, security vulnerabilities in today’s software
have come under scrutiny by product providers, customers, and users alike.1
With growing consumer anxiety about security, product providers have started
new strategic initiatives2 aimed at bolstering
trust in their products’ reliability, safety, and privacy, and have
announced improved developer education, security quality measures, and
new tools and response processes.
For a business software provider such
as SAP, knowing full well that customers’ daily operations, business
processes, and earnings depend on these software products, these goals
are not new — although it is good to see these security standards
being developed and enforced so broadly. However, with Web-based applications,
Java, and open integration now so prominent in SAP offerings, our customers
(decisionmakers, IT teams, system administrators, and users) are asking,
and rightly so, how we’re responding to the effects of these innovations
on SAP security.
SAP adheres to the well-known principle
that “Security is a process” — not something you achieve
once and for all. So at SAP, our security standards are consistently under
review, and we are constantly looking for new ways to complement the procedures,
measures, and tools that support the security processes behind our products
and technology. This article briefly describes the security standards
SAP currently has in place, and the new ones under development, at each
of the main phases of a software product’s lifecycle:
- Security during product design and development
- Security during product ramp-up and installation
- Security during product deployment and daily operations
Security During Product Design and Development
Right from the start, the earliest versions of SAP R/3 have included extensive
security features: user management, password-based authentication, and
authorization features based on authorization objects, profiles, and the
AUTHORITY-CHECK ABAP statement. Comprehensive auditing data
and reports supported periodic revisions of system configuration and business
processes, features that have been a requirement for SAP business software
products ever since.
To ensure that this commitment to security
is maintained across the full range of SAP solutions and products, including
our newest offerings — the Enterprise Portal, Exchange Infrastructure,
CRM, SRM, and so on — security standards are built in to all solution
“Solution production” at SAP
defines and controls the steps and phases a software product has to complete:
from product definition and requirements specification; to the handovers
from product planning to design, from design to development, and from
development to testing; and on to final assembly, ramp-up, and support.
During the product definition phase, SAP
security standards verify whether a product’s security requirements
are captured, and then reflected appropriately in the product’s
requirement specifications. These security requirements include:
- Authenticating users upon system access
- Controlling access to activities and resources according to users’
business roles and authorizations
- Supporting privacy and confidential communications
- Providing audit trail information
As the product moves into design and implementation,
checks are in place to determine whether security requirements are met,
and security features are tested and delivered to the customer correctly.
The security services and tools are designed,
implemented, and supported by developers (who are also security specialists),
and then further reviewed periodically by external experts. For both ABAP
and Java applications, SAP security standards enforce the use of SAP Web
AS-based security services and administration tools, which include:3
- SAP Profile Generator
- SAP Trust Manager
- SAP Logon Ticket
- SAP Cryptographic Library
- SAP Web Dispatcher
- SAP Java Cryptography Toolkit
- SAP J2EE Engine’s Security Services
Interfaces to SAP security partner products,
which are integrated on an OEM basis or offered as complementary solutions,
go through extensive review as well.
This emphasis on standardization on the
SAP Web Application Server ensures that basic security functions, such
as cryptographic algorithms, authentication protocols, or user account
data management, are based on a tested technology platform. Wherever an
SAP application proposes additional or differing requirements, the development
team needs to explicitly justify this and describe in detail how security
requirements are still met.
Security During Product Ramp-Up and Installation
Traditionally, SAP application servers were installed in separate network
zones, located inside your company’s intranet backend. Access would
take place over SAP proprietary protocols with the SAP Graphical User
Interface programs and the SAP Remote Function Call (RFC) library. However,
with such a setup, sometimes when creating default installations, the
convenience of ready-to-use functionality took precedence over the additional
configuration steps required for secure administration.
With the introduction of the SAP Web Application
Server, the situation has changed considerably. SAP Web Application Server
allows direct access to applications using Web protocols, such as HTTP
and HTTPS. In addition to the enabling of standard web protocols, setting
up connections to the open Internet for collaboration with customers and
partners is becoming a standard part of any default installation.
As a result, the default configuration
of the SAP Web Application Server is currently undergoing a complete security
review. For both the ABAP runtime environment and the J2EE Engine, we
are looking at installation directory settings, file permissions, database
connection and settings, communication ports used, which services are
active per default, and default users and their passwords (and vice versa).
Our goal? A locked-down default installation with minimal services active
per default and restrictive permission settings for OS resources. We are
also investigating how to improve the installation of the cryptographic
libraries for ABAP and Java, possibly integrating them directly into the
default installation process.4
To help achieve secure installation and configuration for SAP R/3, and for
all SAP products built on the SAP Web AS platform, SAP customers
and partners can rely on the SAP Security Guide at http://service.sap.com/security.
As part of SAP solution production, each new product is required
to provide security information for inclusion in this resource,
or to provide a separate product-specific security guide that can
also be accessed via a link from the SAP Security Guide.
Security During Product Deployment and Daily Operations
The security review process does not end after a product has been shipped
and installed. Even with the security requirements incorporated into the
product design and verified during implementation and testing, vulnerabilities
may still go undetected until the product is in use. Such vulnerabilities
may be due to non-secure installation and administration, or caused by
design or programming errors that went undiscovered during design reviews
and testing (assuming that software testing can never be 100% complete).
Therefore, SAP maintains two additional
resources to support the security of productive installations of SAP products:
- The entire set of SAP documentation and help manuals, including several
chapters on security services and APIs, are available online at the
SAP Service Marketplace.5
- Customers, partners, and community members (or, in fact, anyone with
email access) can report potential security problems. They can contact
the SAP Security Response Team, either by creating a problem message
under component BC-SEC using the SAP Service Frontend6
or by simply sending an email to email@example.com.
The SAP Security Response Team responds
to each reported security concern by analyzing the problem and assessing
its severity to determine the appropriate course of action. Once a security
problem has been identified, customers are immediately informed about
the problem via HotNews and corresponding notes in the SAP Service Frontend,
including descriptions of temporary workarounds and possible manual corrections.
The SAP Security Response Team also initiates and tracks patch development,
and updates customer information as soon as a patch is available.
|For more on known security alerts, customers and
partners can retrieve this information from the SAP Service Marketplace
Although you won’t necessarily find a catchy name for SAP’s
set of security standards, customers and users can be assured that we
are constantly looking to improve security and enhance security resources
across all phases of our software lifecycle. The requirements of a business
software product and the inclusion of the Internet into daily operations
clearly demand such processes, and will require even more attention as
the software evolves.
SAP invites our customers, partners, and
users to contribute to these endeavors, as the participation of all parties
can only enhance the security of SAP customers’ business operations.
1 For example,
see SAN’s “top 20” list
of software vulnerabilities at www.sans.org/top20.
2 See www.microsoft.com/presspass/exec/craig/10-02trustworthywp.asp;
oramag/oracle/02-mar/index.html?o22break.html; and www-3.ibm.com/security/index.shtml
for some examples of such initiatives.
3 A number of these services and tools have already
been described briefly in this column in previous issues of SAP Insider
4 Currently, these libraries are downloaded from the
SAP Service Marketplace at http://service.sap.com/swcenter.
5 See http://help.sap.com
(for SAP customers and partners).
6 See http://service.sap.com --> Support --> Customer
Messages (for SAP customers).
Dr. Jürgen Schneider has been involved in the design and implementation
of SAP security functions since 1996. Since 1998, he has been the Development
Manager for Security in SAP’s Technology Development. He can be
reached at firstname.lastname@example.org.