GRC
HR
SCM
CRM
BI


Article

 

The Security Behind Your SAP Systems: The Secure Software Lifecycle at SAP

by Dr. Jurgen Schneider | SAPinsider

April 1, 2003

by Dr. Jurgen Schneider, SAP AG SAPinsider - 2003 (Volume 4), April (Issue 2)
 

Dr. Jurgen Schneider,
SAP AG

In light of the increasing damage by the exploits of malicious hackers and computer criminals, security vulnerabilities in today’s software have come under scrutiny by product providers, customers, and users alike.1 With growing consumer anxiety about security, product providers have started new strategic initiatives2 aimed at bolstering trust in their products’ reliability, safety, and privacy, and have announced improved developer education, security quality measures, and new tools and response processes.

For a business software provider such as SAP, knowing full well that customers’ daily operations, business processes, and earnings depend on these software products, these goals are not new — although it is good to see these security standards being developed and enforced so broadly. However, with Web-based applications, Java, and open integration now so prominent in SAP offerings, our customers (decisionmakers, IT teams, system administrators, and users) are asking, and rightly so, how we’re responding to the effects of these innovations on SAP security.

SAP adheres to the well-known principle that “Security is a process” — not something you achieve once and for all. So at SAP, our security standards are consistently under review, and we are constantly looking for new ways to complement the procedures, measures, and tools that support the security processes behind our products and technology. This article briefly describes the security standards SAP currently has in place, and the new ones under development, at each of the main phases of a software product’s lifecycle:

  • Security during product design and development
  • Security during product ramp-up and installation
  • Security during product deployment and daily operations

Security During Product Design and Development
Right from the start, the earliest versions of SAP R/3 have included extensive security features: user management, password-based authentication, and authorization features based on authorization objects, profiles, and the AUTHORITY-CHECK ABAP statement. Comprehensive auditing data and reports supported periodic revisions of system configuration and business processes, features that have been a requirement for SAP business software products ever since.

To ensure that this commitment to security is maintained across the full range of SAP solutions and products, including our newest offerings — the Enterprise Portal, Exchange Infrastructure, CRM, SRM, and so on — security standards are built in to all solution production processes.

“Solution production” at SAP defines and controls the steps and phases a software product has to complete: from product definition and requirements specification; to the handovers from product planning to design, from design to development, and from development to testing; and on to final assembly, ramp-up, and support.

During the product definition phase, SAP security standards verify whether a product’s security requirements are captured, and then reflected appropriately in the product’s requirement specifications. These security requirements include:

  • Authenticating users upon system access
  • Controlling access to activities and resources according to users’ business roles and authorizations
  • Supporting privacy and confidential communications
  • Providing audit trail information

As the product moves into design and implementation, checks are in place to determine whether security requirements are met, and security features are tested and delivered to the customer correctly.

The security services and tools are designed, implemented, and supported by developers (who are also security specialists), and then further reviewed periodically by external experts. For both ABAP and Java applications, SAP security standards enforce the use of SAP Web AS-based security services and administration tools, which include:3

  • SAP Profile Generator
  • SAP Trust Manager
  • SAP Logon Ticket
  • SAP Cryptographic Library
  • SAP Web Dispatcher
  • SAP Java Cryptography Toolkit
  • SAP J2EE Engine’s Security Services

Interfaces to SAP security partner products, which are integrated on an OEM basis or offered as complementary solutions, go through extensive review as well.

This emphasis on standardization on the SAP Web Application Server ensures that basic security functions, such as cryptographic algorithms, authentication protocols, or user account data management, are based on a tested technology platform. Wherever an SAP application proposes additional or differing requirements, the development team needs to explicitly justify this and describe in detail how security requirements are still met.

Security During Product Ramp-Up and Installation
Traditionally, SAP application servers were installed in separate network zones, located inside your company’s intranet backend. Access would take place over SAP proprietary protocols with the SAP Graphical User Interface programs and the SAP Remote Function Call (RFC) library. However, with such a setup, sometimes when creating default installations, the convenience of ready-to-use functionality took precedence over the additional configuration steps required for secure administration.

With the introduction of the SAP Web Application Server, the situation has changed considerably. SAP Web Application Server allows direct access to applications using Web protocols, such as HTTP and HTTPS. In addition to the enabling of standard web protocols, setting up connections to the open Internet for collaboration with customers and partners is becoming a standard part of any default installation.

As a result, the default configuration of the SAP Web Application Server is currently undergoing a complete security review. For both the ABAP runtime environment and the J2EE Engine, we are looking at installation directory settings, file permissions, database connection and settings, communication ports used, which services are active per default, and default users and their passwords (and vice versa). Our goal? A locked-down default installation with minimal services active per default and restrictive permission settings for OS resources. We are also investigating how to improve the installation of the cryptographic libraries for ABAP and Java, possibly integrating them directly into the default installation process.4

To help achieve secure installation and configuration for SAP R/3, and for all SAP products built on the SAP Web AS platform, SAP customers and partners can rely on the SAP Security Guide at http://service.sap.com/security.

As part of SAP solution production, each new product is required to provide security information for inclusion in this resource, or to provide a separate product-specific security guide that can also be accessed via a link from the SAP Security Guide.

Security During Product Deployment and Daily Operations
The security review process does not end after a product has been shipped and installed. Even with the security requirements incorporated into the product design and verified during implementation and testing, vulnerabilities may still go undetected until the product is in use. Such vulnerabilities may be due to non-secure installation and administration, or caused by design or programming errors that went undiscovered during design reviews and testing (assuming that software testing can never be 100% complete).

Therefore, SAP maintains two additional resources to support the security of productive installations of SAP products:

  • The entire set of SAP documentation and help manuals, including several chapters on security services and APIs, are available online at the SAP Service Marketplace.5

  • Customers, partners, and community members (or, in fact, anyone with email access) can report potential security problems. They can contact the SAP Security Response Team, either by creating a problem message under component BC-SEC using the SAP Service Frontend6 or by simply sending an email to security@sap.com.

The SAP Security Response Team responds to each reported security concern by analyzing the problem and assessing its severity to determine the appropriate course of action. Once a security problem has been identified, customers are immediately informed about the problem via HotNews and corresponding notes in the SAP Service Frontend, including descriptions of temporary workarounds and possible manual corrections. The SAP Security Response Team also initiates and tracks patch development, and updates customer information as soon as a patch is available.

For more on known security alerts, customers and partners can retrieve this information from the SAP Service Marketplace at http://service.sap.com/security.

Conclusion
Although you won’t necessarily find a catchy name for SAP’s set of security standards, customers and users can be assured that we are constantly looking to improve security and enhance security resources across all phases of our software lifecycle. The requirements of a business software product and the inclusion of the Internet into daily operations clearly demand such processes, and will require even more attention as the software evolves.

SAP invites our customers, partners, and users to contribute to these endeavors, as the participation of all parties can only enhance the security of SAP customers’ business operations.


1 For example, see SAN’s “top 20” list of software vulnerabilities at www.sans.org/top20.

2 See www.microsoft.com/presspass/exec/craig/10-02trustworthywp.asp; www.oracle.com/ oramag/oracle/02-mar/index.html?o22break.html; and www-3.ibm.com/security/index.shtml for some examples of such initiatives.

3 A number of these services and tools have already been described briefly in this column in previous issues of SAP Insider (www.sapinsider.com).

4 Currently, these libraries are downloaded from the SAP Service Marketplace at http://service.sap.com/swcenter.

5 See http://help.sap.com (for SAP customers and partners).

6 See http://service.sap.com --> Support --> Customer Messages (for SAP customers).


Dr. Jürgen Schneider has been involved in the design and implementation of SAP security functions since 1996. Since 1998, he has been the Development Manager for Security in SAP’s Technology Development. He can be reached at j.schneider@sap.com.

An email has been sent to:






More from SAPinsider



COMMENTS

Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!


SAPinsider
FAQ