10 GOLDEN RULES FOR CODING AUTHORIZATION CHECKS IN ABAP
© 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Dr. Markus Schumacher
March 18, Heidelberg
SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage
Ten golden rules for coding authorization checks in ABAP
Andreas Wiegenstein
Andreas Wiegenstein (Twitter: @codeprofiler)
 Founder of Virtual Forge (Heidelberg), responsible for R&D
 SAP Security Researcher, active since 2003
 Received Credits from SAP for 66 reported 0-day Vulnerabilities
 Speaker at international Conferences
 SAP TechEd (USA & Europe), DSAG (Europe)
 BlackHat (Europe), Hack in the Box (Europe)
 Troopers (Europe), IT Defense (Europe), RSA (USA)
 Co-Author of "Sichere ABAP Programmierung" (SAP Press, 2009)
 Co-Author of "ABAP Best Practices Guideline" (DSAG, 2013/2014)
 Created training class WDESA3 (ABAP Security) @ SAP University
My car, my house, my boat, …
Authorizations in Custom Code
Ongoing survey, results as of March 12, 2014
Golden Rule #1
Perform authority checks
General advice
 Check with your business department whether authorizations are required
in order to execute the business logic you provide, and which ones.
 As a fallback, analyze SAP standard code that implements a similar business
process and see which authorization checks it performs.
 If authority checks are required for your custom business logic, add
them to your code.
On average there are 866 missing authority checks in custom code.
Golden Rule #1
Perform authority checks (cont’d)
Specific advice
 Don't rely on S_RFC authorizations. They only determine *whether* a function module can be
invoked remotely at all. They are by no means related to the specific business logic of your
custom code. You don't want users with S_RFC * authorizations to be able to issue
purchase orders or to raise someone's salary. Auditors don't like this either...
 Don't rely on authorization groups assigned to reports (object S_PROGRAM). They are usually
coarse grained, as the same authorization group is used for multiple programs, and they are not
necessarily related to the specific business logic of your custom code.
 Always check start authorizations when using CALL TRANSACTION. Unlike a transaction started
from the menu or the command field, a CALL TRANSACTION gets no implicit start authorization
check from the kernel unless you ask for it:
 Function module AUTHORITY_CHECK_TCODE (checks S_TCODE, the authorization object assigned
to the transaction in SE93, and transaction locks)
 Since 7.40: CALL TRANSACTION … WITH AUTHORITY-CHECK (a failed check raises the exception
CX_SY_AUTHORIZATION_ERROR)
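The two ways to perform the missing start authorization check, as an added example that is not part of the original slides. ZPO_CREATE is an assumed custom transaction code; the local class and its method names are mine.

```abap
REPORT zvf_rule1_example.
" Added example, not from the original slides. Starts a transaction only
" after a start authorization check. ZPO_CREATE is an assumed transaction.

CLASS lcl_start DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS start_via_fm     IMPORTING iv_tcode TYPE sy-tcode.
    CLASS-METHODS start_via_kernel IMPORTING iv_tcode TYPE sy-tcode.
ENDCLASS.

CLASS lcl_start IMPLEMENTATION.
  METHOD start_via_fm.
    " Works on every release. The function module checks S_TCODE, the
    " authorization object assigned to the transaction in SE93, and whether
    " the transaction is locked. OK is mapped to 0 so that the usual
    " "sy-subrc <> 0 means denied" idiom holds.
    CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
      EXPORTING
        tcode  = iv_tcode
      EXCEPTIONS
        ok     = 0
        not_ok = 2
        OTHERS = 3.
    IF sy-subrc <> 0.
      MESSAGE |No authorization for transaction { iv_tcode }| TYPE 'E'.
    ENDIF.
    " A bare CALL TRANSACTION performs no start authorization check of its
    " own. On 7.40 and later write WITHOUT AUTHORITY-CHECK here to document
    " that the check was already done above.
    CALL TRANSACTION iv_tcode.
  ENDMETHOD.

  METHOD start_via_kernel.
    " ABAP 7.40 and later: the kernel performs the same check itself and
    " raises CX_SY_AUTHORIZATION_ERROR when it fails.
    TRY.
        CALL TRANSACTION iv_tcode WITH AUTHORITY-CHECK.
      CATCH cx_sy_authorization_error INTO DATA(lx_auth).
        MESSAGE lx_auth->get_text( ) TYPE 'E'.
    ENDTRY.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  lcl_start=>start_via_fm( 'ZPO_CREATE' ).
```

On 7.40 systems prefer the kernel form: it cannot be separated from the CALL TRANSACTION by a later edit, whereas the function module call can be deleted or moved without the syntax check noticing.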
Golden Rule #2
Perform authority checks according to SAP standard functionality
General advice
 Always use functionality based on the ABAP statement AUTHORITY-CHECK (directly, or
through an SAP API that wraps it) in order to perform authorization checks.
(A common bad practice is to base authorization decisions on user names, e.g. IF sy-uname = '...'.
Such checks are invisible to role administration and auditing, and they break as soon as
people change jobs or accounts are renamed.)
On average there are 187 hard-coded username checks in custom code.
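The user-name anti-pattern beside its AUTHORITY-CHECK replacement, as an added example that is not part of the original slides. Z_PURCH is an assumed custom authorization object with the fields WERKS (plant) and ACTVT (activity); the user IDs are invented.

```abap
" Added example, not from the original slides. Z_PURCH is an assumed custom
" authorization object with fields WERKS (plant) and ACTVT (activity).
DATA lv_werks TYPE werks_d VALUE '1000'.      " plant of the purchase order, assumed

" Bad practice: the decision is tied to user IDs. It is invisible to role
" administration (PFCG, SUIM), leaves no trace in SU53, survives job changes,
" and whoever obtains one of these accounts has the right by definition.
IF sy-uname = 'JSMITH' OR sy-uname = 'PURCHADMIN'.
  " ... create purchase order ...
ENDIF.

" Correct: the decision is expressed through an authorization object, so it is
" granted and revoked through roles and audited like any SAP standard check.
AUTHORITY-CHECK OBJECT 'Z_PURCH'
  ID 'WERKS' FIELD lv_werks
  ID 'ACTVT' FIELD '01'.                      " 01 = create
IF sy-subrc <> 0.
  MESSAGE |No authorization to create purchase orders in plant { lv_werks }| TYPE 'E'.
ENDIF.
" ... create purchase order ...
```

If a requirement genuinely is "only these two people", model it as an authorization object with a suitable field and assign the role to exactly those two users; the code stays the same when the people change.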
Golden Rule #3
Check the result of an authority check
General advice
 Always check sy-subrc after you perform an AUTHORITY-CHECK. Only the value 0
means the authorization is sufficient; 4 means the user lacks the authorization, and
higher values indicate a malformed check (e.g. unknown object or field). Treat
anything other than 0 as a denial.
 Since many other ABAP statements (SELECT, READ TABLE, CALL FUNCTION, …) also set
sy-subrc, make sure to perform the sy-subrc check *immediately* after the
AUTHORITY-CHECK, with no statement in between.
On average there are 13 broken authority checks in custom code.
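How a single statement between the check and the IF breaks the check, as an added example that is not part of the original slides. Z_PURCH (fields WERKS, ACTVT) and the table ZPO_HEAD (key EBELN, column WERKS) are assumed.

```abap
" Added example, not from the original slides. Z_PURCH (fields WERKS, ACTVT)
" and table ZPO_HEAD (key EBELN, column WERKS) are assumed.
DATA lv_werks TYPE werks_d VALUE '1000'.
DATA lv_ebeln TYPE ebeln.

" Broken: the SELECT between the check and the IF overwrites sy-subrc.
" sy-subrc is 0 whenever plant 1000 has at least one order, whatever the
" authority check returned, so an unauthorized user sees the data.
AUTHORITY-CHECK OBJECT 'Z_PURCH'
  ID 'WERKS' FIELD lv_werks
  ID 'ACTVT' FIELD '03'.                  " 03 = display
SELECT SINGLE ebeln FROM zpo_head INTO lv_ebeln
  WHERE werks = lv_werks.
IF sy-subrc = 0.                          " tests the SELECT, not the check
  WRITE: / 'first order:', lv_ebeln.
ENDIF.

" Correct: evaluate sy-subrc in the very next statement; if the result is
" needed later, copy it into a variable right away.
AUTHORITY-CHECK OBJECT 'Z_PURCH'
  ID 'WERKS' FIELD lv_werks
  ID 'ACTVT' FIELD '03'.
DATA(lv_auth_rc) = sy-subrc.
IF lv_auth_rc <> 0.
  MESSAGE |No authorization to display orders of plant { lv_werks }| TYPE 'E'.
ENDIF.
SELECT SINGLE ebeln FROM zpo_head INTO lv_ebeln
  WHERE werks = lv_werks.
IF sy-subrc = 0.
  WRITE: / 'first order:', lv_ebeln.
ENDIF.
```

The broken variant is what a later "small" change typically produces: someone inserts a lookup between an existing check and its IF, and the check quietly stops working.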
Golden Rule #4
Perform authority checks for the user that is actually logged on
General advice
 Only check the authorization of the currently logged-on user, i.e. avoid the
optional addition FOR USER. Checking a different (often hard-coded) user name says
nothing about the rights of the person actually running the code.
On average there are 2 ‘alias’ authority checks in custom code.
Golden Rule #5
Always use APIs instead of AUTHORITY-CHECK, if they exist
General advice
 Where SAP provides a specialized API function for an authorization check, use it instead of
coding the AUTHORITY-CHECK yourself: the API performs the complete check, including the
parts that are easy to forget.
Specific advice
 Use AUTHORITY_CHECK_TCODE instead of a manual check on S_TCODE (the function module also
evaluates the authorization object assigned to the transaction in SE93 and transaction locks)
 Use AUTHORITY_CHECK_DATASET instead of manual checks on S_DATASET / S_PATH (the function
module also evaluates the path protection configured in table SPTH)
On average there are 92 insufficient authority checks in custom code.
Golden Rule #6
Declare all fields of the authorization object
General advice
 Name every field of the authorization object in your AUTHORITY-CHECK, so that a reader
can see which values are checked and which are deliberately not.
Specific advice
 Always make sure to specify all fields of the authorization object you check. A field
that is left out is not checked (the same effect as DUMMY), but looks like an oversight.
 If there are fields you don't want to check, mark them as DUMMY in order to
make your intention explicit.
No meaningful statistical information available at this time.
Golden Rule #7
Don't use DUMMY values in important fields
General advice
 Do not use DUMMY values in important authorization fields like 'ACTVT'. A DUMMY activity
means that a user with display authorization (ACTVT 03) passes a check that guards a change
or a deletion; state the activity the code actually performs.
On average there are 8 DUMMY authority checks (ACTVT) in custom code.
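Rules 6 and 7 side by side, as an added example that is not part of the original slides. F_BKPF_BUK is the SAP standard object for FI documents by company code (fields BUKRS and ACTVT); lv_bukrs is assumed to hold the company code of the document being changed.

```abap
" Added example, not from the original slides. F_BKPF_BUK is the SAP standard
" object for FI documents by company code (fields BUKRS and ACTVT).
DATA lv_bukrs TYPE bukrs VALUE '1000'.      " company code, assumed

" Incomplete (rule 6): ACTVT is not named, so it is not checked at all. A
" reviewer cannot tell whether that was intended or forgotten.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD lv_bukrs.

" Explicit but still wrong (rule 7): the intention is documented, yet a user
" with display-only authorization (ACTVT 03) passes a check that guards a change.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD lv_bukrs
  ID 'ACTVT' DUMMY.

" Correct: every field is named and ACTVT carries the activity the code
" performs next (02 = change).
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD lv_bukrs
  ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0.
  MESSAGE |No authorization to change FI documents in company code { lv_bukrs }| TYPE 'E'.
ENDIF.
" ... change the document ...
```

The extended program check (SLIN) flags the first variant; only a code review catches the second, which is why the rule is stated separately.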
Golden Rule #8
Don't program privileging authorization checks
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD '*'        " privileging: satisfied only by an authorization for all packages
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  DUMMY            " Field not required in this context
  ID 'ACTVT'    FIELD '03'.
IF sy-subrc = 0.
  READ REPORT lv_prog INTO lt_code.
ENDIF.
General advice
 Avoid "*" values in authorization fields. A check for DEVCLASS '*' can only be satisfied by an
authorization covering all packages, so it forces administrators to grant unnecessarily high
privileges to every user of the program. Pass the real value (here: the program's package) instead.
On average there are 2 privileging authority checks (ACTVT) in custom code.
Golden Rule #9
Make authorization checks early in your business logic
General advice
 If an authorization check is required for a given piece of business logic, perform it as
early as possible: before any database change, before expensive processing, and before
sensitive data is read into memory. A late check can leave partially completed work behind
or expose data that was already read.
No meaningful statistical information available at this time.
Golden Rule #10
Perform authorization checks in order to avoid dumps
Specific advice
 Always test for S_DATASET and S_PATH authorizations (e.g. via AUTHORITY_CHECK_DATASET)
before you open a server-side file. OPEN DATASET performs an implicit S_DATASET check in
the kernel; if it fails, the exception CX_SY_FILE_AUTHORITY is raised and, if it is not
caught, the program ends in a short dump.
No meaningful statistical information available at this time.
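Server-side file access with the explicit check of rule 5 and the dump prevention of rule 10, as an added example that is not part of the original slides. The file path is assumed; AUTHORITY_CHECK_DATASET, its parameters and the SABC activity constants are SAP standard.

```abap
" Added example, not from the original slides. Explicit S_DATASET / S_PATH
" check before OPEN DATASET, plus a handler for the implicit kernel check.
TYPE-POOLS sabc.                          " SABC_ACT_READ / _WRITE / _DELETE
DATA lv_file TYPE string VALUE '/usr/sap/trans/data/example.txt'.   " assumed path
DATA lv_line TYPE string.
DATA lx_file TYPE REF TO cx_root.

" Unsafe: OPEN DATASET alone relies on the implicit kernel check; on failure
" CX_SY_FILE_AUTHORITY is raised and, uncaught, the user gets a short dump.
" OPEN DATASET lv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.

" Rule 5: use the API. It checks S_DATASET and, where table SPTH protects
" the path, S_PATH, so nothing has to be spelled out by hand.
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
  EXPORTING
    program          = sy-repid
    activity         = sabc_act_read
    filename         = lv_file
  EXCEPTIONS
    no_authority     = 1
    activity_unknown = 2
    OTHERS           = 3.
IF sy-subrc <> 0.
  MESSAGE |No authorization to read { lv_file }| TYPE 'E'.
ENDIF.

" Rule 10: still catch the exception. The implicit check runs anyway, and the
" file system can deny access after the explicit check passed.
TRY.
    OPEN DATASET lv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
    IF sy-subrc = 0.
      DO.
        READ DATASET lv_file INTO lv_line.
        IF sy-subrc <> 0.
          EXIT.
        ENDIF.
        " ... process lv_line ...
      ENDDO.
      CLOSE DATASET lv_file.
    ELSE.
      MESSAGE |Cannot open { lv_file }| TYPE 'E'.
    ENDIF.
  CATCH cx_sy_file_authority cx_sy_file_open INTO lx_file.
    MESSAGE lx_file->get_text( ) TYPE 'E'.
ENDTRY.
```

For writes use sabc_act_write and the same pattern; the explicit check gives the user a meaningful message, the CATCH guarantees there is no dump even if the two checks disagree.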
Further Information
Blog Post “Ten golden rules for ABAP authorization checks”
https://www.virtualforge.com/en/blog/post/ten_golden_rules_authorizations_en.html
Twitter: @codeprofiler
Thank you for your attention
Andreas Wiegenstein
CTO
Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained
in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this material.
This document is provided without a warranty of any kind, either express or implied, including but not limited to the
implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or
consequential damages that may result from the use of this document.
No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH.
© 2014 Virtual Forge GmbH.

More Related Content

What's hot (20)

PDF
Dialog programming ABAP
Jefferson Mutuva
 
PPT
Oracle Fusion Payments
Berry Clemens
 
DOC
Abap coding standards
surendra1579
 
PPT
SAP HANA Overview
Sitaram Kotnis
 
PDF
Internal tables in sap
Dharma Raju
 
PPT
Chapter 01 user exits
Kranthi Kumar
 
PPT
ABAP Open SQL & Internal Table
sapdocs. info
 
PPT
SAP ABAP - Needed Notes
Akash Bhavsar
 
PPTX
OData: A Standard API for Data Access
Pat Patterson
 
PDF
Sap transport procedures and best practices
MILUDW
 
PDF
Abap Questions
Kaustav Pyne
 
PPTX
Fiori Presentation
Steven Zeraua
 
PDF
Laravel Introduction
Ahmad Shah Hafizan Hamidin
 
PPTX
Java script
Shyam Khant
 
PPT
BRF+ Walk through
Dhivya Baskaran
 
PDF
SAP Banking Loan Management- FS 210
Jeetendra Tyagi
 
PDF
#OOW16 - Risk Management Cloud / GRC General Session
Dane Roberts
 
PDF
Overview of SAP HANA Cloud Platform
Vitaliy Rudnytskiy
 
PDF
Financials Cloud Expenses
Juan Carlos Valencia Villena
 
PDF
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
Edureka!
 
Dialog programming ABAP
Jefferson Mutuva
 
Oracle Fusion Payments
Berry Clemens
 
Abap coding standards
surendra1579
 
SAP HANA Overview
Sitaram Kotnis
 
Internal tables in sap
Dharma Raju
 
Chapter 01 user exits
Kranthi Kumar
 
ABAP Open SQL & Internal Table
sapdocs. info
 
SAP ABAP - Needed Notes
Akash Bhavsar
 
OData: A Standard API for Data Access
Pat Patterson
 
Sap transport procedures and best practices
MILUDW
 
Abap Questions
Kaustav Pyne
 
Fiori Presentation
Steven Zeraua
 
Laravel Introduction
Ahmad Shah Hafizan Hamidin
 
Java script
Shyam Khant
 
BRF+ Walk through
Dhivya Baskaran
 
SAP Banking Loan Management- FS 210
Jeetendra Tyagi
 
#OOW16 - Risk Management Cloud / GRC General Session
Dane Roberts
 
Overview of SAP HANA Cloud Platform
Vitaliy Rudnytskiy
 
Financials Cloud Expenses
Juan Carlos Valencia Villena
 
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
Edureka!
 

Viewers also liked (20)

PDF
Implementasi kartu jakarta sehat
Joan Mahulae
 
PDF
Elvens kall
Ilyas Qadri Ziaee
 
PPTX
Ferreteria gutierrez 1
carmitagarcia
 
DOC
150527 cuestionario evaluación club de internet i
Roberto GARCÍA ARRIBAS
 
PDF
Proyecto de verano delicias
Cáritas Diocesana de Zaragoza
 
PPT
Helpedia 2.0
Helpedia
 
PDF
Phone android jelly bean
Jose Luis Fernandez
 
PDF
Carta de España Nº 674 Septiembre 2011
Cext
 
PPT
Comte de Rius, Química
clara87
 
PPTX
Optymalizacja aplikacji ASP.NET
Bartlomiej Zass
 
PDF
En torno a la cultura escrita – margaret meek- Leidy Melo
Leidy Melo
 
PPTX
Equipo de trabajo de Hospital Pirovano - Jornada "Convivencia Escolar para un...
PrensaDMB
 
PPTX
Cómo hacer sal de colores.
Ritamv91
 
DOCX
Caracteristicas de los modulos fotovoltaicos
Karolayn Farfan Cruz
 
PPTX
Paso a paso: Como hacer una pagina en Jimdo
Gabriel Tibaquira
 
PDF
Manual del-equipo-para-kendo
clubkendovigo
 
PPT
Training Needs Analysis Modified
Phil Mayor
 
PDF
Catalog LEICA Silverline | Optics Trade | 2014
Optics-Trade
 
PPTX
Seminar Social Media Marketing WS11/12
Marco Jakob
 
Implementasi kartu jakarta sehat
Joan Mahulae
 
Elvens kall
Ilyas Qadri Ziaee
 
Ferreteria gutierrez 1
carmitagarcia
 
150527 cuestionario evaluación club de internet i
Roberto GARCÍA ARRIBAS
 
Proyecto de verano delicias
Cáritas Diocesana de Zaragoza
 
Helpedia 2.0
Helpedia
 
Phone android jelly bean
Jose Luis Fernandez
 
Carta de España Nº 674 Septiembre 2011
Cext
 
Comte de Rius, Química
clara87
 
Optymalizacja aplikacji ASP.NET
Bartlomiej Zass
 
En torno a la cultura escrita – margaret meek- Leidy Melo
Leidy Melo
 
Equipo de trabajo de Hospital Pirovano - Jornada "Convivencia Escolar para un...
PrensaDMB
 
Cómo hacer sal de colores.
Ritamv91
 
Caracteristicas de los modulos fotovoltaicos
Karolayn Farfan Cruz
 
Paso a paso: Como hacer una pagina en Jimdo
Gabriel Tibaquira
 
Manual del-equipo-para-kendo
clubkendovigo
 
Training Needs Analysis Modified
Phil Mayor
 
Catalog LEICA Silverline | Optics Trade | 2014
Optics-Trade
 
Seminar Social Media Marketing WS11/12
Marco Jakob
 
Ad

Similar to 10 GOLDEN RULES FOR CODING AUTHORIZATION CHECKS IN ABAP (20)

PDF
The how and why of patch management by N-able
Solarwinds N-able
 
PDF
Server pac 101
Marna Walle
 
PPTX
StarForce ProActive for Business
StarForce Technologies
 
PDF
Cloud native Microservices using Spring Boot
Sufyaan Kazi
 
PPTX
My Personal DevOps Journey: From Pipelines to Platforms
VMware Tanzu
 
PPTX
How to Write a Request for Proposal (RFP) for Web Content Management
Percussion Software
 
PPTX
Introduction of ARMule and a live demo - AutoRABIT at Tri-Valley Salesforce D...
AutoRABIT
 
PDF
Automating your ms world part 3 a brand new way to monitor with am ps web
Solarwinds N-able
 
PDF
Kickstart Your Next No-Code Web App with FME 2022.2
Safe Software
 
PDF
Application Security Management with ThreadFix
Virtual Forge
 
PPTX
Unit Tests and Test Seams for abap Hamburg June 2017 presented
Rainer Winkler
 
PDF
Introducing Keyword-driven Test Automation
TechWell
 
PPTX
Webinar: Mass Additions – R12 Asset Management
iWare Logic Technologies Pvt. Ltd.
 
PPTX
Make synthetic monitoring a critical part of your IT monitoring strategy: Why...
eG Innovations
 
PPTX
Vizag Virtual Meetup #7: Trending API Topics for 2022
Ravi Tamada
 
PDF
Dissecting and Attacking RMI Frameworks
Onapsis Inc.
 
PDF
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP Technology
 
PDF
N able - 5 things to look for in msp automation platform
Solarwinds N-able
 
PPTX
WordCamp LA 2014- Writing Code that Scales
SpectrOMTech.com
 
PPTX
Programmable infrastructure with FlyScript
Riverbed Technology
 
The how and why of patch management by N-able
Solarwinds N-able
 
Server pac 101
Marna Walle
 
StarForce ProActive for Business
StarForce Technologies
 
Cloud native Microservices using Spring Boot
Sufyaan Kazi
 
My Personal DevOps Journey: From Pipelines to Platforms
VMware Tanzu
 
How to Write a Request for Proposal (RFP) for Web Content Management
Percussion Software
 
Introduction of ARMule and a live demo - AutoRABIT at Tri-Valley Salesforce D...
AutoRABIT
 
Automating your ms world part 3 a brand new way to monitor with am ps web
Solarwinds N-able
 
Kickstart Your Next No-Code Web App with FME 2022.2
Safe Software
 
Application Security Management with ThreadFix
Virtual Forge
 
Unit Tests and Test Seams for abap Hamburg June 2017 presented
Rainer Winkler
 
Introducing Keyword-driven Test Automation
TechWell
 
Webinar: Mass Additions – R12 Asset Management
iWare Logic Technologies Pvt. Ltd.
 
Make synthetic monitoring a critical part of your IT monitoring strategy: Why...
eG Innovations
 
Vizag Virtual Meetup #7: Trending API Topics for 2022
Ravi Tamada
 
Dissecting and Attacking RMI Frameworks
Onapsis Inc.
 
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP Technology
 
N able - 5 things to look for in msp automation platform
Solarwinds N-able
 
WordCamp LA 2014- Writing Code that Scales
SpectrOMTech.com
 
Programmable infrastructure with FlyScript
Riverbed Technology
 
Ad

More from Virtual Forge (20)

PDF
How the U.S. Department of Defense Secures Its Custom ABAP Code
Virtual Forge
 
PDF
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
Virtual Forge
 
PDF
SAP HANA Security: New Technology, New Risks
Virtual Forge
 
PPTX
Stabile und performante Anwendungen für SAP HANA entwickeln
Virtual Forge
 
PDF
Develop Stable, High-Performance Applications for SAP HANA
Virtual Forge
 
PDF
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
Virtual Forge
 
PDF
Is your SAP system vulnerable to cyber attacks?
Virtual Forge
 
PDF
How to assess the risks in your SAP systems at the push of a button
Virtual Forge
 
PDF
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...
Virtual Forge
 
PDF
Uninvited Guests: Why do hackers love our SAP landscapes?
Virtual Forge
 
PDF
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?
Virtual Forge
 
PPTX
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...
Virtual Forge
 
PDF
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...
Virtual Forge
 
PDF
Risks of Hosted SAP Environments
Virtual Forge
 
PDF
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
Virtual Forge
 
PDF
Die Top 5 Mythen der SAP Sicherheit
Virtual Forge
 
PDF
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Virtual Forge
 
PDF
ABAP Code Qualität - Best Practices
Virtual Forge
 
PDF
Best Practices for Ensuring SAP ABAP Code Quality and Security
Virtual Forge
 
PDF
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
Virtual Forge
 
How the U.S. Department of Defense Secures Its Custom ABAP Code
Virtual Forge
 
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
Virtual Forge
 
SAP HANA Security: New Technology, New Risks
Virtual Forge
 
Stabile und performante Anwendungen für SAP HANA entwickeln
Virtual Forge
 
Develop Stable, High-Performance Applications for SAP HANA
Virtual Forge
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
Virtual Forge
 
Is your SAP system vulnerable to cyber attacks?
Virtual Forge
 
How to assess the risks in your SAP systems at the push of a button
Virtual Forge
 
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...
Virtual Forge
 
Uninvited Guests: Why do hackers love our SAP landscapes?
Virtual Forge
 
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?
Virtual Forge
 
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...
Virtual Forge
 
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...
Virtual Forge
 
Risks of Hosted SAP Environments
Virtual Forge
 
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
Virtual Forge
 
Die Top 5 Mythen der SAP Sicherheit
Virtual Forge
 
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Virtual Forge
 
ABAP Code Qualität - Best Practices
Virtual Forge
 
Best Practices for Ensuring SAP ABAP Code Quality and Security
Virtual Forge
 
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
Virtual Forge
 

Recently uploaded (20)

PDF
Windsurf Meetup Ottawa 2025-07-12 - Planning Mode at Reliza.pdf
Pavel Shukhman
 
PPTX
Top Managed Service Providers in Los Angeles
Captain IT
 
PDF
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
PDF
Empowering Cloud Providers with Apache CloudStack and Stackbill
ShapeBlue
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PPTX
Building a Production-Ready Barts Health Secure Data Environment Tooling, Acc...
Barts Health
 
PPTX
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
PPTX
Extensions Framework (XaaS) - Enabling Orchestrate Anything
ShapeBlue
 
PDF
Impact of IEEE Computer Society in Advancing Emerging Technologies including ...
Hironori Washizaki
 
PDF
Women in Automation Presents: Reinventing Yourself — Bold Career Pivots That ...
DianaGray10
 
PDF
Apache CloudStack 201: Let's Design & Build an IaaS Cloud
ShapeBlue
 
PDF
SFWelly Summer 25 Release Highlights July 2025
Anna Loughnan Colquhoun
 
PDF
Français Patch Tuesday - Juillet
Ivanti
 
PDF
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
PDF
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
PDF
CloudStack GPU Integration - Rohit Yadav
ShapeBlue
 
PDF
Rethinking Security Operations - SOC Evolution Journey.pdf
Haris Chughtai
 
PPTX
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
PDF
Smart Air Quality Monitoring with Serrax AQM190 LITE
SERRAX TECHNOLOGIES LLP
 
PPTX
MSP360 Backup Scheduling and Retention Best Practices.pptx
MSP360
 
Windsurf Meetup Ottawa 2025-07-12 - Planning Mode at Reliza.pdf
Pavel Shukhman
 
Top Managed Service Providers in Los Angeles
Captain IT
 
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
Empowering Cloud Providers with Apache CloudStack and Stackbill
ShapeBlue
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
Building a Production-Ready Barts Health Secure Data Environment Tooling, Acc...
Barts Health
 
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
Extensions Framework (XaaS) - Enabling Orchestrate Anything
ShapeBlue
 
Impact of IEEE Computer Society in Advancing Emerging Technologies including ...
Hironori Washizaki
 
Women in Automation Presents: Reinventing Yourself — Bold Career Pivots That ...
DianaGray10
 
Apache CloudStack 201: Let's Design & Build an IaaS Cloud
ShapeBlue
 
SFWelly Summer 25 Release Highlights July 2025
Anna Loughnan Colquhoun
 
Français Patch Tuesday - Juillet
Ivanti
 
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
CloudStack GPU Integration - Rohit Yadav
ShapeBlue
 
Rethinking Security Operations - SOC Evolution Journey.pdf
Haris Chughtai
 
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
Smart Air Quality Monitoring with Serrax AQM190 LITE
SERRAX TECHNOLOGIES LLP
 
MSP360 Backup Scheduling and Retention Best Practices.pptx
MSP360
 

10 GOLDEN RULES FOR CODING AUTHORIZATION CHECKS IN ABAP

  • 2. © 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.  Click to edit Master text styles  Second level  Third level  Fourth level  Fifth level © 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. Dr. Markus Schumacher © 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. March 18, Heidelberg SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage Ten golden rules for coding authorization checks in ABAP Andreas Wiegenstein
  • 3. © 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.  Click to edit Master text styles  Second level  Third level  Fourth level  Fifth level © 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. Andreas Wiegenstein (Twitter: @codeprofiler)  Founder of Virtual Forge (Heidelberg), responsible for R&D  SAP Security Researcher, active since 2003  Received Credits from SAP for 66 reported 0-day Vulnerabilities  Speaker at international Conferences  SAP TechEd (USA & Europe), DSAG (Europe)  BlackHat (Europe), Hack in the Box (Europe)  Troopers (Europe), IT Defense (Europe), RSA (USA)  Co-Author of „Sichere ABAP Programmierung" (SAP Press, 2009)  Co-Author of "ABAP Best Practices Guideline (DSAG, 2013/2014)  Created training class WDESA3 (ABAP Security) @ SAP University My car, my house, my boat, … I am with
  • 4. © 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.  Click to edit Master text styles  Second level  Third level  Fourth level  Fifth level © 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. Authorizations in Custom Code Ongoing survey, results as of March 12, 2014
  • 5. © 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.  Click to edit Master text styles  Second level  Third level  Fourth level  Fifth level © 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. Golden Rule #1 Perform authority checks General advice  Check with your business department, if (and which) authorizations are required in order to execute the business logic you provide.  As a fallback, analyze code that is similar to your business process for authorization checks.  If authority checks are required for your custom business logic, add them to your code. On average there are 866 missing authority checks in custom code.
  • 6. © 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.  Click to edit Master text styles  Second level  Third level  Fourth level  Fifth level © 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. Golden Rule #1 Perform authority checks (cont’d) Specific advice  Don't rely on S_RFC authorizations. They only determine, *if* a function module can be invoked remotely. They are by no means related to the specific business logic of your custom code. You don't want users with S_RFC * authorizations to be able to issue purchase orders or to raise someone's salary. Auditors don't like this either...  Don't rely on authorization groups assigned to reports. They are usually coarse grained, as the same authorization group is used for multiple programs. And they are not necessarily related to the specific business logic of your custom code.  Always check start authorizations when using CALL TRANSACTION, as no implicit start authorization check is performed by the kernel.  Function module AUTHORITY_CHECK_TCODE  Since 740: CALL TRANSACTION … WITH AUTHORITY-CHECK
  • 7. © 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.  Click to edit Master text styles  Second level  Third level  Fourth level  Fifth level © 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. Golden Rule #2 Perform authority checks according to SAP standard functionality General advice  Always use functionality based on the ABAP command AUTHORITY- CHECK in order to perform authorization checks. (A common bad practice is to base authorizations on usernames.) On average there are 187 hard-coded username checks in custom code.
  • 8. © 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.  Click to edit Master text styles  Second level  Third level  Fourth level  Fifth level © 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. Golden Rule #3 Check the result of an authority check General advice  Always check the result of sy-subrc after you perform an AUTHORITY-CHECK. sy-subrc with value zero means authorization sufficient.  Since other ABAP commands also change sy-subrc, make sure to perform the sy-subrc check *immediately* after the AUTHORITY- CHECK. On average there are 13 broken authority checks in custom code.
  • 9. © 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.  Click to edit Master text styles  Second level  Third level  Fourth level  Fifth level © 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. Golden Rule #4 Perform authority checks for the user that is actually logged on General advice  Only check the authorization of the currently logged on user (by avoiding the optional parameter FOR USER). On average there are 2 ‘alias’ authority checks in custom code.
  • 10. © 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.  Click to edit Master text styles  Second level  Third level  Fourth level  Fifth level © 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved. Golden Rule #5 Always use APIs instead of AUTHORITY-CHECK, if they exist General advice  Always use specialized API functions for authorization checks instead of AUTHORITY-CHECK. Specific advice  Use AUTHORITY_CHECK_TCODE instead of S_TCODE  Use AUTHORITY_CHECK_DATASET instead of S_DATASET / S_PATH On average there are 92 insufficient authority checks in custom code.
• 11. Golden Rule #6: Declare all fields of the authorization object
General advice
- Name every field of the authorization object in the AUTHORITY-CHECK. A field that is not listed is simply not checked (it behaves like DUMMY), so an omitted field silently weakens the check without anyone having decided that.
Specific advice
- Always make sure to specify all fields of the authorization object you check.
- If there are fields you deliberately do not want to check, mark them as DUMMY in order to make your intention explicit and reviewable.
No meaningful statistical information available at this time.
• 12. Golden Rule #7: Don't use DUMMY values in important fields
General advice
- Do not use DUMMY for the fields that carry the meaning of the check, above all ACTVT: ID 'ACTVT' DUMMY lets a user who may only display (ACTVT 03) pass a check that guards a change (02) or a deletion (06).
On average there are 8 DUMMY authority checks (ACTVT) in custom code.
• 13. Golden Rule #8: Don't program privileging authorization checks
Example of the pattern to avoid (from the slide; the two declarations are added so that the snippet compiles):

  DATA lv_prog TYPE progname.
  DATA lt_code TYPE STANDARD TABLE OF string.

  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' FIELD '*'         " wildcard: only users holding DEVCLASS = * pass
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD lv_prog
    ID 'P_GROUP'  DUMMY             " Field not required in this context
    ID 'ACTVT'    FIELD '03'.
  IF sy-subrc = 0.
    READ REPORT lv_prog INTO lt_code.
  ENDIF.

General advice
- Avoid '*' values in authorization fields. A check with FIELD '*' only succeeds for users whose authorization contains the full wildcard in that field, so administrators are forced to grant that unnecessarily high privilege (here: S_DEVELOP for every package) to everyone who needs the function.
On average there are 2 privileging authority checks (ACTVT) in custom code.
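The S_DEVELOP check above, rewritten to satisfy rules #6, #7 and #8 at once, as an added example (not code from the slides or from Virtual Forge): the "before" method drops OBJNAME, puts DUMMY on ACTVT and wildcards the package; the "after" method looks the program's package up in TADIR, names all five fields of S_DEVELOP, and checks the one activity the code performs. The report name, the parameter and the local class are hypothetical; only the S_DEVELOP field names, TADIR and READ REPORT are SAP standard.

```abap
REPORT zvf_golden_rules_6_7_8.

" Added example, not from the original slides. The S_DEVELOP fields DEVCLASS,
" OBJTYPE, OBJNAME, P_GROUP and ACTVT, table TADIR and READ REPORT are SAP
" standard; everything else is hypothetical. READ REPORT performs no
" authorization check of its own, which is why the explicit check is required.

PARAMETERS p_prog TYPE progname OBLIGATORY.

CLASS lcl_source DEFINITION.
  PUBLIC SECTION.
    TYPES tt_code TYPE STANDARD TABLE OF string WITH DEFAULT KEY.
    CLASS-METHODS read_bad
      IMPORTING iv_prog        TYPE progname
      RETURNING VALUE(rt_code) TYPE tt_code.
    CLASS-METHODS read_good
      IMPORTING iv_prog        TYPE progname
      RETURNING VALUE(rt_code) TYPE tt_code.
ENDCLASS.

CLASS lcl_source IMPLEMENTATION.
  METHOD read_bad.
    " Rule #6 broken: OBJNAME and P_GROUP are not named, so they are silently
    "                 not checked; a reader cannot tell whether that was intended.
    " Rule #7 broken: ACTVT DUMMY passes for any activity at all, so the check
    "                 no longer expresses what the code is about to do.
    " Rule #8 broken: DEVCLASS '*' succeeds only for users holding the full
    "                 wildcard, i.e. S_DEVELOP for every package in the system.
    AUTHORITY-CHECK OBJECT 'S_DEVELOP'
      ID 'DEVCLASS' FIELD '*'
      ID 'OBJTYPE'  FIELD 'PROG'
      ID 'ACTVT'    DUMMY.
    IF sy-subrc = 0.
      READ REPORT iv_prog INTO rt_code.
    ENDIF.
  ENDMETHOD.

  METHOD read_good.
    DATA lv_devclass TYPE devclass.
    " Resolve the program's real package; a program unknown to the repository
    " fails closed instead of being checked against a guessed value.
    SELECT SINGLE devclass FROM tadir INTO lv_devclass
      WHERE pgmid    = 'R3TR'
        AND object   = 'PROG'
        AND obj_name = iv_prog.
    IF sy-subrc <> 0.
      MESSAGE 'Program not found in the repository' TYPE 'E'.
    ENDIF.
    " All five fields are named. P_GROUP is deliberately not checked and says
    " so; ACTVT is the single activity this code performs (03 = display).
    AUTHORITY-CHECK OBJECT 'S_DEVELOP'
      ID 'DEVCLASS' FIELD lv_devclass
      ID 'OBJTYPE'  FIELD 'PROG'
      ID 'OBJNAME'  FIELD iv_prog
      ID 'P_GROUP'  DUMMY                " authorization group not relevant here
      ID 'ACTVT'    FIELD '03'.
    IF sy-subrc <> 0.
      MESSAGE 'No authorization to display the source of this program' TYPE 'E'.
    ENDIF.
    READ REPORT iv_prog INTO rt_code.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lt_code) = lcl_source=>read_good( p_prog ).
  WRITE: / |{ lines( lt_code ) } source line(s) read|.
```

With the package resolved from TADIR, an administrator can grant S_DEVELOP with ACTVT 03 for exactly the packages a user is supposed to inspect, and the check documents in code which fields matter, which are intentionally ignored, and which activity is being guarded.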
• 14. Golden Rule #9: Make authorization checks early in your business logic
General advice
- If a business function requires an authorization, check it as early as possible: in a report at AT SELECTION-SCREEN or at the very start of START-OF-SELECTION, in a function module or method before the first database access. A check that runs after data has been read, displayed or modified can leave an unauthorized user with information already on screen or with changes already on the database.
No meaningful statistical information available at this time.
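An added example for this rule (not code from the slides or from Virtual Forge): a hypothetical report that cancels the open orders of one sales organization. The "before" method updates first and checks afterwards, relying on ROLLBACK WORK; the "after" method checks before touching the database, and the report additionally rejects the user at the selection screen. Table ZORDERS (fields VKORG, VBELN, STATUS) and authorization object ZORDER (fields VKORG, ACTVT) are hypothetical.

```abap
REPORT zvf_golden_rule_9.

" Added example, not from the original slides. Hypothetical assumptions: custom
" table ZORDERS with fields VKORG, VBELN and STATUS, and authorization object
" ZORDER with fields VKORG and ACTVT. STATUS 'X' marks a cancelled order.

PARAMETERS p_vkorg TYPE vkorg OBLIGATORY.

CLASS lcl_cancel DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS cancel_bad  IMPORTING iv_vkorg TYPE vkorg.
    CLASS-METHODS cancel_good IMPORTING iv_vkorg TYPE vkorg.
ENDCLASS.

CLASS lcl_cancel IMPLEMENTATION.
  METHOD cancel_bad.
    " Work first, check last: the UPDATE has already reached the database. If
    " anything between here and the ROLLBACK causes an implicit commit (a
    " screen change, a synchronous RFC), the unauthorized change is permanent.
    UPDATE zorders SET status = 'X'
      WHERE vkorg = iv_vkorg AND status = space.
    AUTHORITY-CHECK OBJECT 'ZORDER'
      ID 'VKORG' FIELD iv_vkorg
      ID 'ACTVT' FIELD '06'.                 " 06 = delete
    IF sy-subrc <> 0.
      ROLLBACK WORK.
      MESSAGE 'No authorization to cancel orders of this sales organization' TYPE 'E'.
    ENDIF.
    COMMIT WORK.
  ENDMETHOD.

  METHOD cancel_good.
    " Check first: nothing has been read or written, so there is nothing to undo.
    AUTHORITY-CHECK OBJECT 'ZORDER'
      ID 'VKORG' FIELD iv_vkorg
      ID 'ACTVT' FIELD '06'.
    IF sy-subrc <> 0.
      MESSAGE 'No authorization to cancel orders of this sales organization' TYPE 'E'.
    ENDIF.
    UPDATE zorders SET status = 'X'
      WHERE vkorg = iv_vkorg AND status = space.
    COMMIT WORK.
  ENDMETHOD.
ENDCLASS.

AT SELECTION-SCREEN.
  " Earliest point in a report: the user does not even get past the selection
  " screen. The method keeps its own check because it may be called elsewhere.
  AUTHORITY-CHECK OBJECT 'ZORDER'
    ID 'VKORG' FIELD p_vkorg
    ID 'ACTVT' FIELD '06'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to cancel orders of this sales organization' TYPE 'E'.
  ENDIF.

START-OF-SELECTION.
  lcl_cancel=>cancel_good( p_vkorg ).
```

The duplicate check in the method is deliberate: the selection-screen check gives the user an early, clean rejection, while the check inside the method protects the business logic when it is reused from a function module, a class or a background job that never shows the selection screen.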
• 15. Golden Rule #10: Perform authorization checks in order to avoid dumps
Specific advice
- Always test for S_DATASET and S_PATH authorizations before you open a server-side file. OPEN DATASET performs its own kernel-side check, and when that check fails the program terminates with the runtime error OPEN_DATASET_NO_AUTHORITY, which cannot be caught; calling AUTHORITY_CHECK_DATASET first (Rule #5) turns the dump into an error the program can handle.
No meaningful statistical information available at this time.
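An added example for this rule (not code from the slides or from Virtual Forge): a hypothetical report that reads a server-side text file, asking AUTHORITY_CHECK_DATASET the same question the kernel will ask in OPEN DATASET, so that a missing authorization produces an error message instead of a short dump. The report name, the local class and the default path are hypothetical; AUTHORITY_CHECK_DATASET and its exceptions NO_AUTHORITY and ACTIVITY_UNKNOWN are SAP standard.

```abap
REPORT zvf_golden_rule_10.

" Added example, not from the original slides. OPEN DATASET checks S_DATASET
" (and S_PATH, for paths listed in SPTH) inside the kernel; on failure the
" program ends with runtime error OPEN_DATASET_NO_AUTHORITY, which no TRY block
" catches. AUTHORITY_CHECK_DATASET runs the same check as a function call.
" The default file name is only an example.

PARAMETERS p_file TYPE localfile DEFAULT '/usr/sap/trans/data/example.txt' LOWER CASE.

CLASS lcl_file DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS read_lines
      IMPORTING iv_file         TYPE csequence
      RETURNING VALUE(rt_lines) TYPE string_table.
ENDCLASS.

CLASS lcl_file IMPLEMENTATION.
  METHOD read_lines.
    DATA lv_line TYPE string.
    " Same check the kernel performs, but with a return code instead of a dump.
    " S_PATH is evaluated only if the path matches an SPTH entry; the function
    " takes care of that lookup.
    CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
      EXPORTING
        program          = sy-repid
        activity         = 'READ'           " READ / WRITE / DELETE (type group SABC)
        filename         = iv_file
      EXCEPTIONS
        no_authority     = 1
        activity_unknown = 2
        OTHERS           = 3.
    IF sy-subrc <> 0.
      MESSAGE 'No authorization to read this file' TYPE 'E'.
    ENDIF.
    " Safe to open now: the only remaining failures are ordinary file errors.
    OPEN DATASET iv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
    IF sy-subrc <> 0.
      MESSAGE 'File cannot be opened' TYPE 'E'.
    ENDIF.
    DO.
      READ DATASET iv_file INTO lv_line.
      IF sy-subrc <> 0.
        EXIT.
      ENDIF.
      APPEND lv_line TO rt_lines.
    ENDDO.
    CLOSE DATASET iv_file.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lt_lines) = lcl_file=>read_lines( p_file ).
  WRITE: / |{ lines( lt_lines ) } line(s) read|.
```

The activity passed to the function must match what the program then does with the file (READ before OPEN DATASET FOR INPUT, WRITE before FOR OUTPUT or FOR APPENDING, DELETE before DELETE DATASET); a mismatch either denies a legitimate user or lets the kernel check fail later with exactly the dump the rule is meant to prevent.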
• 16. Further Information
Blog post "Ten golden rules for ABAP authorization checks": https://www.virtualforge.com/en/blog/post/ten_golden_rules_authorizations_en.html
• 17. Thank you for your attention
Andreas Wiegenstein, CTO
Twitter: @codeprofiler
• 18. Missed the BIZEC SAP Security Workshop at the Troopers14 conference? A retrospective and all presentations are available for free download.
• 19. Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH. © 2014 Virtual Forge GmbH.