ABAP Development Standards concerning Security

You know the Secure Programming Guidelines but you want to do more?

Well, here are my top priority security recommendations for developing secure ABAP applications:

New database tables
 
1. Assign table authorization group
    Usually you create 3 table authorization groups per application:
    a) for customizing tables (<appl>C)
    b) for master data and transaction data or other application data (<appl>A)
    c) for system data (<appl>S)

You can use the report RDDPRCHK (or RDDTDDAT_BCE) to analyze the settings.
Use transaction SM30 for view V_BRG_54 to maintain authorization groups respective view V_DDAT_54 to maintain authorization group assignments.

Maintain authorization groups
http://help.sap.com/saphelp_nw70/helpdata/en/a7/5134d2407a11d1893b0000e8323c4f/frameset.htm
Maintain authorization group assignments
http://help.sap.com/saphelp_nw70/helpdata/en/a7/5134df407a11d1893b0000e8323c4f/frameset.htm

2. Set the maintenance flag, which controls SE16 am SM30, correctly

    Data Browser/Table View Maintenance
    http://help.sap.com/saphelp_nw70/helpdata/en/a6/03883acb00d768e10000000a114084/content.htm
3. Activate table logging for customizing table or create a change document object for master data.

    You can use the report RDDPRCHK (or RDDTDDAT_BCE) to analyze the settings.

    Check the settings of profile parameter rec/client and the tp parameter RECCLIENT, too.

Activate/Deactivate Table Change Logging 
http://help.sap.com/saphelp_nw70/helpdata/en/7e/c81ebb52c511d182c50000e829fbfe/frameset.htm 
Note 1916 Logging table changes in R/3 
https://service.sap.com/sap/support/notes/1916 
Note 84052 R3trans: Table logging
https://service.sap.com/sap/support/notes/84052  
4. Create specialized SM30 maintenance views instead of offering maintenance using SE16 and add additional authorization checks if required.

Create a Maintenance Dialog
http://help.sap.com/saphelp_nw70/helpdata/en/a1/e4521aa2f511d1a5630000e82deaaa/frameset.htm
Event 25: At the Start of the Maintenance Dialog
http://help.sap.com/saphelp_nw70/helpdata/en/c2/703037301f327ae10000009b38f839/frameset.htm 
 
New transactions
 
1. Assign authorization object with appropriate field values in the definition of the transaction using transaction SE93

Authorization Checks
http://help.sap.com/saphelp_nw70/Helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm
2. Enter authorization proposals using transaction SU24

Check Indicators
http://help.sap.com/saphelp_nw70/helpdata/en/52/671470439b11d1896f0000e8322d00/frameset.htm
3. If the transaction is a report transaction and you have decided that the authorization check for the transaction is important: Check the authorization again using function AUTHORITY_CHECK_TCODE within the code of the report.

New BAPI / RFC Function

  1. Ensure that application specific authorization checks are executed
  2. Put critical and non-critical RFC functions into separate function groups.

New Web UI

See Secure Programming Guide chapter "Secure User Interface"
http://help.sap.com/saphelp_nw70/helpdata/en/58/4d767ed850443c891ad27208789f56/frameset.htm

Critical ABAP statements

Have a close look at critical ABAP statements
 
 -  INSERT REPORT / GENERATE SUBROUTINE POOL
These statements allow to create arbitrary code. Avoid anything which would enable users to inject ABAP code.

INSERT REPORT
http://help.sap.com/abapdocu_70/en/ABAPINSERT_REPORT.htm
GENERATE SUBROUTINE POOL http://help.sap.com/abapdocu_70/en/ABAPGENERATE_SUBROUTINE_POOL.htm
-  CALL TRANSACTION
The statement CALL TRANSACTION does not check the authorization of the current user to execute the called transaction automatically. To do this, either the calling (preferred) or the called program must call function module AUTHORITY_CHECK_TCODE.

CALL TRANSACTION
http://help.sap.com/abapdocu_70/en/ABAPCALL_TRANSACTION.htm

Generic functionality

Avoid developing generic functionality which enables the user to choose any target table, file, report or transaction. Have a close look to these statements:

 - Generic access to tables to SELECT … FROM (variable)
    http://help.sap.com/abapdocu_70/en/ABAPFROM_CLAUSE.htm
 - Generic access to files using OPEN DATASET variable
    http://help.sap.com/abapdocu_70/en/ABAPOPEN_DATASET.htm
 - Generic access to reports using SUBMIT (variable)
    http://help.sap.com/abapdocu_70/en/ABAPSUBMIT.htm
 - Generic access to transactions using CALL TRANSACTION variable
    http://help.sap.com/abapdocu_70/en/ABAPCALL_TRANSACTION.htm
 
source: sdn. sap. com
author: Frank Buchholz is security evangelist for securing SAP systems.

No comments:

Post a Comment