Secure Programming Guidelines

You know the Secure Programming Guidelines but you want to do more? Well, here are my top priority security recommendations for developing secure ABAP applications:

New database tables

  1. Assign a table authorization group. Usually you create 3 table authorization groups per application:
    a) for customizing tables (C)
    b) for master data and transaction data or other application data (A)
    c) for system data (S)

    You can use the report RDDPRCHK (or RDDTDDAT_BCE) to analyze the settings. Use transaction SM30 with view V_BRG_54 to maintain authorization groups and view V_DDAT_54 to maintain authorization group assignments.
    Maintain authorization groups: http://help.sap.com/saphelp_nw70/helpdata/en/a7/5134d2407a11d1893b0000e8323c4f/frameset.htm
    Maintain authorization group assignments: http://help.sap.com/saphelp_nw70/helpdata/en/a7/5134df407a11d1893b0000e8323c4f/frameset.htm
  2. Set the maintenance flag, which controls SE16 and SM30, correctly.
    Data Browser/Table View Maintenance: http://help.sap.com/saphelp_nw70/helpdata/en/a6/03883acb00d768e10000000a114084/content.htm
  3. Activate table logging for customizing tables or create a change document object for master data. You can use the report RDDPRCHK (or RDDTDDAT_BCE) to analyze the settings. Check the settings of the profile parameter rec/client and the tp parameter RECCLIENT, too.
    Activate/Deactivate Table Change Logging: http://help.sap.com/saphelp_nw70/helpdata/en/7e/c81ebb52c511d182c50000e829fbfe/frameset.htm
    Note 1916 Logging table changes in R/3: https://service.sap.com/sap/support/notes/1916
    Note 84052 R3trans: Table logging: https://service.sap.com/sap/support/notes/84052
  4. Create specialized SM30 maintenance views instead of offering maintenance via SE16, and add additional authorization checks if required.
    Create a Maintenance Dialog: http://help.sap.com/saphelp_nw70/helpdata/en/a1/e4521aa2f511d1a5630000e82deaaa/frameset.htm
    Event 25: At the Start of the Maintenance Dialog: http://help.sap.com/saphelp_nw70/helpdata/en/c2/703037301f327ae10000009b38f839/frameset.htm

New transactions

  1. Assign an authorization object with appropriate field values in the definition of the transaction using transaction SE93.
    Authorization Checks: http://help.sap.com/saphelp_nw70/Helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm
  2. Enter authorization proposals using transaction SU24.
    Check Indicators: http://help.sap.com/saphelp_nw70/helpdata/en/52/671470439b11d1896f0000e8322d00/frameset.htm
  3. If the transaction is a report transaction and you have decided that the authorization check for the transaction is important: Check the authorization again using function AUTHORITY_CHECK_TCODE within the code of the report.

New BAPI / RFC Function

  1. Ensure that application-specific authorization checks are executed.
  2. Put critical and non-critical RFC functions into separate function groups.

New Web UI

See the Secure Programming Guide chapter “Secure User Interface”: http://help.sap.com/saphelp_nw70/helpdata/en/58/4d767ed850443c891ad27208789f56/frameset.htm

Critical ABAP statements

Have a close look at critical ABAP statements. You can use the Code Inspector, transaction SCI, to search for such statements in custom code.

  • INSERT REPORT / GENERATE SUBROUTINE POOL: these statements allow the creation of arbitrary code. Avoid anything that would enable users to inject ABAP code.
    INSERT REPORT: http://help.sap.com/abapdocu_70/en/ABAPINSERT_REPORT.htm
    GENERATE SUBROUTINE POOL: http://help.sap.com/abapdocu_70/en/ABAPGENERATE_SUBROUTINE_POOL.htm
  • CALL TRANSACTION: the statement CALL TRANSACTION does not automatically check whether the current user is authorized to execute the called transaction. To do this, either the calling (preferred) or the called program must call the function module AUTHORITY_CHECK_TCODE. You can also replace CALL TRANSACTION by a call to the function ABAP4_CALL_TRANSACTION, which executes all necessary authorization checks.
    CALL TRANSACTION: http://help.sap.com/abapdocu_70/en/ABAPCALL_TRANSACTION.htm
  • CALL 'SYSTEM': this statement sends operating system commands to the application server, where they are executed by the powerful user ADM. For some critical C functions, the system automatically performs an authorization check; if the user does not have the appropriate authorization, a runtime error occurs. You can also check the authorization with the function module AUTHORITY_CHECK_C_FUNCTION.
    CALL cfunc: http://help.sap.com/abapdocu_70/en/ABAPCALL-.htm
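The two AUTHORITY_CHECK_TCODE cases above (repeating the check inside a report transaction, and checking before CALL TRANSACTION) in one added example; this is not code from the original post. The report name Z_SECURE_CALL_DEMO and the transaction codes ZSECDEMO and ZDEMO2 are hypothetical placeholders.

```abap
REPORT z_secure_call_demo.        " hypothetical report name (added example)

CONSTANTS: gc_own_tcode TYPE sy-tcode VALUE 'ZSECDEMO',  " assumed SE93 tcode of this report
           gc_target    TYPE sy-tcode VALUE 'ZDEMO2'.    " assumed target transaction

*----------------------------------------------------------------------*
* Case 1: report transaction. The authorization object maintained in
* SE93 is only evaluated when the report is started via its transaction
* code. Started via SE38/SA38 or SUBMIT, that check is bypassed, so the
* report repeats it against its own transaction code.
*----------------------------------------------------------------------*
START-OF-SELECTION.
  PERFORM check_tcode USING gc_own_tcode.

*----------------------------------------------------------------------*
* Case 2: CALL TRANSACTION performs no S_TCODE check for the target.
* Check explicitly in the calling program, before the call, against a
* fixed target (never a user-supplied transaction code; see "Generic
* functionality" below). On releases that support it, CALL TRANSACTION
* ... WITH AUTHORITY-CHECK is the built-in alternative.
*----------------------------------------------------------------------*
  PERFORM check_tcode USING gc_target.
  CALL TRANSACTION gc_target.

*----------------------------------------------------------------------*
* AUTHORITY_CHECK_TCODE evaluates S_TCODE plus the additional
* authorization object maintained for the transaction in SE93.
* Note the unusual convention: the function raises the exception OK
* when the user IS authorized, so sy-subrc = 1 is the success case.
*----------------------------------------------------------------------*
FORM check_tcode USING iv_tcode TYPE sy-tcode.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = iv_tcode
    EXCEPTIONS
      ok     = 1
      not_ok = 2
      OTHERS = 3.
  IF sy-subrc <> 1.
*   Terminate with an error message; never silently continue.
    MESSAGE 'No authorization for the requested transaction' TYPE 'E'.
  ENDIF.
ENDFORM.
```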

Generic functionality

Avoid developing generic functionality that enables the user to choose any target table, file, report or transaction. Have a close look at these statements:

  • Generic access to tables using SELECT … FROM (variable) http://help.sap.com/abapdocu_70/en/ABAPFROM_CLAUSE.htm
  • Generic access to files using OPEN DATASET variable http://help.sap.com/abapdocu_70/en/ABAPOPEN_DATASET.htm
  • Generic execution of reports using SUBMIT (variable) http://help.sap.com/abapdocu_70/en/ABAPSUBMIT.htm
  • Generic execution of transactions using CALL TRANSACTION variable http://help.sap.com/abapdocu_70/en/ABAPCALL_TRANSACTION.htm
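Where a dynamic table name cannot be avoided, the least you should do is validate it against a fixed positive list and perform the table-authorization-group check that SE16 would perform (S_TABU_DIS via the group assigned in V_DDAT_54). The following is an added example, not code from the original post; the report name Z_GENERIC_SELECT_DEMO and the two allowed tables are assumptions.

```abap
REPORT z_generic_select_demo.     " hypothetical report name (added example)

PARAMETERS: p_table TYPE tabname DEFAULT 'T000'.  " constructed sample input

DATA: lt_allowed TYPE STANDARD TABLE OF tabname,
      lr_data    TYPE REF TO data.
FIELD-SYMBOLS: <lt_rows> TYPE STANDARD TABLE.

START-OF-SELECTION.
* Step 1: positive list. Only the tables this report was written for may
* be read. "Does the table exist" is not a check; the fixed list is what
* stops a user from pointing the SELECT at an arbitrary table.
  APPEND 'T000'  TO lt_allowed.   " assumed allowed for this report
  APPEND 'TSTCT' TO lt_allowed.   " assumed allowed for this report
  READ TABLE lt_allowed WITH KEY table_line = p_table TRANSPORTING NO FIELDS.
  IF sy-subrc <> 0.
    MESSAGE 'Table not permitted for this report' TYPE 'E'.
  ENDIF.

* Step 2: table authorization group. A dynamic SELECT performs no
* S_TABU_DIS check of its own, so call VIEW_AUTHORITY_CHECK with action
* 'S' (display), which checks the group assigned to the table.
  CALL FUNCTION 'VIEW_AUTHORITY_CHECK'
    EXPORTING
      view_action                    = 'S'
      view_name                      = p_table
    EXCEPTIONS
      no_authority                   = 1
      no_clientindependent_authority = 2
      table_not_found                = 3
      OTHERS                         = 4.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for this table' TYPE 'E'.
  ENDIF.

* Step 3: only now the dynamic access, with a row limit.
  CREATE DATA lr_data TYPE STANDARD TABLE OF (p_table).
  ASSIGN lr_data->* TO <lt_rows>.
  SELECT * FROM (p_table) INTO TABLE <lt_rows> UP TO 10 ROWS.
  WRITE: / 'Rows read:', sy-dbcnt.
```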

Frank Buchholz is security evangelist for securing SAP systems.

Reblogged from ABAP Development Standards concerning Security

