
SAP Security Scanning Solution

IP.com Disclosure Number: IPCOM000239320D
Publication Date: 2014-Oct-29
Document File: 5 page(s) / 347K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method which performs several scans on programs and identifies security issues. It can scan programs and tables, checking and mapping them to the desired transaction codes. As this solution aims to be a complete security package, authorization checks are also taken into consideration. The main idea is that an input list goes through 3 stages of scanning. First, the programs and transaction codes are validated, mapped and given a transport request. All programs that have errors are removed from the list and do not go through the next stage. All the programs that pass are then fed into the second stage, which recommends authorization objects based on selection screen fields, fields in the report's SELECT statement, or the key fields of the accessed tables. Lastly, these programs are scanned for any static text that should not be present in any of the programs.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 33% of the total text.


    Security is an aspect that no company should take for granted. As such, it is important to lock down, or at least to minimize, access to objects that can be exploited by malicious users. Since end-user access to the ABAP editor and the data browser is a potential threat, it is advisable to disable that access. With this in mind, programs should have assigned transaction codes and correct authorization objects.

    This disclosure performs several scans on programs and identifies security issues. It can scan programs and tables, checking and mapping them to the desired transaction codes. As this solution aims to be a complete security package, authorization checks are also taken into consideration. An authorization check is a basic SAP security practice that older systems may have misused or not used at all. To remedy this, the solution also scans each program in order to recommend possible authorization objects and fields to be applied to it. Lastly, the solution also scans for static text, which should be avoided during development.

    An SAP standard report ('RPR_ABAP_SOURCE_SCAN') does provide functionality to scan ABAP source code. Unlike this standard report, however, the invention is not limited to finding strings in ABAP code. The solution differentiates itself by providing additional searches (such as for hard-coded user names) and other scan functionalities.

    A similar patent is US20120017280A1, which also detects security defects in source code. It checks processing and database tables, while the disclosed tool includes checks for authorization and transaction code configuration. This proposed solution is more advanced since it will be packaged with additional solutions that deliver an end-to-end approach covering scanning, fixing, testing, and documentation. Source code is only part of what this solution checks. The disclosure's approach is also purely SAP-based, making it easier to deploy and implement.

    The disclosure offers automated solutions for three repetitive, time-consuming manual tasks: manually assigning transaction codes, checking each report to recommend authorization objects for it, and looking for hard-coded values in each program.

    The main idea is that an input list goes through 3 stages of scanning. First, the programs and transaction codes are validated, mapped and given a transport request. All programs that have errors are removed from the list and do not go through the next stage. All the programs that pass are then fed into the second stage, which recommends authorization objects based on selection screen fields, fields in the report's SELECT statement, or the key fields of the accessed tables. Lastly, these programs are scanned for any static text that should not be present in any of the programs.
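The three-stage pipeline described above, as an added Python example that is not part of the disclosure and not SAP code: stage 1 drops programs with no transaction code mapping, stage 2 derives candidate authorization fields from the three sources the text names (selection-screen fields, the field list of SELECT statements, and the key fields of accessed tables) and records whether an AUTHORITY-CHECK is present at all, and stage 3 flags hard-coded user names compared against sy-uname. The ABAP-like sources, the program-to-transaction-code map and the table key fields are all constructed lookups standing in for the SAP repository; the example does not query a system and does not create transport requests.

```python
import re

# Constructed stand-in for the transaction-code repository (program -> tcode).
TCODE_MAP = {"ZREP_SALES": "ZSALES01", "ZREP_HR": "ZHR01"}

# Constructed stand-in for data dictionary key fields of a few tables.
TABLE_KEYS = {
    "VBAK": ["MANDT", "VBELN"],
    "PA0002": ["MANDT", "PERNR", "SUBTY", "OBJPS", "SPRPS", "ENDDA", "BEGDA", "SEQNR"],
}

# Constructed ABAP-like sources keyed by program name (not real customer code).
PROGRAMS = {
    "ZREP_SALES": """
REPORT zrep_sales.
PARAMETERS: p_vkorg TYPE vbak-vkorg.
SELECT-OPTIONS: s_vbeln FOR vbak-vbeln.
SELECT vbeln erdat vkorg FROM vbak INTO TABLE lt_vbak WHERE vbeln IN s_vbeln.
AUTHORITY-CHECK OBJECT 'V_VBAK_VKO' ID 'VKORG' FIELD p_vkorg.
""",
    "ZREP_HR": """
REPORT zrep_hr.
PARAMETERS: p_pernr TYPE pa0002-pernr.
IF sy-uname = 'JSMITH'.
  SELECT * FROM pa0002 INTO TABLE lt_pa WHERE pernr = p_pernr.
ENDIF.
""",
    "ZREP_ORPHAN": """
REPORT zrep_orphan.
SELECT * FROM vbak INTO TABLE lt_vbak.
""",
}

PARAM_RE = re.compile(r"^\s*PARAMETERS:?\s+(\w+)(?:\s+TYPE\s+([\w-]+))?", re.I | re.M)
SELOPT_RE = re.compile(r"^\s*SELECT-OPTIONS:?\s+(\w+)\s+FOR\s+(\w+)-(\w+)", re.I | re.M)
SELECT_RE = re.compile(r"\bSELECT\s+(.+?)\s+FROM\s+(\w+)", re.I | re.S)
UNAME_RE = re.compile(r"sy-uname\s*(?:=|EQ|<>|NE)\s*'([^']*)'", re.I)
AUTH_RE = re.compile(r"AUTHORITY-CHECK\s+OBJECT", re.I)


def stage1_validate(programs, tcode_map):
    """Keep programs that have a transaction code; the rest leave the pipeline."""
    passed, errors = [], []
    for name in programs:
        if name in tcode_map:
            passed.append(name)
        else:
            errors.append((name, "no transaction code assigned"))
    return passed, errors


def stage2_recommend(source, table_keys):
    """Candidate authorization fields from selection screen, SELECT lists and table keys."""
    fields = set()
    for m in PARAM_RE.finditer(source):
        typed = m.group(2) or m.group(1)          # prefer the DDIC type over the parameter name
        fields.add(typed.rsplit("-", 1)[-1].upper())
    for m in SELOPT_RE.finditer(source):
        fields.add(m.group(3).upper())           # the table field the select-option ranges over
    for m in SELECT_RE.finditer(source):
        field_list, table = m.group(1), m.group(2).upper()
        if field_list.strip() != "*":
            fields.update(f.upper() for f in field_list.split())
        fields.update(k for k in table_keys.get(table, []) if k != "MANDT")
    return sorted(fields), bool(AUTH_RE.search(source))


def stage3_static_text(source):
    """Hard-coded user names compared against sy-uname."""
    return [m.group(1) for m in UNAME_RE.finditer(source)]


def run_scan(programs=PROGRAMS, tcode_map=TCODE_MAP, table_keys=TABLE_KEYS):
    passed, errors = stage1_validate(programs, tcode_map)
    report = {"errors": errors, "programs": {}}
    for name in passed:
        src = programs[name]
        fields, has_auth = stage2_recommend(src, table_keys)
        report["programs"][name] = {
            "tcode": tcode_map[name],
            "recommended_fields": fields,
            "has_authority_check": has_auth,
            "hardcoded_users": stage3_static_text(src),
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(run_scan(), indent=2))
```

On the constructed input, ZREP_ORPHAN is rejected in stage 1, ZREP_SALES yields the fields ERDAT, VBELN and VKORG with an authority check present, and ZREP_HR yields the PA0002 key fields with no authority check and the hard-coded user JSMITH flagged. The MANDT client field is excluded from key-based recommendations because it is never an authorization field in its own right.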

    The major advantage of the solution is that it tries to achieve minimal interactions between the user and the sys...