
Hazard source customer code

Faulty customer code is a highly critical security risk for SAP systems. Virtual Forge found this out during an Abap Quality Benchmark. Andreas Wiegenstein, CTO of the SAP security provider, explains the biggest vulnerabilities - and what users should do about them.
E-3 Magazine
December 4, 2015
This text has been automatically translated from German to English.

E-3: Mr. Wiegenstein, how did you discover the security gaps in self-written Abap code?

Andreas Wiegenstein: In order to gain transparency about the proportion and quality of customer code in SAP systems, Virtual Forge continuously carries out a global benchmark.

We are currently evaluating the anonymized scans of more than 300 SAP customer systems. Companies of all sizes and industries, primarily in Germany and the USA, were involved in this most comprehensive study of its kind to date.

E-3: What are the most important benchmark results?

Wiegenstein: First of all, we discovered that each SAP production system contains an average of around two million lines of self-written Abap code, which customers use to adapt the standard SAP functions to their business processes.

The fact that we found numerous errors in every customer code without exception that could jeopardize the security and stability of an SAP system is highly alarming.

Around 2,000 critical errors can be assumed per SAP system, which make companies vulnerable to attacks and can also cause problems during compliance audits.

E-3: In which areas are these weaknesses to be found?

Wiegenstein: For the most part, these are poorly programmed or missing authorization checks. These vulnerabilities alone would be enough to cause major damage to a company, as employees can access information without being authorized to do so - a great deal of abuse can be committed.

Even worse, however, is what is to be feared from really serious security errors - the so-called killer bugs - in in-house Abap developments. We have currently discovered an average of 16 of these in every SAP system - significantly more than in previous years.

E-3: What is so dangerous about these "killer bugs"?

Wiegenstein: Every single one of these killer bugs is so critical that it can be exploited by attackers to take complete control of the system.

SAP customer code offers numerous gateways for stealing, deleting or manipulating entire databases and thus, for example, falsifying a company's balance sheet results or completely sabotaging or simply switching off the SAP system.

The economic damage this can cause is enormous. Just think, for example, that the companies affected are liable for any damage caused by the theft of sensitive employee or customer data. At the same time, such incidents can lead to significant reputational damage.

E-3: Do you know how many SAP security incidents are actually caused by defective customer code?

Wiegenstein: Unfortunately, no, because it is usually not possible to fully prove after an attack which vulnerability allowed the attacker to penetrate the SAP system in the first place.

Was it a defect in the customer code, in the SAP standard code or in the system or firewall installation? What makes it even more difficult to analyze the cause is that many companies only discover that their SAP applications have been hacked after some time, for example during routine checks or by chance.

E-3: How do faulty Abap developments occur in the first place?

Wiegenstein: In principle, two groups can be considered as culprits, namely the company's own developers or consulting firms that supply the company with the required SAP enhancements.

Errors can find their way into the customer code unintentionally - for example, through programmers who do not remember to include the necessary authorization checks.

On the other hand, of course, it also happens that errors are deliberately introduced, for example by frustrated employees who want to take revenge on their employer, or by external programmers who use them to gain access to confidential company information.

E-3: So customer code attacks can also be carried out by external hackers?

Wiegenstein: Of course. It is by no means true that SAP systems are only accessible via the internal network, as many SAP administrators still claim.

Our benchmark also comes to the conclusion that only 0.3 percent of in-house Abap developments in a company can be accessed via the Internet. However, several cases have already been reported in which certain Trojans were infiltrated with purchased Abap code, allowing business-critical SAP data to be leaked.

For example, a company received self-written Abap code from an external company that aggregated the results of the accounting runs at the end of each month and sent them to an external e-mail address. A classic case of computer crime!

E-3: How can SAP customers protect themselves against the risks of their own Abap code?

Wiegenstein: As the examples show, conventional precautions such as firewalls, anti-virus software and good passwords are by no means sufficient to close potential gateways to Abap customer code.

It is also not enough for companies to ensure that their employees' roles and authorizations are configured correctly. Rather, targeted strategies and measures are required to clean up the code of errors and avoid future risks.

First of all, it is advisable for customers to subject their in-house Abap developments to thorough scans. This can be done using special testing software that automatically identifies existing errors and risks and, as far as possible, corrects them straight away. Such scans usually only take a few minutes.

E-3: What measures should companies take in the long term?

Wiegenstein: Several approaches need to be taken, both organizational and technical. To prevent errors at the programming stage, in-house developers should undergo special Abap security training and adhere to special programming guidelines, such as those of the German Federal Office for Information Security (BSI).

If code is bought in from outside, companies must ensure that appropriate quality standards are included in contracts with suppliers, checked and also demanded. In addition, SAP in-house developments should no longer go live in future if they still contain errors that are critical for the company.

These requirements also include the prompt installation of SAP security patches and ongoing monitoring of all SAP systems in order to detect attacks as quickly as possible. Despite all precautionary measures, suitable emergency plans are essential in order to counter attacks as quickly and effectively as possible.

E-3: What benefits does your Abap Quality Benchmark offer in this context?

Wiegenstein: Our benchmark is an ongoing study. It aggregates the findings from a large number of anonymized scan results provided to us by SAP customers.

As these figures provide statistical information about the quality of Abap customer code, the more SAP users take part, the more meaningful the benchmark will be. We welcome every company that takes part. Our analysis gives the companies themselves the opportunity to gain an insight into the state of their self-written code in the shortest possible time.

To do this, the customer code of a selected SAP system is scanned in its entirety. As a result, the company receives a test report that shows five examples of errors per error type.

This often reveals vulnerabilities that affect not only the security but also the performance of an SAP system. Our experience shows that many systems are not only more secure after the customer code has been corrected, but also run much more stably and faster.

E-3: Mr. Wiegenstein, thank you very much for the interview.
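The interview names poorly programmed or missing authorization checks as the most common defect class in customer code. As an added illustration that is not part of the interview or of Virtual Forge's material, the constructed Abap report below shows a check whose result is never evaluated beside the corrected form; the authorization object Z_SALARY, its field BUKRS and the table ZSALARY are hypothetical placeholders.

```abap
REPORT zsal_display_demo.

" Constructed example. Authorization object Z_SALARY and table ZSALARY
" are hypothetical placeholders, not objects named in the interview.

DATA lt_sal TYPE STANDARD TABLE OF zsalary.
DATA ls_sal TYPE zsalary.

PARAMETERS p_bukrs TYPE bukrs.

" --- Defective variant: the check is present, but its result is ignored.
" Every user reaches the SELECT, so the check protects nothing. A scanner
" of the kind described in the interview flags exactly this pattern.
FORM show_unchecked.
  AUTHORITY-CHECK OBJECT 'Z_SALARY'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.           " 03 = display
  SELECT * FROM zsalary INTO TABLE lt_sal WHERE bukrs = p_bukrs.
  LOOP AT lt_sal INTO ls_sal.
    WRITE: / ls_sal-pernr, ls_sal-amount.
  ENDLOOP.
ENDFORM.

" --- Hardened variant: sy-subrc is evaluated before any data is read,
" and the check is bound to the concrete company code the user asked for.
FORM show_checked.
  AUTHORITY-CHECK OBJECT 'Z_SALARY'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Type E ends processing here; no database access takes place.
    MESSAGE 'No display authorization for this company code' TYPE 'E'.
    RETURN.
  ENDIF.
  SELECT * FROM zsalary INTO TABLE lt_sal WHERE bukrs = p_bukrs.
  LOOP AT lt_sal INTO ls_sal.
    WRITE: / ls_sal-pernr, ls_sal-amount.
  ENDLOOP.
ENDFORM.

START-OF-SELECTION.
  PERFORM show_checked.
```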
