5 Challenges for CIOs E-book

The Chief Information Officer (CIO) holds responsibility for all IT decisions affecting the company, a task that has increased in complexity in recent years. This e-book reviews five challenges CIOs face when dealing with SAP security, including recommendations for overcoming these challenges.

Battling Trojan Horses in Your SAP® Transports

Changes to SAP production systems through SAP transports pose a high security risk. These potential “Trojan horses” sneak in malicious content or changes, providing a gateway for espionage, data theft and data manipulation. The damage to an affected company can be considerable, ranging from financial and reputation loss to substantial penalties associated with violations of legal data protection regulations.

Nevertheless, many companies are still unaware of the potential dangers of transports for SAP security. In addition, conventional analysis tools are unable to identify the Trojans hidden in SAP transport files. Transport analysis from Onapsis closes this gap with minimal effort.

Download the Battling Trojan Horses in Your SAP® Transports e-book now to learn more.

United States Department of Defense saves time, increases ABAP code quality, and proves it meets DoD standards with Onapsis

Industry – Federal Government
Company Size – 700,000 (civ) 1.4M

Background

The Theater Enterprise-Wide Logistics System (TEWLS) is an SAP software-based application the U.S. Department of Defense (DOD) Health Agency uses to coordinate medical logistics through a single shared data environment to support all armed forces. It was developed by the U.S. Army and adopted by the DOD.

Challenge

Prove SAP® ABAP code was secure and compliant with DOD standards.

Solution

Onapsis code analysis scans ABAP code across all phases of the development process, reporting any vulnerabilities and providing actionable guidance on how to fix them. Low instances of false positives, automated scans, and automatic remediation options significantly reduce the burden on developers to maintain code and prove compliance with DOD standards.

Knowing that vulnerable code could cause an application failure or result in compromising an entire system – which could cost lives – the DOD requires stringent security testing for all software program code before it will grant Authority to Operate (ATO). Because of this, all custom SAP ABAP® applications developed for TEWLS are subject to intense scrutiny.

Unfortunately, TEWLS couldn’t pass the static code scanning and other tests the DOD requires to gain ATO. TEWLS developers needed to be able to prove the security and compliance of their ABAP code, but available tools were insufficient and had many limitations, including false findings, inconsistent results, limited test scope, no integration with SAP, and no remediation instructions for developers.

TEWLS teams wasted valuable resources working through false results and were ultimately unable to prove that their code was secure and compliant to finalize DOD ATO.

  • Scanned and remediated vulnerabilities quickly
  • Decreased number of code corrections required
  • Improved developer skills
  • Reduced effort and time spent on code reviews
  • Ensured all code meets security and compliance requirements

“Onapsis code analysis enables us to prove that our code is secure and compliant … it is accurate, comprehensive and consistent and ensures that all ABAP code meets our high standards.”

CHRISTINE WARRING
TEWLS Sustainment Project Manager, Joint Medical Logistics Functional Development Center (JMLFDC)

Solution

Realizing how much valuable time and resources were being wasted on manual analysis and insufficient tools, which couldn’t help them reach ATO, the DOD started researching automated code scanning options and found their ideal solution with The Onapsis Platform. With Onapsis, the DOD received accurate results, which allowed the TEWLS teams to pass the testing needed to prove their code is safe and secure. Onapsis code assessment is comprehensive and tightly integrated with SAP, and provides detailed remediation instructions when any issues are found. Using data and control flow analysis, modules and content accessed beyond the code selected are also checked for vulnerabilities. This makes the classification of problems more reliable and reduces the number of false-positive reports.

Code analysis from Onapsis can be integrated seamlessly into the various phases of the development process. A freely configurable workflow guarantees that company-specific compliance policies, for the purposes of verification and correction, can be modeled and logged. Integration into the SAP transport system ensures that the defective code doesn’t end up in the production system.

While they are programming new code, developers receive constant, interactive feedback and vulnerabilities are flagged immediately. Onapsis code analysis identifies the problematic statement and immediately classifies the corresponding risk. To provide developers with optimum support for rectifying the problem, proposed corrections are displayed for the specific vulnerability. This direct feedback, plus extensive documentation, works to accelerate the developers’ learning curve.

Maintaining the Security Posture of Oracle E-Business Suite and Other Business-Critical Applications

Onapsis has worked together with the Oracle E-Business Suite (EBS) security team to jointly produce a new white paper about Oracle EBS security.

The white paper discusses how our research team finds vulnerabilities in Oracle EBS and supports Oracle efforts to deliver their Critical Patch Updates. It also includes best practices and details about the need to continually monitor configurations and security settings.

Download the white paper to see how Onapsis and Oracle work together to improve security for Oracle EBS customers.

Top 20 Critical Controls for Cloud ERP Customers

Cloud technologies are being increasingly adopted by organizations, regardless of their size, location or industry. When it comes to business-critical applications, typically known as enterprise resource planning (ERP) applications, it is no different.

A Security-by-Design Approach to Protecting Your Business-Critical Applications

98% OF THE FORTUNE 100 USE SAP OR ORACLE EBS

77% OF THE WORLD’S TRANSACTION REVENUE TOUCHES THESE ERP SYSTEMS

We have seen an escalation in attacks against ERP systems in the recent decade. This has led the U.S. Department of Homeland Security to issue multiple CERT alerts around SAP cyber threats. Traditional approaches don’t do enough to secure the ERP layer.

Download our white paper to learn:

  • The evolution of cyberattacks targeting business-critical applications
  • Why traditional cybersecurity approaches don’t work
  • How to create a programmatic approach to business application cybersecurity