In this five-part blog series, we discuss the importance of building secure business-critical applications with application security testing. In part one, we shared that while speed is the driving force behind application development, on-time application delivery often comes at the cost of secure development. In our second blog, we explained how application security testing can help validate the work of contractors and third-party developers to ensure they are writing high-quality, secure code. This post focuses on how application security testing can check code for errors to ensure it stays clean.
Clean code is code that is easy to understand and follows secure coding best practices to minimize the risk of vulnerabilities. It is critical to scan existing custom-built code to identify and fix vulnerabilities as well as to validate its quality. However, without the right tool, producing clean code can be challenging when faced with the overwhelming demand to build new functionality quickly and get it to production as fast as possible.
Reason 3: Keep Your Code Clean
Organizations that run their business on SAP systems rely on SAP developers to write code and develop custom applications suited to their needs. These developers can be company employees, contractors from third-party consultancies, or systems integrators. Development is done using SAP-specific languages and testing tools, often with aggressive timelines and a lack of automation tools to support those efforts.
The increasing complexity and constant change required to get applications out on time make it difficult for developers to keep pace with requirements. The large volume of customer-specific SAP applications (on average, every SAP system contains two million lines of custom-developed code) also means that manual reviews are impractical, insufficient, and extremely time consuming. In fact, Onapsis Research Labs found a critical security issue as well as a critical performance issue within every thousand lines of code. This translates to roughly 4,000 critical issues per system, and any one of these could result in an undetected security vulnerability. Each of these issues could potentially cause damage to the company's operations, finances, or reputation. Poor code quality can also negatively impact the performance of the system. In both cases, discovering errors late in the development cycle or in production can result in significant cost.
It is critical for organizations to quickly and automatically identify these errors early in the development cycle, before they reach production, in order to properly secure their business-critical applications. In the DevSecOps approach, security and quality errors are identified while developers are still coding. The right tool is key to giving developers real-time feedback as they code, helping them fix issues before they pass the code to the next phase. This prevents security-related issues from being treated as a time-consuming and costly afterthought.
The adoption of secure coding practices removes commonly exploited vulnerabilities and closes off the avenues cybercriminals use to exploit them. Bringing in security from the start helps reduce the long-term costs that may arise if an exploit results in the leak of sensitive information. A recent Onapsis Research Labs threat report found evidence that attackers target and exploit unsecured SAP applications using a variety of tactics, techniques, and procedures (TTPs). These attacks are not simply brute-force attempts. Some attacks chain multiple vulnerabilities together, including new vulnerabilities introduced by custom code, in order to target specific applications for nefarious purposes.
It is critical not only to scan existing custom-built code to identify and fix vulnerabilities; organizations must also continually ensure that new code is built well. Alignment to a standardized cybersecurity framework, such as the NIST Cybersecurity Framework, can help ensure your code stays clean. One of the elements of the NIST Cybersecurity Framework is a set of standards, guidelines, and best practices for managing cybersecurity risk. The goal of this framework is to use business drivers to guide cybersecurity activities and to treat cybersecurity risks as part of the organization's overall risk management process. Organizations should be aware of threats, both internal and external, in published code as well as code still in development, and should be able to convey the potential business impacts and their probabilities for both.
There’s a better way to perform application security testing for your business-critical applications: Onapsis Control. Onapsis Control enables application security testing, including automated code analysis and transport inspection specifically for SAP environments. Control for Code automatically checks custom code for security, compliance, and performance issues. It can be used to identify and automatically remediate issues within existing code as well as identify and remove unused code. Code in development can automatically be analyzed and guidance on issue resolution can be viewed within the development environment. Control for Transports automatically inspects code transports for harmful or incorrectly configured content, including those from third parties. For more information, download our whitepaper.