Powered by Virtual Forge Solutions:
Integrate Security into the Development of SAP HANA Applications
Introduction
Dr. Yun Ding
Product Owner and Developer of CodeProfiler for HANA
Many years of practical experience in security engineering and software development
High performance computing and distributed systems
Practical cryptographic systems
Secure programming in Java and C
Developing SAP HANA applications is challenging
New programming languages: SQLScript, XSJS JavaScript, SAPUI5, Node.js…
New development environments: SAP HANA Studio, Web IDE, …
CodeProfiler for SAP HANA (CP4H)
Detects software errors in early stages of development: reduces cost to repair defects
Integrates into different stages of development lifecycle
Currently scans SQLScript and XSJS JavaScript
Integrated into Eclipse and SAP HANA Studio
Poll question 1
Which languages are most important for your HANA applications?
o SQLScript
o XSJS JavaScript
o SAPUI5
o Node.js
o Others
Poll question 2
Which development environment do you use?
o Eclipse + SAP HANA Tools
o SAP HANA Studio
o SAP HANA Web-based Development Workbench
o SAP Web IDE Personal Edition
o SAP Web IDE for SAP HANA
Components of CodeProfiler 4 HANA
(Diagram: the components Batch Scanner, Eclipse plugin, Finding Manager and Transport Management System Integration, mapped onto the lifecycle phases Requirement, Design, Implementation, Testing, Transition and Maintenance.)
Architecture
(Diagram: Eclipse Plugin, Batch Scanner, HANA Server, Finding Manager and TMS Integration; labelled flows: export HANA packages, upload scan results, query scan results.)
CP4H Eclipse Plugin
“Spell check” in Eclipse editor (Luna, Mars, Neon)
Automatically scans single files: instant feedback
Recursively scans multiple complete HANA packages
Creates PDF reports
CP4H Batch Scanner
Repeated scanning of large number of HANA systems in the console
GUI for building the configuration file
Exports scan results in PDF, XML, CSV, …
Uploads scan results to Finding Manager
HTTPS connections to HANA servers
Encrypts plaintext credentials in the configuration with password-based encryption (PBKDF2)
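As an added example (not CodeProfiler's own code) of the password-based encryption the slide describes: a key derived with PBKDF2-HMAC-SHA256 protects a credential in a configuration file, with a random salt and the iteration count stored beside the ciphertext, and an HMAC tag checked before anything is decrypted. The cipher is an HMAC-SHA256 keystream so the block needs only the standard library; the iteration count, key sizes and "PBE:" token layout are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example (not CodeProfiler's): PBKDF2 iteration
# count and key sizes. Token layout: iterations | salt | nonce | ciphertext | tag.
ITERATIONS = 600_000
KEY_LEN = 32


def derive_keys(password, salt, iterations):
    """PBKDF2-HMAC-SHA256: one master secret, split into encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=2 * KEY_LEN)
    return master[:KEY_LEN], master[KEY_LEN:]


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stdlib-only stand-in for a block cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_credential(password, plaintext, iterations=ITERATIONS):
    """Return a 'PBE:' token; a fresh salt and nonce make every encryption distinct."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt, iterations)
    data = plaintext.encode()
    ct = _xor(data, _keystream(enc_key, nonce, len(data)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    blob = iterations.to_bytes(4, "big") + salt + nonce + ct + tag
    return "PBE:" + base64.b64encode(blob).decode()


def decrypt_credential(password, token):
    """Verify the tag in constant time before decrypting; reject tampering or a wrong password."""
    if not token.startswith("PBE:"):
        raise ValueError("not an encrypted credential")
    blob = base64.b64decode(token[4:])
    iterations = int.from_bytes(blob[:4], "big")
    salt, nonce, ct, tag = blob[4:20], blob[20:36], blob[36:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt, iterations)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered credential")
    return _xor(ct, _keystream(enc_key, nonce, len(ct))).decode()
```

Because the salt is random, the same credential encrypted twice yields different tokens, so an attacker comparing two configuration files cannot tell whether they hold the same password.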
Finding Manager
Client side: browser based, SAPUI5 application
Server side: persists findings and audit trail in SAP HANA database, XSJS JavaScript
Role-based access control for auditing of findings
Workflow of CP4H TMS Integration
(Diagram: transport from the Source HANA System (Development) through CTS+ with CP4H TMS Integration to the Target HANA System (QA/Production).)
1. Release transport
2. Automatic scan by CP4H
3. Quality OK?
3a. Yes: allow transport
3b. No: reject transport
CP4H TMS Integration
Releases or blocks transport requests based on scan status
(Diagram: CP4H Scan Service, Scanner, JCO, ADMIN.)
Enhancements of the CTS+ Transport Organizer
Asynchronous processing of scan requests
Queuing, multiple parallel running CP4H scanners
Enhancement of Transport Organizer
Disclaimer
© 2017 Virtual Forge GmbH. All rights reserved.
Information contained in this publication is subject to change without prior notice.
These materials are provided by Virtual Forge and serve only as information.
SAP, ABAP and other named SAP products and services as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries worldwide.
All other names of products and services are trademarks of their respective companies.
Virtual Forge accepts no liability or responsibility for errors or omissions in this publication. From the information contained in this publication, no further liability is assumed. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of Virtual Forge GmbH, Germany or Virtual Forge Inc. The General Terms and Conditions of Virtual Forge apply.