|  |
|
|
Secure ABAP Programming |
|
|
|
Finally, there is a book on ABAP security. Written by the Virtual Forge employees Andreas Wiegenstein, Dr. Markus Schumacher, Sebastian Schinzel and Frederik Weidemann, it contains best practices for secure ABAP programming. Readers will learn how to identify, mitigate and avoid insecure programming techniques in ABAP. The book covers all relevant ABAP programming styles: classical ABAP, ABAP OO, Web Dynpro ABAP and Business Server Pages.
|
|
|
|
|
|
 |
|
It is available at SAP Press or Amazon, but currently in German language only.
Virtual Forge also maintains a Wiki for this book. If you like to read this book in English, this is where you can raise your voice.
About the book's content:
|
|
| - |
Attack surface of ABAP programs |
| - |
Filtering, Validation, Encoding and Indirection Best Practices |
| - |
Missing and hard-coded authorizations |
| - |
Generic and dynamic ABAP code |
| - |
SQL-Injection, Directory Traversal, System Command Injection |
| - |
Web browsers and other Frontends |
| - |
XSS, XSRF, Forceful Browsing, Phishing, HTTP Response Tampering |
| - |
File and database access |
| - |
SAP GUI, BSPs, Web Dynpro ABAP |
| - |
External user interfaces and systems |
|
|
|
|
|
The primary cause for security defects in business applications is insecure code. ABAP applications are no exceptions. Exploiting security defects in code can have devastating results like data theft, industrial espionage and sabotage.
|
|
|
|
"Unbreakable" ABAP? |
|
|
|
The book demonstrates that although "normal" ABAP programs are written in a pretty robust way, they will always be as insecure as the one remaining defect in the code or in the design that has not been taken care of.
|
|
|
|
The Top Ten of false assumptions |
|
|
|
Verify your assumptions about ABAP security with ten simple questions: You will immediately know, where you should take action.
|
|
|
|
Complete coverage |
|
|
|
Procedural ABAP, ABAP Objects, Business Server Pages or Web Dynpro: In whatever way you write ABAP code, the book shows the corresponding risks and mitigation strategies in a step-by-step way.
|
|
|
|
Detailed Threats |
|
|
|
With this book you will learn about many common threats you should brace your custom applications for: SQL-Injection, Directory Traversal, Cross-Site Request Forgery, ABAP Code Injection and Forceful Browsing – to name a few. Attackers already know how to exploit them …
|
|
|
|
From practical experience for practical use |
|
|
|
Numerous listings, examples and check lists make it much easier for you to write ABAP programs that withstand attacking attempts.
|
|
|
| | | |
|
|
|
|
The free e-mail newsletter from the security experts of Virtual Forge. The issues contain comments and discussions on recent topics & trends about security in the context of business applications. |
|
|  Subscribe | |
|
| | |
| | |
|
|
|
|
CodeProfiler is also available as a service (SaaS) where you can upload your ABAP code in a secure way and get the results online.
|
|
| Go to SaaS | |
|
| | |
|
|
|
|
The free e-mail newsletter from the security experts of Virtual Forge. The issues contain comments and discussions on recent topics & trends about security in the context of business applications. |
|
| Subscribe | |
|
| |
|
- the Newsletter
homepage