Software breaks. That is inescapable. But intent matters too: are the bugs in your software there by accident or by design? Ultimately, where development is concerned, it comes down to trust. All of the factors outlined below influence the behavior of your in-house programming team and of your outsourced or offshore partners.
- Fear of detection
- Fear of punishment
- Personal ethics
- Financial reward relative to punishment (hedonistic calculus)
- Cultural perception of intellectual property
- Degree of negative emotion towards management or colleagues, for example envy, resentment, or a sense of mistreatment or exploitation
Assume for a minute that everyone on your team is the embodiment of high ethical conduct. What are the most common ways that software breaks? A brief review of the CWE/SANS Top 25 Most Dangerous Programming Errors is very instructive and is likely to match the errors in your own ABAP code. They divide into three categories:
- Insecure Interaction Between Components
- Risky Resource Management
- Porous Defenses
Within these categories they list twenty-five weaknesses. Here are some of the most common:
- Improper Input Validation – improper data is accepted as input; for example, numbers are accepted in a field meant for characters, or a field constrained to 5 characters accepts an unlimited number.
- Improper Encoding or Escaping of Output – when data is passed between components, the original input is altered in order to pass an unintended command to the back end.
- Failure to Preserve SQL Query Structure (aka ‘SQL Injection’) – computers do what they are told, not what you want. Queries are modified so that what reaches the database is what the attacker wants, not what the programmer intended. Directly related to the previous error.
- Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’) – a common attack that injects malicious code into web pages viewed by users. Currently the most common vulnerability among publicly reported security flaws.
- Cross-Site Request Forgery (CSRF) – also known as a one-click attack, in which unauthorized commands are sent on behalf of a trusted user after that user has authenticated.
- Race Condition – a flaw in which the output of a piece of logic is delayed long enough that an attacker can write his or her output first and control the result, like the parking space you lost at the mall.
- Error Message Information Leak – detailed information about an error is passed back to the user. This can reveal sensitive information, or information that can be used to exploit the system.
- Improper Access Control (Authorization) – a common problem that violates the principle of least privilege. Users have more authorization than they need to do their work.
- Hard-Coded Password – a password is stored in the source, sometimes to make life easier for the developer; instead it makes life easier for the criminal.
- Insecure Permission Assignment for Critical Resource – world-readable configuration settings. If they exist, your users will find them.
- Execution with Unnecessary Privileges – a program executes with more privileges than it needs to complete its task; malicious users exploit this to get the program to execute other things for their benefit.
How many of the above exist in your ABAP code? What is your degree of confidence?
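Two of the entries above, improper input validation and failure to preserve SQL query structure, are easiest to recognise in ABAP when the weak form and the corrected form sit side by side. The report below is an added example written for this page, not code from the article or from SAP; it assumes an ABAP 7.40 or later system with the standard SFLIGHT flight-data demo table, and the report name, parameter and variable names are constructed for illustration.

```abap
REPORT zsec_dyn_where_demo.
" Added example (not from the article). Uses the SAP flight data model
" table SFLIGHT; the report, parameter and variable names are constructed.

PARAMETERS p_carr TYPE c LENGTH 20.   " carrier ID typed by the user

DATA lt_flights TYPE STANDARD TABLE OF sflight WITH EMPTY KEY.
DATA lv_where   TYPE string.

"--- WEAK: user input is pasted straight into a dynamic WHERE clause.
" A value containing a single quote closes the literal, and the rest of
" the input becomes part of the SQL condition, so the query structure is
" no longer what the programmer wrote ("failure to preserve SQL query structure").
lv_where = |CARRID = '{ p_carr }'|.
SELECT * FROM sflight
  WHERE (lv_where)
  INTO TABLE @lt_flights.

"--- HARDENED 1: static WHERE with a host variable. The value is bound as
" data by the database interface and cannot change the statement.
SELECT * FROM sflight
  WHERE carrid = @p_carr
  INTO TABLE @lt_flights.

"--- HARDENED 2: if the clause really must be dynamic, validate the input
" against the expected character set first ("improper input validation"),
" then let CL_ABAP_DYN_PRG build a correctly quoted literal (any inner
" quotes are doubled) instead of quoting by hand.
IF p_carr CN 'ABCDEFGHIJKLMNOPQRSTUVWXYZ '.   " anything other than letters/blank
  MESSAGE 'Invalid carrier ID' TYPE 'E'.      " stops the report with an error
ENDIF.
lv_where = |CARRID = { cl_abap_dyn_prg=>quote( p_carr ) }|.
SELECT * FROM sflight
  WHERE (lv_where)
  INTO TABLE @lt_flights.
```

When auditing custom ABAP, the pattern to search for is a `SELECT` whose `WHERE`, `FROM` or `ORDER BY` clause is a parenthesised variable built from anything a user, a file or an RFC caller supplied; the first hardened form (a static clause with a host variable) is the preferred fix, and the second is the fallback for genuinely dynamic queries.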
Risk Mitigation
At this point it should be obvious that if you haven’t reviewed your ABAP source code, you have accepted a high level of risk, and a plan of action to reduce it is necessary. A relatively small amount of custom code can be audited internally. For those with larger code bases who also choose to audit internally, the work should be prioritized as follows:
- Potential for Financial Loss
- Mission Criticality
- Degree of External Exposure (downstream and upstream analysis)
- Ease of exploitation of the common programming errors found
As a rule of thumb, the work effort is approximately one day per full-time equivalent (FTE) for each thousand lines of code, so one code auditor working full time would need fifty work days, or just over two calendar months, to examine and remediate 50,000 lines of code.