
ABAP Code Inspector & Security

Former Member
0 Kudos

All:

I am currently looking into the Code Inspector that is built into SAP that allows developers to run tests/checks on their code related to performance, syntax, and as noted "security". I am trying to track down what exactly the "security" is being checked. I am running tests on my internal SAP systems to see how it acts, but I wanted to get any feedback from the security community on a few things:

1) What "security" checks does the Code Inspector actually check for?

2) Is there a location with updated documentation from SAP (not dated 2002) which speaks to the security component, not just mentions it?

3) Any useful use-cases within the security community that your organization/clients are using?

Thanks,

Matt Urban

1 ACCEPTED SOLUTION

Former Member
0 Kudos

You can also enter the keyword from the variant into transaction ABAPDOCU to read more about how it works and why it can be dangerous.

Cheers,

Julius

2 REPLIES 2

mvoros
Active Contributor
0 Kudos

Hi,

If you display a check variant in SCI there is info linked to each node (icon with I). For example, calling a C routine is a security risk. Also, dynamic statements are a good example of a security risk. You need to validate input properly before executing a dynamic statement. Not sure about documentation, but the documentation available in SCI seems OK to me.

On one project we used SCI to check any custom development (not only security). It helped us to increase the quality of custom development, especially with less skilled developers.

Cheers
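
The point about validating input before a dynamic statement, as an added example that is not part of the reply above: a dynamic `SELECT` with the unchecked form commented out beside a checked form. The report name, the parameters and the allow-list contents are hypothetical, `SFLIGHT` and `SPFLI` are the standard flight demo tables, and the sketch assumes a release that ships `CL_ABAP_DYN_PRG` and supports string templates.

```abap
REPORT z_dyn_stmt_demo.  " hypothetical report name

PARAMETERS: p_tab  TYPE string DEFAULT 'SFLIGHT',
            p_carr TYPE string DEFAULT 'LH'.

DATA: lv_tab   TYPE string,
      lv_where TYPE string,
      lv_count TYPE i.

" Unchecked form, left commented out: table name and condition come
" straight from user input, so the user decides what the statement reads.
" lv_where = |CARRID = '{ p_carr }'|.
" SELECT COUNT(*) FROM (p_tab) INTO lv_count WHERE (lv_where).

TRY.
    " Accept only table names on a fixed allow-list (hypothetical list).
    lv_tab = cl_abap_dyn_prg=>check_whitelist_str(
               val       = to_upper( p_tab )
               whitelist = 'SFLIGHT,SPFLI' ).
  CATCH cx_abap_not_in_whitelist.
    MESSAGE 'Table not allowed' TYPE 'E'.
ENDTRY.

" Quote the value so it stays a literal inside the dynamic condition.
lv_where = |CARRID = { cl_abap_dyn_prg=>quote( p_carr ) }|.

SELECT COUNT(*) FROM (lv_tab) INTO lv_count WHERE (lv_where).
WRITE: / lv_tab, lv_count.
```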
