SAP Integration and Certification Center – Security Code Scanning Confirmation
Get a confirmation that you have successfully scanned your ABAP coding with SAP NetWeaver Application Server, add-on for code vulnerability analysis.
Software vendors that have licensed the SAP NetWeaver Application Server, add-on for code vulnerability analysis (CVA) can get a written confirmation from SAP ICC that a given software package has been scanned successfully and that no Prio1 and no Prio2 security issues were detected.
Information and Licensing
As of today, CVA covers 4 of the most important source-code-related topics (according to the OWASP Top 10, see details online) that are not otherwise covered by the SAP ABAP framework:
- A1: injection attacks: SQL, OS or code injection
- A4: insecure direct object references: directory traversal attacks
- A7: missing access control: call transaction without authorization check (ABAP 7.4x only)
- A9: insecure usage of functions of the SAP NetWeaver AS ABAP: unsupported encoding functions against XSS or other attacks
A2, A3 and A8 are already covered by the SAP framework.
For further details on CVA, please read the following SAP Insiders article.
To learn more about licensing possibilities, please contact your assigned Partner Service Advisor (PSA) or contact SAP Test Demo Development Licenses.
- An ICC consultant gives a first introduction to the configuration and usage of CVA within the ABAP Test Cockpit.
- The ICC consultant checks the ABAP coding together with the vendor, remotely on the vendor's landscape.
- The vendor gets a written confirmation from SAP ICC that the coding packages were successfully scanned and that no Prio1 and no Prio2 security issues were detected.
To get the CVA introduction and confirmation service, the vendor must have officially licensed CVA.
The price is 5.000 Euro for one written confirmation covering an arbitrary collection of ABAP coding and objects in one package or transport request.
Integration into ABAP Add-On Deployment Certification
Software vendors that have licensed CVA and have subscribed to the ABAP Service Package can get the service for free as part of every ABAP Add-On Deployment Certification.
For successfully scanned and certified ABAP Add-Ons, SAP would add the confirmation directly on the certificate.
Apply for ICC Services right away: please fill in the SAP ICC online application form.
Certified solutions can be found in the SAP Application Development partner directory.