KuppingerCole Product Research Note
Virtual Forge CodeProfiler
by Prof. Dr. Sachar Paulus | [email protected] | March 2012
Report No.: 70583
Content
1. Executive Summary
2. Highlights
3. Customer Challenges and Industry Status
3.1 Customer Challenges
3.2 Industry Status
3.3 Mapping of Challenges/Status
4. Product Evaluation
5. Success factors
6. Roadmap
7. Vendor and Ecosystem
8. Summary and Recommendation
9. Glossary
1. Executive Summary
Code security analysis has become one of the most important business segments
serving the secure development of software. Products are mature for every
mainstream programming language, and large IT companies have acquired the major
technology innovators in that segment.
There is, though, an area of software development that receives little attention,
although it is quite important for businesses: the so-called customizing of SAP
applications. Customizing an SAP application typically means that new application
pieces are added to the SAP standard offering. In many cases existing modules and
functions are also rewritten at the customer site to fit them to customer-specific
business processes. Customization is therefore really a development activity and
may greatly benefit from code security analysis, specifically for compliance
purposes.
Most SAP customization projects, though, will take place in SAP’s ERP application suite,
and this is mostly written in SAP’s proprietary language called ABAP. There are only a
few companies that offer code analysis for ABAP programs, let alone analysis of the
security of the developed code. Virtual Forge fills this niche with its flagship product
CodeProfiler that analyzes SAP ABAP code for vulnerabilities and, optionally, also for
other code quality aspects.
CodeProfiler has reached a mature status, and is currently in the phase of feature
enrichment, so beyond the capabilities presented today (excellent performance, easy
configuration, predefined content, full integration into SAP development activities)
there will be more beneficial functionalities available soon. The ecosystem has reached
a good level of maturity with worldwide sales and consulting through SAP and IBM and
specific mid-market solution OEM packages.
Security for SAP applications is hard to mandate in real life because of the
relatively central but isolated position SAP holds in most organizations, and even
then most IT specialists understand "SAP security" to mean little more than good
authorization management. Nevertheless, modifying SAP software poses a high
business risk and should be treated with equal care. It is therefore important to
establish (business) stakeholders for SAP security before the value of CodeProfiler
can be fully leveraged.
Overall, Virtual Forge CodeProfiler is an excellent solution for a small but important
niche, and SAP customers that take the risk of code vulnerabilities seriously should
consider the product for an evaluation.
2. Highlights
Strengths:
- Unique offering with highly specialized SAP ABAP know-how
- Automatic fixing of issues available on a project basis
- Also covers non-security domains such as compliance and code quality
- Requirements engineering version of the vulnerability rule set for mandating secure outsourced development
- Integrated into SAP's development processes and practices (transport management, development workbench, analytics)
- Compelling technical roadmap
- Ecosystem sales through IBM and mid-market partners
- Business risk interpretation of every identified vulnerability, with predefined content
- Security researcher program in place
- Report interfaces to all major code quality management tools
- Workflow integration for risk acceptance processes
- In-memory architecture for high-performance analysis
- Fast setup and initial configuration for first analysis results

Challenges:
- Only ABAP-based SAP products and systems are covered
- Configuration on each SAP system required
- The organizational prerequisites for using the product to its full potential are demanding
3. Customer Challenges and Industry Status
3.1 Customer Challenges
3.1 Customer Challenges
SAP software is widely used in almost every industry segment, for a variety of
application areas, such as accounting, production planning or supplier management, to
name a few. A major success factor for SAP software is its excellent flexibility and
extensibility. Many customers apply so-called customizing to modify and/or complement
the shipped standard with individual modifications. From this perspective, SAP software
can be seen not only as standard software but also as a development environment with
pre-existing templates and business structures.
Although SAP has a very good reputation in terms of software security – a recent
benchmarking among members of the SAFECODE initiative reported an excellent status
with respect to the maturity of secure development processes, being 2nd just after
Microsoft – and software quality in general, there is a customer need for checking and
validating the security and quality of code used by customers in SAP systems. In the
classical software development business, this is the area of code analyzers.
Code analyzers try to address the problem that software engineers rarely take
security into account during development. Since 2002, the industry has developed a
number of good secure development practices, for example threat modeling as part
of a secure design process, or secure deployment to ensure that software is securely
configured when in use. Code analyzers help automate testing during development by
analyzing the source code to detect potential vulnerabilities. Code analyzers may be
static or dynamic, depending on whether they take run-time information into account
when performing their analysis.
One might argue that there is no real need for a code analyzer, since SAP systems are
typically used internally at customer sites and no attacker can reach them. This is no
longer true: SAP systems are in most cases well connected to the Internet through a
number of external-facing business process applications. Moreover, SAP systems are
no longer considered esoteric by the hacker community; interest in SAP systems and
how to break into them is growing fast.
A major driver for scanning SAP code is compliance. Since more and more SAP custom
development is outsourced to offshore locations, it is important to check in particular
that security-related aspects have been addressed properly, for example the correct
usage of authorization check statements. Seen this way, code security analysis turns
into a supplier control tool.
3.2 Industry Status
Products in this area have only recently covered code scanning for SAP. Of course, SAP in
the meantime uses all kinds of development languages, notably Java and C#/.NET,
which are covered by mature code scanning solutions. But for decades SAP has used its
own interpreted application language, ABAP, which resembles COBOL with extensions
for object-oriented programming, and code analyzers have only recently begun to
address it.
The code analyzer market is divided into a number of different areas that all overlap
to some degree, specifically in the SAP environment. A major divide is the separation
into security (and compliance) focused code scanners and standard quality-oriented
code scanners.
In the area of security code analyzers, there has recently been a market restructuring,
with some of the major IT players, notably HP and IBM, having acquired specialized code
scanning companies, such as Fortify, Ounce Labs and SPI Dynamics. As such, there is no
large independent security code scanning company available any more. This shows the
great interest of the market in gaining experience in code scanning for improving the
security and quality of software.
3.3 Mapping of Challenges/Status
Fortify, formerly the largest independent vendor of code analyzers, now an HP company,
also has an ABAP scanner. But since the focus of Fortify is to offer scanning engines for
all important software languages, and to allow an integrated view on those, there is
generic support for ABAP scanning, but the focus on integration and interoperability with
SAP specifics such as SAP Transport or SAP BI Analytics is rather limited.
Specifically for SAP, one also needs to consider the services SAP offers as part of its
remote support offering. SAP software ships with a code analysis engine called Code
Inspector that SAP-internal development teams use; it also performs a number of
security checks, and it is free of charge for SAP customers. This solution has two major
disadvantages: it does not scan standard code developed by SAP, although customers
may well modify that code too, and it produces a large number of potential false
positives.
Another product area that needs to be considered is the one of standard quality
application code scanners, such as e.g. CAST software. These vendors target a holistic
view of software quality management and work with KPIs and dashboards. There are a
number of vendors with specifics for SAP, but there is little focus on security and
compliance until now.
Consequently, there are relatively few alternatives for SAP customers who wish to use a
code analyzer for SAP ABAP code, and there is currently only one vendor, Virtual Forge,
that is both experienced in scanning code for vulnerabilities as well as used to the
specifics of running SAP applications. As such, Virtual Forge CodeProfiler presents a
strong USP, since it can be used to perform code security analysis in SAP environments
the way that ABAP developers are used to.
4. Product Evaluation
The CodeProfiler product uses data and control flow analysis in combination with a
comprehensive rule set that covers many data sources and dangerous ABAP
statements to identify potential issues.
Data flow analysis first identifies data sources, i.e. code locations where (external,
untrusted) data is read into variables. It then analyzes whether there is any
connection between a data source and a potentially dangerous statement (a sink).
An identified connection (data flow) that is not interrupted by a validating or
escaping step indicates that the dangerous statement is most likely exploitable. The
data flow analysis is built on a grammar written specifically for the ABAP language.
Data flows are modeled as relations and can be traversed in both directions, from
dangerous statements back to input fields and vice versa.
In addition to data and control flow analysis, the product applies further sanity tests
such as type checks, authority checks, usage of regular expressions, etc. As a result
the product can prioritize the findings so that the mitigation process becomes more
efficient.
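To make the source/sink mechanism concrete, here is an added example in Python (not part of the original report and not Virtual Forge code): a minimal forward taint propagation over a constructed ABAP fragment, with a backward trace from each hit to its origin for the report. The PARAMETERS source, the two sink patterns, the escape_quotes sanitizer and the sample program are this example's own assumptions, not CodeProfiler's rule content.

```python
"""Source-to-sink data flow analysis over a constructed ABAP fragment.

Added example, not Virtual Forge code. Untrusted inputs (PARAMETERS) are
tracked forward through assignments into dangerous statements, and each hit
is traced backward to its origin. The rule set (one source, two sinks, one
sanitizer) and the sample program are deliberately small assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: an injectable dynamic WHERE clause, the same clause
# built from an escaped value, and an untrusted file name in OPEN DATASET.
SAMPLE_ABAP = """\
REPORT z_dataflow_demo.
PARAMETERS p_carr TYPE s_carr_id.
PARAMETERS p_file TYPE string.
DATA lv_where TYPE string.
DATA lv_safe TYPE string.
DATA lt_flights TYPE TABLE OF sflight.
CONCATENATE 'CARRID = ''' p_carr '''' INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
lv_safe = cl_abap_dyn_prg=>escape_quotes( p_carr ).
CONCATENATE 'CARRID = ''' lv_safe '''' INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""

# Assumed rule set; a real product ships hundreds of such patterns.
SOURCE_RE = re.compile(r"^PARAMETERS\s+(\w+)", re.I)
CONCAT_RE = re.compile(r"^CONCATENATE\s+(.*?)\s+INTO\s+(\w+)", re.I)
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
SANITIZER_RE = re.compile(r"cl_abap_dyn_prg=>escape_quotes\(\s*(\w+)\s*\)", re.I)
SINKS = {  # sink kind -> pattern whose group 1 is the operand to inspect
    "sql_injection": re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I),
    "path_traversal": re.compile(r"^OPEN\s+DATASET\s+(\w+)", re.I),
}
SANITIZES = "sql_injection"  # escape_quotes neutralises only the SQL sink
LITERAL_RE = re.compile(r"'(?:''|[^'])*'")  # ABAP text literal, '' escapes '


@dataclass(frozen=True)
class Taint:
    sources: frozenset      # PARAMETERS the value derives from
    neutralised: frozenset  # sink kinds the value has been made safe for
    defined_at: int         # line of the defining statement
    deps: tuple             # (name, Taint) of the variables that were read


def _deps(env, text):
    """Every tracked variable referenced in `text`, with its taint as of now."""
    return tuple((v, env[v]) for v in re.findall(r"\w+", text) if v in env)


def _define(env, var, deps, lineno, sanitised_for=None):
    """Record an assignment: sources are the union of the inputs; the result
    is safe for a sink only if every input was, or it was just escaped."""
    sources = frozenset().union(*(t.sources for _, t in deps))
    neutralised = (frozenset.intersection(*(t.neutralised for _, t in deps))
                   if deps else frozenset())
    if sanitised_for:
        neutralised = neutralised | {sanitised_for}
    env[var] = Taint(sources, neutralised, lineno, deps)


def backtrace(var, taint):
    """Backward pass: walk the definition chain from the sink operand back to
    the PARAMETERS statement(s), as 'variable@line' steps."""
    path = [f"{var}@{taint.defined_at}"]
    for name, t in taint.deps:
        path.extend(backtrace(name, t))
    return path


def analyse(program):
    """Forward pass over a straight-line program (no branches, loops or
    calls: a simplification): propagate taint, report unneutralised sinks."""
    env, findings = {}, []
    for lineno, raw in enumerate(program.splitlines(), 1):
        stmt = LITERAL_RE.sub("", raw.strip().rstrip(".")).strip()
        if m := SOURCE_RE.match(stmt):
            env[m[1]] = Taint(frozenset({m[1]}), frozenset(), lineno, ())
        elif m := CONCAT_RE.match(stmt):
            _define(env, m[2], _deps(env, m[1]), lineno)
        elif m := ASSIGN_RE.match(stmt):
            san = SANITIZER_RE.search(m[2])
            _define(env, m[1], _deps(env, m[2]), lineno, SANITIZES if san else None)
        else:
            for kind, rx in SINKS.items():
                if (m := rx.search(stmt)) and m[1] in env:
                    t = env[m[1]]
                    if t.sources and kind not in t.neutralised:
                        findings.append({"line": lineno, "sink": kind,
                                         "sources": sorted(t.sources),
                                         "path": backtrace(m[1], t)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_ABAP):
        print(f"line {f['line']}: {f['sink']} from {f['sources']} "
              f"via {' <- '.join(f['path'])}")
```

Run stand-alone, it reports two flows: the dynamic WHERE clause built directly from p_carr (line 8) and the file name handed to OPEN DATASET (line 12); the clause built from the escaped value (line 11) is not reported because the sanitizer marked it safe for that sink only. A product-grade analyzer resolves control flow, procedure calls and data dictionary types on top of this skeleton.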
An important differentiator of the product is that it does not only identify security
vulnerabilities, but does moreover recognize other types of issues related to different
domains, such as compliance, maintainability, robustness and performance. As such,
CodeProfiler already covers a large set of non-functional aspects and can therefore
not be considered as being a pure security tool. It is rather a more generic code
analysis tool that enables organizations to produce code of good quality.
The CodeProfiler product offers the full set of functionality that enables organizations
that develop SAP ABAP code not only to discover vulnerabilities, but also to fix them
and stay in control of the corrected software during the development lifecycle. To
achieve this goal, CodeProfiler is completely developed in a way to make use of and
thus integrate into the standard maintenance tools offered by SAP, such as the
transport management system, the development workbench or the analytics
framework.
In SAP landscapes, software is "transported" from development systems to test
systems, and from test systems to production systems. To gain control over the
code, CodeProfiler comes with an extension to the standard transport management
system that requires explicit approval before code with identified findings can be
transported. Potentially dangerous code can thus still be released (e.g. under risk
acceptance criteria), but the approval is documented for compliance reasons. In this
way CodeProfiler acts like an application-level firewall between the deployment
stages of an SAP landscape, scanning for vulnerabilities or bad programming practice.
The major development environment for ABAP applications, the development
workbench, is extended to contain CodeProfiler scanning functionality, so that
developers can check the sanity and code quality of their modules on the fly. It is also
possible (e.g. in case CodeProfiler is used by an auditor) to use CodeProfiler in batch
mode; in this case it is very easy to configure CodeProfiler operations with SAP
standard tools.
CodeProfiler moreover allows displaying the results in a dashboard fashion. This is
important to enable managers to rapidly grasp the situation, and be alerted to focus
on the real critical aspects of a scanning report. To achieve this, CodeProfiler makes
use of the standard SAP BI analytics functionality coming with SAP systems. These can
be displayed within the SAP system, with drill down functionality, or automatically
sent in office or PDF formats to specific users.
Besides the integration into the standard SAP tools and frameworks, both the
configuration as well as the results can also be used with specialized, external tools,
such as IBM Rational, Basis Technologies Transport Express, REALTECH’s theGuard!,
and of course with the standard SAP maintenance tool SAP Solution Manager.
The initial configuration of CodeProfiler for one target SAP system is fast. There is
no need to configure rule sets, since these come with the product. Within a few
hours, a CodeProfiler installation can be up and running in productive mode. A
drawback, though, is that the product must be configured separately on each SAP
system. The configuration information can be transported automatically from one
system to another, but it still needs to be adapted to system-specific needs.
The separate configuration is a consequence of CodeProfiler's technical
architecture, which is optimized for speed and flexibility and separates
configuration and report elements from the pure scanning engine. The scanning
engine runs on a separate system (standalone, Java-based, no Java application
server needed) and has no user interface. Multiple instances on the same or
different machines can be used to parallelize the scanning process with round-robin
scheduling. All input/output management and configuration is kept on the SAP system
to be analyzed. Communication between the SAP systems and the scanning engines
is realized via RFC, using pre-defined users with dedicated authorizations.
The scanning engine uses an in-memory architecture to boost the scanning process
which allows it to scan up to several thousand code lines per second, with up to 200
Million code lines in a scanning block in-memory. As a reference, a large
multinational organization scans all SAP ABAP code in all its systems (several hundred)
once a week. The major benefit of using CodeProfiler is, though, that the results can
be correlated to business risk. In comparison to many other code scanning tools that
identify potential security weaknesses, CodeProfiler allows associating a business risk
to each finding; this is in part due to the nature of the ABAP language, and in part to
the research work of Virtual Forge that associates a business risk to every identified
finding.
Furthermore, to keep false positives from drowning out real issues, CodeProfiler goes
beyond the usual probability-and-impact presentation and separates findings into
categories: those that are definitely flaws (probability above 95%) and two sub-types
of findings with lower probability. Within each of these groups, prioritization is then
done solely by (business) impact. An additional feature, currently only available on
request as project work, is the ability to fix issues automatically. According to first
real-life analyses, up to 70% of findings (mostly common mistakes such as forgotten
authorization checks or insecure direct object references) can easily be fixed
automatically. This also works for findings in the non-security domains.
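As an added example (not the report's and not Virtual Forge's code) of how the triage just described and the transport approval step described earlier in this section fit together, the following Python sketch orders findings by certainty group and then by impact, and gates a transport request on documented risk acceptances. It binds each acceptance to a fingerprint of the flagged statement rather than to a line number, so that an acceptance does not silently survive a change to the code it covered. The group names, rule ids, sample findings, approver names and the transport request id are assumptions of the example.

```python
"""Finding triage and transport gate: an added example, not CodeProfiler code.

Two points from the text are modelled: findings are ordered by certainty
group first and by business impact only within a group, and a transport
carrying findings is released only with a documented risk acceptance. The
group names, rule ids, record layout and fingerprint scheme are assumptions.
"""
import hashlib
from dataclasses import dataclass

# Assumed names for the three groups: "definite" (> 95% probability) and two
# lower-probability sub-types. Lower rank sorts first.
CERTAINTY_RANK = {"definite": 0, "probable": 1, "possible": 2}
IMPACT_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    obj: str         # ABAP object: report, include, class
    line: int
    rule: str        # rule id (names assumed for this example)
    statement: str   # the flagged statement text
    certainty: str
    impact: str

    def fingerprint(self):
        """Identity that survives line shifts and whitespace changes but not
        an edit of the flagged statement, so a risk acceptance cannot
        silently carry over to code that has since changed."""
        norm = " ".join(self.statement.split()).lower()
        raw = f"{self.obj}|{self.rule}|{norm}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def prioritise(findings):
    """Certainty group first, business impact second, then a stable order."""
    return sorted(findings, key=lambda f: (CERTAINTY_RANK[f.certainty],
                                           IMPACT_RANK[f.impact], f.obj, f.line))


def accept_risk(finding, approver, justification):
    """The documented acceptance an auditor later sees; bound to the
    finding's fingerprint, not to its line number."""
    return {"fingerprint": finding.fingerprint(), "object": finding.obj,
            "rule": finding.rule, "approver": approver,
            "justification": justification}


def gate_transport(request, findings, acceptances):
    """Release a transport only if every 'definite' finding has a matching
    acceptance; lower-certainty findings are counted but do not block."""
    accepted = {a["fingerprint"] for a in acceptances}
    blocking = [f for f in prioritise(findings)
                if f.certainty == "definite" and f.fingerprint() not in accepted]
    return {"request": request,
            "status": "rejected" if blocking else "released",
            "blocking": [f"{f.obj}:{f.line} {f.rule} ({f.impact})" for f in blocking],
            "open_lower_certainty": sum(f.certainty != "definite" for f in findings)}


# Constructed findings for one transport request (object and rule names assumed).
SAMPLE_FINDINGS = [
    Finding("ZFI_POSTING", 120, "MISSING_AUTHORITY_CHECK",
            "CALL TRANSACTION 'FB01' AND SKIP FIRST SCREEN", "definite", "high"),
    Finding("ZSD_SEARCH_INC", 44, "DYNAMIC_WHERE_CLAUSE",
            "SELECT * FROM vbak INTO TABLE lt_orders WHERE (lv_where)", "probable", "high"),
    Finding("ZFI_POSTING", 200, "DYNAMIC_FILE_NAME",
            "OPEN DATASET lv_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT", "definite", "medium"),
    Finding("ZUTIL_DEBUG", 10, "HARDCODED_USER_CHECK",
            "IF sy-uname = 'DEVELOPER'", "possible", "low"),
]


def demo():
    """Walk one request through the gate; returns the four decisions."""
    first = gate_transport("DEVK900123", SAMPLE_FINDINGS, [])
    acc = [accept_risk(SAMPLE_FINDINGS[2], "fi.owner", "file name fixed by config, reviewed")]
    second = gate_transport("DEVK900123", SAMPLE_FINDINGS, acc)
    acc.append(accept_risk(SAMPLE_FINDINGS[0], "fi.owner", "authorization enforced upstream"))
    third = gate_transport("DEVK900123", SAMPLE_FINDINGS, acc)
    # The accepted OPEN DATASET statement is edited: the acceptance no longer applies.
    edited = list(SAMPLE_FINDINGS)
    edited[2] = Finding("ZFI_POSTING", 205, "DYNAMIC_FILE_NAME",
                        "OPEN DATASET p_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT",
                        "definite", "medium")
    fourth = gate_transport("DEVK900124", edited, acc)
    return first, second, third, fourth


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The first decision is rejected with two blocking findings, the second still rejected because only one of them was accepted, the third released, and the fourth rejected again because the accepted statement changed and its fingerprint with it. Lower-certainty findings never block but are counted so they do not disappear from the report.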
5. Success factors
To use the product successfully, a number of conditions need to be met.
First of all, one needs a recipient of the scanning reports, i.e. someone who is
interested in the results of the scanning process and who will take and/or initiate
action to fix the issues identified. This is by no means trivial. In many organizations
taking care of SAP operations, there is no one responsible for security or even quality.
On the other hand, most Information Security Officers, while often being responsible
for overall Information Security, do not have a handle on the security of SAP systems.
In such cases, first CodeProfiler results may create some awareness of the
problem, but to improve the situation sustainably a corresponding responsibility
needs to be established first.
Second, the SAP operations team needs to support the installation and operation of
CodeProfiler. Due to its restrictive nature, specifically regarding the compliance
approval step in the transport management, in many cases it might get rejected by
developers or even system administrators in the first place. So either there is support
from the operations team that is convinced about the value of the tool, or senior IT
management needs simply to mandate it.
Last, and this is specifically important when CodeProfiler is used with outsourced
SAP development, it is of little value to check for security issues, or for findings
from other non-functional domains, if no corresponding requirement has been
communicated to the outsourcing partner. Correspondingly, Virtual Forge offers
customers a "requirements" version of its rule set that can be added to
outsourcing contracts.
6. Roadmap
The current roadmap of the CodeProfiler product can be divided into three
development directions: extension of the non-security aspects, integration of dynamic
code analysis elements and automatic correction.
The existing capabilities of the product in terms of non-functional requirements other
than security will be further extended. Among others, compliance-related aspects
specifically will be improved, such as EuroSOX or Basel II testing patterns.
Since the primary technology used is data flow analysis, there is an inherent risk of
many false positives. An important approach to reducing their number further is to
use run-time information to check identified potential flaws against the actual usage
context. In SAP systems this can primarily be done using the so-called Data
Dictionary (DDIC). This also makes coverage analysis possible and so enriches the
risk quantifiers for a better risk ranking of the findings.
An existing feature that is currently only available on a project-per-project basis is
auto-correction. For vulnerabilities or other findings that may allow for some
automatic code correction (such as, e.g., adding an authorization check depending on
the calling module), corresponding code is inserted automatically. There is ongoing
research to extend this capability to a substantial number of detected vulnerabilities.
Overall, the roadmap is compelling technology-wise and, since customers have
initiated most of these developments, this shows the great interest of the market in
advancing the corresponding capabilities. The company Virtual Forge is in a typical
feature enrichment phase, and as long as customers mandate these incremental
innovations, there is room for growth. One might, though, be a bit skeptical about
the absence of non-ABAP code analysis technology, since the SAP portfolio grows year
over year, and the fraction of ABAP code is, although huge in size, shrinking slowly.
7. Vendor and Ecosystem
Virtual Forge was founded in 2001 in Mannheim, Germany, and started as an SAP
security code analysis consulting company. Over time, Virtual Forge has developed
into a product vendor by productizing its experience in scanning ABAP programs.
Recently, Virtual Forge was named "Cool Vendor" by one of the leading analyst
firms, for the reason that the company fills a niche that even the software vendor
SAP does not address.
Virtual Forge's financial success is based on organic growth, with a turnover of EUR 3
million in 2010. The company strategy is to offer a complete solution for SAP ABAP
specific code scanning. The company is privately owned, and the operating margin is
invested year after year into growth. The internal structure is optimized for short
product cycles, including agile development processes to integrate customer
requirements early in the process. A customer community management program is in
preparation.
The sales strategy of Virtual Forge is a mixed model between direct sales (primarily
Germany and central Europe, soon U.S.) and indirect sales. The product is available
through IBM’s global software business and as an OEM version specifically tuned for
the mid-market via REALTECH. The solution sold by IBM fits the other offerings in that
area well (specifically IBM Rational AppScan, formerly Ounce Labs) and the results are
displayed in the IBM Rational dashboard tools. For international customers, the first
level support is available through IBM on a worldwide basis.
Existing customers range from large SMEs to multinational corporations. The
main application area is scanning ABAP code developed by SAP customers during the
so-called customization of SAP systems. Scanning code of third-party software and
modified code of the SAP standard are fast growth areas. SAP itself uses CodeProfiler,
both for SAP-internal applications as well as for SAP product development.
The predefined content that comes with CodeProfiler is the result of joint research
activities with the SAP security researcher community. A specific research
department within Virtual Forge actively searches for SAP/ABAP vulnerabilities,
performs analysis and identifies potential countermeasures. This content is fed into
the product; these descriptions are updated twice per year. In parallel,
vulnerabilities are published according to a responsible disclosure strategy to inform
SAP customers in general. An interesting service is that customers, to mandate secure
coding from coding subcontractors, can also use this content in a version to be added
to their contracts.
To get CodeProfiler up and running some configuration is needed. To cover this
consulting demand, Virtual Forge has a small consulting group, but also works with
companies like akquinet, REALTECH, Adventier (USA) or – via the international
software sales – IBM. Virtual Forge’s ecosystem has become well developed over the
last few years. The switch from a consulting to a product company, although typical
for European startups to assure organic growth, has its pitfalls specifically with
regards to the partner landscape. But ultimately, the move to partner with IBM for a
worldwide sales and consulting offering shows a strong maturity in that respect.
8. Summary and Recommendation
To sum up, CodeProfiler from Virtual Forge is a unique product, covering a niche
market that has been left over by SAP. One might argue that other programming
languages are not supported, but the value of CodeProfiler is exactly the high level of
adjustment to SAP ABAP specific risks. The in-memory architecture is optimized for
high industrial usage, indicating professional software development. The breadth of
options for operating the product shows the interest of customers, specifically
running it integrated into their standard maintenance and development processes.
Finally, with the reselling agreement with IBM, CodeProfiler shows strong market
maturity.
Consequently, and since there is no real alternative to the product, companies
interested in scanning newly developed or modified SAP code should definitely have
a look at CodeProfiler, or at its mid-market OEM version shipped with REALTECH
theGuard!.
9. Glossary
Code Security Analysis: The process of analyzing source code of software in order to
identify potential security weaknesses.
SAP Customizing: The process of adapting standard SAP software to the specific
requirements of a customer. Often includes modification of original code and addition
of new code.
Software Transport: The process of moving code from one development stage to the
next, e.g. from “test” to “production”.
Security Researcher Program: A program of a software manufacturer to keep in
touch with security researchers that try to identify vulnerabilities in code.
Quoting information and data from Kuppinger Cole Ltd.: Individual sentences and sections may be used in internal
documents and presentations exclusively for internal communication within the company without the explicit
permission of Kuppinger Cole Ltd. Use of large sections or the complete document requires previous written
permission from Kuppinger Cole Ltd. and may include the payment of royalties. External publication of documents
and information by Kuppinger Cole Ltd. in advertisements, press reports or other marketing material generally
requires previous written permission from Kuppinger Cole. A draft of the relevant documents should be provided.
Kuppinger Cole Ltd. reserves the right to refuse external use for any reason. © Kuppinger Cole Ltd. 2004-2012.
Reproduction forbidden unless authorized. For additional copies, please contact [email protected]
The Future of Information Security – Today.
KuppingerCole supports IT professionals with outstanding expertise in
defining IT strategies and in relevant decision making processes.
As a leading analyst company KuppingerCole provides first-hand
vendor-neutral information. Our services allow you to feel comfortable
and secure in taking decisions essential to your business.
Kuppinger Cole Ltd.
Headquarters
Arnheimer Str. 46
D-40489 Düsseldorf | Germany
Phone: +49 (211) 23 70 77 – 0
Fax: +49 (211) 23 70 77 – 11
www.kuppingercole.com
KuppingerCole, founded in 2004, is a leading Europe-based analyst company for
identity-focused information security, both in classical and in cloud environments.
KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view
on these information security market segments, covering all relevant aspects like
Identity and Access Management (IAM), Governance, Risk Management and
Compliance (GRC), IT Risk Management, Authentication and Authorization, Single
Sign-On, Federation, User Centric Identity Management, eID cards, Cloud Security
and Management, and Virtualization.
For further information, please contact [email protected]