Tools
From Secure ABAP
We know of many tools that can be used to identify vulnerabilities in your ABAP code. We have organized the list according to the structure of the development cycle, as discussed in the book in the chapter "Methodologies and Tools for Developing Secure Software" (page 65 ff). This list is a work in progress and we are happy to add more content; just get in touch.
Specification: Threat Modeling
Freemind
Freemind is an open-source tool for creating mindmaps. It's written in Java and has a comprehensive set of shortcuts, so you can use it to document complex structures in a short timeframe. This approach, however, requires sound knowledge of threat modeling, since the tool offers no templates or documentation for creating threat models. The tool can be downloaded here.
Microsoft Threat Modeling Tool
The Microsoft Threat Modeling Tool contains predefined content for threat modeling. However, it's not as flexible as Freemind, so there are some limitations on using the tool in SAP-related threat scenarios. The tool is available here.
Design and Implementation: Libraries
SAP Cryptolib
The SAP Cryptolib is needed to encrypt data transmitted to the SAP Application Server. You can download the library from the SAP Service Marketplace. If you want to use HTTPS or SNC, you must install the SAP Cryptolib. Due to export restrictions, the SAP Cryptolib is not installed by default in some SAP systems.
Output Encoding Library
The SAP ABAP standard provides an encoding library. The class CL_HTTP_UTILITY provides several encoding functions that are needed to implement protection against Cross-Site Scripting attacks. The library has been available since Kernel-Patch 87 for Basis 6.40 and Patch 21 for Basis 7.00. SAP Note 866020 provides more information.
