Cloud computing was not designed for security, although organizations such as the Cloud Security Alliance (CSA) and the Open Web Application Security Project (OWASP) are making great strides in helping the industry solve the myriad security problems confronting cloud computing. The benchmark guidelines established by the CSA in the document Guidance for Critical Areas of Focus in Cloud Computing are a great first step. This white paper is intended to pick up where the CSA guide left off in terms of defining what a distributed web application firewall (dWAF) should look like in order to meet the standards set within the CSA document.
CODEPROFILER from Virtual Forge is a tool for automated security analysis of ABAP source code. ABAP is one of the most powerful and widely used high-level languages for business applications. SAP customers have developed large ABAP programs of their own, which are the backbone of their companies' IT landscapes. A key question in these companies is therefore how to measure the security quality of custom code in complex, constantly changing IT landscapes. The only effective way to control security risks in large and constantly changing amounts of code is automated source code analysis.

CODEPROFILER is the first product worldwide that provides automated security testing for ABAP, BSP and Web Dynpro ABAP applications. Its database contains patterns of the relevant (in)secure coding practices for ABAP. That database, combined with the unique analysis engine, enables CODEPROFILER to find known insecure coding practices in ABAP programs with very high reliability.
CODEPROFILER captures the know-how, methodology and best practices of more than 6 years of in-depth SAP security analysis and research. The results of the tool are presented in comprehensive reports that show the impact of vulnerabilities, where they appear and how you can fix them.
Besides these reports, the security vulnerabilities are exported in an XML file, which is imported as a proposal for security rules into the Web application firewall hyperguard from art of defence.
hyperguard is a software-based, latest-generation enterprise Web application firewall with freely configurable attack detection and attack protection functions. It enables centralized security monitoring, reporting and alerting, and provides custom protection for your Web applications against external attacks.
hyperguard can be used in a highly flexible way, and with its cluster capability and client-capable administration it is also suitable for protecting large, distributed Web infrastructures. Available as a plug-in for all common Web servers and Java EE application servers, as well as for many other infrastructure products, or as a virtual appliance, hyperguard offers very flexible deployment. It runs invisibly without an IP address of its own and is therefore protected from direct attack.
By combining CODEPROFILER and hyperguard, you can implement immediate protection for SAP applications. The integrated solution allows the source code to be fixed with less stress, within a scheduled maintenance timeframe. Customers can also realize a "Pre-Vendor-Patch" and run their applications with less risk. In addition, the solution helps you minimize new vulnerabilities, since mitigation projects do not need to be scheduled under time pressure. Beyond the Web topics in SAP environments, protection of RFC and SAP GUI applications can also be achieved. In total, the combined solution protects against security bugs and guarantees medium-term code quality (compliance for secure programming).