Which applications are particularly vulnerable?
One of the distinguishing features of SAP applications is that they can be adapted precisely to the needs and processes of each individual company through custom coding. Through defined extension points (customer exits, in SAP terms), developers can write their own ABAP code to modify the standard applications or to implement their own processes.
But it is precisely this flexibility that carries great risks. To understand why, you have to know the conditions under which custom coding is usually developed. Most projects run on a tight budget and have to be completed quickly. Quality assurance usually tests only the desired functionality; code quality and program security are often ignored.
The main reason for this lack of quality assurance is that most companies simply don't have enough personnel to ensure that good coding practices are adhered to. This is especially true when many developers, both internal and external, are working through a huge amount of code conversions in large initiatives such as S/4HANA implementations (brownfield, bluefield or greenfield). Best practices are usually well known, and often there are even programming guidelines, but the people in charge rarely have the time to check whether the developers actually follow them.
How code reviews increase program security
This is where code reviews come into play: specially trained consultants accompany the implementation process. They scan the custom code for anomalies and are thus able to uncover unsafe coding practices, potential security gaps and misconfigurations before they reach production, so that, for example, an SQL injection in a dynamically built WHERE clause never becomes exploitable in the first place.
And even if bad coding doesn't lead to intentional system manipulation: losing the ability to upgrade the system because poor custom code blocks the release change often results in an enormous increase in project costs.
Another critical aspect of SAP system security is authorization management. In our experience, 20% of custom code has no authorization checks at all, and another 50% has incorrect or inadequate checks. If this code is carried over unchanged into the new S/4HANA system during a brownfield migration, the security vulnerabilities often remain undetected in the system for years. A professional code review therefore also covers the presence and correctness of authorization checks.
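The two findings described above, the injectable dynamic WHERE clause and the missing authorization check, look like this in practice. The following is an added example, not code from the original article or from SAP: one custom report in two versions, the one a review typically finds and the one it asks for. It assumes the SAP flight demo model (table SFLIGHT and authorization object S_CARRID with fields CARRID and ACTVT); the report name, the local class and the method names are hypothetical.

```abap
" Added example (not from the original article): the same read of
" flight data written the way a review often finds it and the way a
" review asks for it. Assumes the SAP flight demo model (SFLIGHT,
" S_CARRID); report, class and method names are hypothetical.
REPORT zflight_review_demo.

TYPES ty_input TYPE c LENGTH 40.
PARAMETERS p_carrid TYPE ty_input LOWER CASE.

CLASS lcl_flights DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS read_unsafe IMPORTING iv_input TYPE ty_input.
    CLASS-METHODS read_safe   IMPORTING iv_input TYPE ty_input.
ENDCLASS.

CLASS lcl_flights IMPLEMENTATION.

  " --- Version 1: both findings at once ---------------------------------
  " No AUTHORITY-CHECK, and the input is pasted into a dynamic WHERE
  " clause. Entering   ' OR CARRID <> '   as the carrier turns the clause
  " into   CARRID = '' OR CARRID <> ''   and returns every flight.
  METHOD read_unsafe.
    DATA lt_flights TYPE STANDARD TABLE OF sflight.
    DATA(lv_where) = |CARRID = '{ iv_input }'|.

    SELECT * FROM sflight
      WHERE (lv_where)
      INTO TABLE @lt_flights.

    LOOP AT lt_flights INTO DATA(ls_flight).
      WRITE: / ls_flight-carrid, ls_flight-connid, ls_flight-fldate.
    ENDLOOP.
  ENDMETHOD.

  " --- Version 2: what the review asks for ------------------------------
  METHOD read_safe.
    DATA lt_flights TYPE STANDARD TABLE OF sflight.
    " Typed value (3 characters) instead of free text.
    DATA(lv_carrid) = CONV s_carr_id( iv_input ).

    " Authorization check before any data access: display (ACTVT '03')
    " on this carrier. sy-subrc <> 0 means the user may not see it.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD lv_carrid
      ID 'ACTVT'  FIELD '03'.
    IF sy-subrc <> 0.
      MESSAGE 'No display authorization for this carrier' TYPE 'E'.
    ENDIF.

    " Static WHERE with a host variable: the value is bound as data and
    " can never be interpreted as part of the statement.
    SELECT * FROM sflight
      WHERE carrid = @lv_carrid
      INTO TABLE @lt_flights.

    " If a dynamic clause is truly unavoidable, quote the value instead
    " of concatenating it:
    "   lv_where = |CARRID = { cl_abap_dyn_prg=>quote( lv_carrid ) }|.

    LOOP AT lt_flights INTO DATA(ls_flight).
      WRITE: / ls_flight-carrid, ls_flight-connid, ls_flight-fldate.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  lcl_flights=>read_safe( p_carrid ).
```

Both findings are easy to spot mechanically: a `SELECT ... WHERE (lv_var)` whose variable is built from user or interface input, and a data-access method or FORM with no `AUTHORITY-CHECK` (or one whose `sy-subrc` is never evaluated) anywhere on its call path. A short input field on the selection screen is not a defense, because the same code is routinely reused behind RFC function modules and OData services that pass unconstrained strings.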