
1000 Projects later: Security Code Scans at SAP

by Rüdiger Bachmann and Achim D. Brucker

Static Code Analysis (SCA) is an important means for detecting software vulnerabilities at an early stage in the software development lifecycle. The wide-spread introduction of static code analysis at a large software vendor is challenging. Besides the technical challenges, e.g., those caused by the large number of software development projects, the large number of programming languages in use (e.g., ABAP, C, Objective-C, ...), and the use of dynamic programming models such as HTML5/JavaScript, there are also many non-technical challenges, e.g., creating security awareness among the developers, organizing trainings, and integrating static code analysis into the development and maintenance processes. In this talk, we report the experiences we made while introducing static code analysis at SAP AG.


Please cite this article as follows:
Rüdiger Bachmann and Achim D. Brucker. 1000 Projects later: Security Code Scans at SAP. German OWASP Day, 7 November 2012.

BibTeX
@Talk{ talk:brucker.ea:1000projekte:2012,
abstract_de = {Statische Code Analyse (SCA) spielt in einem sicheren Softwareentwicklungsprozess (SDL) eine wichtige Rolle um m{\"o}gliche Sicherheitsschwachstellen bereits zur Entwicklungszeit zu finden und zu beheben. Die gro{\ss}fl{\"a}chige Einf{\"u}hrung statischer Code Analyse bei einem gro{\ss}en Softwarehersteller stellt eine gro{\ss}e Herausforderung dar. Neben den technischen Schwierigkeiten durch die schiere Anzahl und Gr{\"o}{\ss}e der Softwareprojekte, der Vielzahl unterschiedlicher Programmiersprachen (ABAP, C, Objective-C, ...) oder die Verwendung dynamischer Programmiermodelle wie sie z.B. bei HTML5/JavaScript {\"u}blich sind, ergeben sich auch nicht-technische Probleme wie die Schaffung des notwendigen Problembewusstseins, Schulung der Mitarbeiter im Umgang mit den verwendeten Tools, Einbindung der Analyse in vorhandene Entwicklungs- und Wartungsprozesse. In diesem Vortrag berichten wir von unseren Erfahrungen in der gro{\ss}fl{\"a}chigen Einf{\"u}hrung von statischer Code Analyse innerhalb der SAP AG.},
abstract_en = {Static Code Analysis (SCA) is an important means for detecting software vulnerabilities at an early stage in the software development lifecycle. The wide-spread introduction of static code analysis at a large software vendor is challenging. Besides the technical challenges, e.g., those caused by the large number of software development projects, the large number of programming languages in use (e.g., ABAP, C, Objective-C, ...), and the use of dynamic programming models such as HTML5/JavaScript, there are also many non-technical challenges, e.g., creating security awareness among the developers, organizing trainings, and integrating static code analysis into the development and maintenance processes. In this talk, we report the experiences we made while introducing static code analysis at SAP AG.},
author = {R{\"u}diger Bachmann and Achim D. Brucker},
day = {07},
event = {German OWASP Day},
handout = {https://www.brucker.ch/bibliography/download/2012/talk-brucker.ea-1000projekte-2012-2x2.pdf},
isodate = {2012-11-07},
lecturer = {Achim D. Brucker},
month = {nov},
slides = {https://www.brucker.ch/bibliography/download/2012/talk-brucker.ea-1000projekte-2012.pdf},
title = {1000 Projects later: Security Code Scans at SAP},
title_de = {1000 Projekte sp{\"a}ter: Sicherheitscodescans in der SAP},
url = {https://www.brucker.ch/bibliography/abstract/talk-brucker.ea-1000projekte-2012},
year = {2012},
}