SAP’s success strongly depends on its ecosystem of system integrators and software providers, which helps customers set up, integrate, operate, customize, and extend their SAP solutions. Selecting the appropriate third party can be challenging. Many SAP customers looking for software extensions to their SAP solution use SAP’s certified solution directory for orientation.
As of January 29, 2021, there are 1,254 solutions listed. A software vendor needs to ask SAP to certify their solution to be listed. For example, an add-on running on the NetWeaver ABAP© technology requires the software vendor to pay 15k € in the first year and 10k € every subsequent year. Additionally, SAP can ask its customers who use third-party add-ons to pay extra as part of the NetWeaver Foundation license. As you can see, third-party applications are a business model for SAP.
Why it matters to look at third-party applications from a security perspective
But what’s the customer’s benefit of using certified add-ons? A customer of NO MONKEY asked us to answer this from a security point of view. Our customer has taken SAP application security very seriously over the past years, including setting up rigid controls to assess the security of the SAP software they obtain from third-party providers.
Our customer considered skipping at least some of the assessment effort when a solution is certified by SAP. The reason was the announcement by SAP’s Integration and Certification Center (ICC) department on March 19, 2020, that security code scans for ABAP© add-ons would become part of the certification process. Security researchers had criticized SAP for many years because they frequently find severe code security flaws in certified third-party add-ons, especially for ABAP©. With the introduction of the security code scan as part of the certification process, researchers, NO MONKEY, and our customer took this as a sign that SAP was taking security more seriously in the certification process.
To assess the code scan’s effectiveness in the certification process, we reached out to the SAP ICC (email@example.com) on October 21, 2020, asking for the code scan report summaries of three selected ABAP© add-ons certified after July 1, 2020. In the response, the technical consultant asked me to reach out to the vendors, as the test reports “are directly provided to the partners who [has] signed the contracts”. This statement made me curious. Is SAP ICC not archiving the results of the code scans they perform? Furthermore, I could hardly believe the following paragraph of the answer: “For ABAP Security check, we provide CVA license [the tool for performing the ABAP code scan] and partners have to make sure that all [..] security issues have to be rectified.”
Does that mean the vendor performs the code scan in their own environment and can provide whatever results they want to SAP, instead of SAP scanning in a controlled lab environment?
Taking a closer look at the security meaning of different certification levels
As one of the three ABAP© add-ons is an SAP Endorsed App with a so-called premium certification, I raised another query to SAP ICC asking which checks they perform and which requirements have to be met in comparison to the regular add-on certification. Interestingly, the answer was a reference to a slide deck describing the “Security Code Scan Assessment”, which had been announced as mandatory for all ABAP© certifications on March 19. I considered the answer to be a misinterpretation of my query. I rephrased my question and asked for the details of the “series of stringent tests” and the requirements a premium certification has to achieve compared to a regular one.
The answer to this question started to shed some light on the matter: “Within premium certification, SAP ICC looks at the full application and not just the integration part. It is an additional level of certification and consists of three main requirements: integration certification tests, cloud quality, and delivery checks and the static security code scan”. OK, regular certification tests only look for integration issues, and actual application checks like code scanning are part of the premium certification, which requires the endorsement of the vendor by SAP. But what about the code scan announced in March for all certifications? The summary document described in the brochure (p. 12) should be non-confidential information about the scan. I reached out to the three vendors and asked them to provide me the summary document of the certification code scan. Unsurprisingly, two of them mentioned not knowing of any code scan, and the vendor of the premium certified solution, I believe, did not understand the query at all.
After reaching out to SAP ICC once more to get information on which checks the assessment of cloud quality and delivery includes, I got a final statement:
“In general, we assume that SAP partners develop their application under industry standard secure development practices. Nevertheless, a security code [scan] with respect to SAP corporate security guidelines is made available by SAP as an optional/additional service to partners. The security code scan is a mandatory requirement (among a host of other requirements) for strategic partner solutions of SAP, Endorsed Apps being one of them.
The detailed checks or requirements of Premium Certification are confidential and are only available to partners undergoing the premium certification. We cannot provide those to another entity.”
Bingo! Security code scans are not mandatory, and as for what the “stringent security checks” for premium certifications are, SAP ICC apparently prefers not to be too open about it. To summarize: there are no security controls as part of the regular certification, and for the premium certification, we only know about the code scan, which the vendor may perform themselves.
A glimpse behind the scenes: Confronting SAP directly with the issue
With this information, I raised a security case on November 2 with SAP’s product security response team (PSRT) about the risk of software supply chain attacks via certified third-party add-ons. The PSRT rejected the case on November 4 and let me know that they had reached out to the ICC department to discuss it.
As a result, SAP ICC proposed an appointment four weeks later, which I accepted. In this two-hour call, I was able to get further insights and confirm my assumptions:
- SAP ICC, despite the original announcement, considers code scans optional. As a result of the meeting, they will change the statement accordingly.
- A customer cannot verify whether the delivered add-on deployment is the certified software or not, unless the solution is on SAP’s price list and distributed via SAP’s software deployment platform (aka SAP marketplace). Only a few of the solutions in the certified solution directory are on SAP’s price list. There is no cryptographic proof such as a digital signature or hash value on the issued certificate.
- Vendors of certified add-ons have to fear legal consequences from SAP if the ICC department detects any tampering with code scan results.
- Sometimes ICC performs the code scan for ABAP© add-ons in their lab environment, and sometimes the vendor performs it in their own environment. Neither case is visible on the issued certificate.
NO MONKEY’s and our customer’s conclusions from the investigation are:
- Only a premium certified solution distributed via the SAP marketplace offers any mitigation against the threat of software supply chain attacks.
- There has been little to no ownership and understanding demonstrated by SAP regarding the security sensitivity of the certifications it issues. As a result, NO MONKEY recommends not considering SAP’s ABAP© solution certification as a security assessment criterion for a vendor or an add-on.
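The missing cryptographic binding from the second point could look like this: an added example (not from the original post, and not anything SAP ICC provides) of a per-file hash manifest that a certificate could carry, plus the check a customer would run on a delivered add-on against it. The transport file names and contents are constructed for the example; a real certificate would additionally sign the manifest digest so the manifest itself cannot be swapped.

```python
import hashlib
import json

# Constructed sample delivery (path -> bytes) standing in for an add-on's
# transport files; nothing here is a real vendor's or SAP's artifact.
DELIVERED = {
    "K900123.ABC": b"transport cofile, add-on ABC 1.0",
    "R900123.ABC": b"transport data file, add-on ABC 1.0",
    "README.txt": b"Add-on ABC 1.0 installation notes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Hash every delivered file; this is what a certificate would bind."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def manifest_digest(manifest: dict) -> str:
    """One digest over the canonical manifest: the value to print on, or sign in, a certificate."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify_delivery(files: dict, manifest: dict) -> dict:
    """Compare a received delivery with the certified manifest and report
    tampered (hash mismatch), missing (certified but absent) and
    unexpected (delivered but never certified) files."""
    findings = {"tampered": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in files:
            findings["missing"].append(path)
        elif sha256_hex(files[path]) != expected:
            findings["tampered"].append(path)
    findings["unexpected"] = sorted(p for p in files if p not in manifest)
    return findings


def is_certified_build(files: dict, manifest: dict, certificate_digest: str) -> bool:
    """True only if the manifest matches the certificate AND the delivery matches the manifest."""
    if manifest_digest(manifest) != certificate_digest:
        return False  # manifest is not the one the certificate vouches for
    return not any(verify_delivery(files, manifest).values())


if __name__ == "__main__":
    manifest = build_manifest(DELIVERED)
    cert_digest = manifest_digest(manifest)  # what the certificate would carry
    modified = dict(DELIVERED, **{"R900123.ABC": b"transport data file, add-on ABC 1.0 (modified)"})
    print(verify_delivery(modified, manifest))
    print(is_certified_build(DELIVERED, manifest, cert_digest), is_certified_build(modified, manifest, cert_digest))
```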
I personally hope that SAP ICC, in light of the latest software supply chain attacks such as the SolarWinds case, takes more responsibility in its function as an authority for the security of the solution ecosystem.
Suppose you want help in implementing security requirements or in assessing the security of your SAP landscape, your providers’ security posture, and software solutions. In that case, NO MONKEY is at your side as your independent SAP security advisor.
You can find the mail exchange with SAP ICC and PSRT here. To respect the privacy of the SAP employees, personally identifiable information has been removed.
What Do You Think?
We’re happy to get in touch with you and learn something about your view. Feel free to send us a message.