Even though SAP ships more than 10,000 standard transactions, every company creates its own custom ones. There are different reasons for building custom transactions: a user might need a specific report, a list, or a piece of functionality that isn't in the system. Sometimes custom transactions are even created with functionality identical to an existing standard transaction.
Creating custom transactions is not a problem in itself; it is normal use of the system. The problem is the potential security issues these new transactions introduce.
When building custom programs, the priority is delivering the functionality the user asked for, which usually means security measures are left aside. It is common to find ABAP developers who are not concerned with security or are simply unaware of the mechanisms SAP offers to enforce it. They ensure the program works as the user requested; once it is created, someone else adds the tcode to the user role, and that is it.
So the question is: how can we ensure that custom transactions in our organization are built securely?
The answer is easy: use the ABAP security standard BIZEC APP11 as a guide when creating the transactions. Easy to say, hard to do. The standard covers the following classes of vulnerability:
- APP-01 ABAP Command Injection
- APP-02 OS Command Injection
- APP-03 Native SQL Injection
- APP-04 Improper Authorization
- APP-05 Directory Traversal
- APP-06 Direct Database Modifications
- APP-07 Cross-Client Database Access
- APP-08 Open SQL Injection
- APP-09 Generic Module Execution
- APP-10 Cross-Site Scripting
- APP-11 Obscure ABAP Code
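As an added illustration that is not from the original article or from SAP, here is a hypothetical custom report showing two of the classes above, APP-04 and APP-08: first as a developer focused only on functionality might write it, then hardened with an AUTHORITY-CHECK and properly bound input. The report name, the Z_VENDOR authorization object and the displayed columns are assumptions.

```abap
REPORT zcust_vendor_list.  " assumed custom report behind a Z transaction

PARAMETERS p_land TYPE lfa1-land1.       " country key typed by the user

CLASS lcl_vendor_list DEFINITION.
  PUBLIC SECTION.
    TYPES ty_lfa1_t TYPE STANDARD TABLE OF lfa1 WITH DEFAULT KEY.
    CLASS-METHODS insecure RETURNING VALUE(rt_lfa1) TYPE ty_lfa1_t.
    CLASS-METHODS hardened RETURNING VALUE(rt_lfa1) TYPE ty_lfa1_t.
ENDCLASS.

CLASS lcl_vendor_list IMPLEMENTATION.
  METHOD insecure.
*   Kept only for contrast; it is never called below.
*   APP-04: no AUTHORITY-CHECK, so anyone holding the tcode sees all rows.
*   APP-08: the raw parameter is spliced into a dynamic WHERE clause, so
*   a value containing a quote character can change the query logic.
    DATA(lv_where) = |LAND1 = '{ p_land }'|.
    SELECT * FROM lfa1 INTO TABLE @rt_lfa1 WHERE (lv_where).
  ENDMETHOD.

  METHOD hardened.
*   Z_VENDOR is an assumed custom authorization object with the fields
*   LAND1 and ACTVT (03 = display); it would be defined in SU21.
    AUTHORITY-CHECK OBJECT 'Z_VENDOR'
      ID 'LAND1' FIELD p_land
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      MESSAGE 'No authorization for this country' TYPE 'E'.
    ENDIF.
*   Static Open SQL with a host variable: the value is bound as data and
*   is never parsed as part of the statement.
    SELECT * FROM lfa1 INTO TABLE @rt_lfa1 WHERE land1 = @p_land.
*   Where a dynamic clause is genuinely unavoidable, escape the value
*   first (same result as above; shown only to illustrate the escaping).
    DATA(lv_where) = |LAND1 = { cl_abap_dyn_prg=>quote( p_land ) }|.
    SELECT * FROM lfa1 INTO TABLE @rt_lfa1 WHERE (lv_where).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lt_lfa1) = lcl_vendor_list=>hardened( ).
  LOOP AT lt_lfa1 INTO DATA(ls_lfa1).
    WRITE: / ls_lfa1-lifnr, ls_lfa1-land1, ls_lfa1-name1.
  ENDLOOP.
```

Assigning the tcode to a role is not enough on its own: without the AUTHORITY-CHECK inside the program, the role controls only who can start the transaction, not what data it returns.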