Technology Toolkit 2021 is a technical white paper describing core technologies being researched and developed by the Samsung SDS R&D Center. In it we introduce a total of seven technologies in AI, Blockchain, Cloud, and Security, with details on their technical definition, key features, differentiating points, and use cases, to give readers some insight into our work.
With the arrival of the 4th industrial revolution and digital transformation becoming a necessity rather than a choice for organizations and businesses, non-face-to-face work environments are expanding more than ever, especially under the Covid 19 pandemic. As digital transformation accelerates, life without IT has become unimaginable, but it has also raised security risk and cyber-crime, with attackers exploiting the opportunity to launch attacks. Most security vulnerabilities are introduced while the application is being written, in other words during coding, so the best way to prevent security risk is to pay close attention from the design and development phase onward.
However, in today's market, where product lifespans keep getting shorter and the resulting burden on development effort and cost keeps growing, companies can easily neglect security. As a result, the need for automated DevSecOps (DevOps + Security) tooling that lets developers find and remove security bugs during development has grown. If a security bug analysis and removal tool is integrated and automated into the development and operation cycle, developers are freed to focus on the product itself, which raises productivity and saves considerable troubleshooting cost. Today it is easy to find leading global companies adopting or internalizing such tools for exactly these reasons.
For several years we have used our own security bug detection tool, built on program semantic analysis technology, to inspect Java programs. Since 2020 we have added support for ABAP, the de facto programming language of ERP projects, and integrated it into CAFA+, Samsung SDS's standard code inspection tool for ABAP, so that code quality and security weaknesses are inspected with a single tool.
The security bug inspection in CAFA+ is based on Abstract Interpretation, a representative static analysis technique that analyzes code without executing the program. In particular, Taint Analysis built on top of Abstract Interpretation lets us infer the paths along which data flows into a program. This lets us detect data from untrusted sources, such as values entered by an arbitrary user, and keep it from reaching sensitive places like SQL execution statements where an attacker could exploit it. Vulnerabilities such as XSS, SQL Injection, and Path Traversal are all of this type (untrusted input reaching a sensitive sink), and Taint Analysis inspects for them far more precisely than the simple syntax pattern matching of the past, which cannot tell whether a value actually originates from an untrusted source. CAFA+ further improves detection accuracy with Variable Analysis, which predicts the range of values a variable can take and whether it holds a constant, and uses that information in places such as conditional branch statements to discard paths that cannot execute at run time.
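To make the data-flow idea above concrete, here is a toy taint analysis written as an abstract interpretation. This is an added example for this page, not CAFA+ code or any Samsung SDS code. It works on a small constructed three-address IR rather than on ABAP; the op names, the `sanitize` op, the constant-set domain and the sample program are all assumptions made for illustration (a real tool would lower ABAP statements into something comparable). It shows the three points of the paragraph: taint propagates from a source through data flow to a sink, a sanitizer clears it, and constant analysis of a branch condition prunes a path that cannot execute, so only the genuinely reachable injection is reported.

```python
"""Toy taint analysis as an abstract interpretation (illustration only, not CAFA+ code).

Each variable is abstracted as Val(tainted, consts): whether it may carry
user-controlled data, and the set of constant values it may hold (None = unknown).
A worklist computes a fixpoint over the program's paths; constant knowledge is
used at branches to drop infeasible edges. The IR and its op names are invented
for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

WIDEN_LIMIT = 8  # stop tracking constants once a set grows past this (keeps loops finite)


@dataclass(frozen=True)
class Val:
    tainted: bool
    consts: Optional[FrozenSet[str]]  # None means "any value"


UNKNOWN_CLEAN = Val(False, None)
State = Dict[str, Val]


def lookup(st: State, v: str) -> Val:
    return st.get(v, UNKNOWN_CLEAN)


def join_val(a: Val, b: Val) -> Val:
    """Least upper bound: taint is sticky, constant sets are unioned (or widened away)."""
    consts = None if a.consts is None or b.consts is None else a.consts | b.consts
    if consts is not None and len(consts) > WIDEN_LIMIT:
        consts = None
    return Val(a.tainted or b.tainted, consts)


def join_state(a: Optional[State], b: State) -> State:
    if a is None:  # instruction reached for the first time
        return dict(b)
    return {v: join_val(lookup(a, v), lookup(b, v)) for v in set(a) | set(b)}


def concat(a: Val, b: Val) -> Val:
    """String concatenation: taint propagates; constants combine only when both sides are known."""
    consts = None
    if a.consts is not None and b.consts is not None:
        consts = frozenset(x + y for x in a.consts for y in b.consts)
        if len(consts) > WIDEN_LIMIT:
            consts = None
    return Val(a.tainted or b.tainted, consts)


def analyze(program: List[tuple]) -> List[Tuple[int, str, str]]:
    """Return (instruction index, sink kind, variable) for every sink reachable with tainted data."""
    labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "label"}
    states: List[Optional[State]] = [None] * len(program)  # abstract state entering each instruction
    states[0] = {}
    work = [0]
    while work:
        i = work.pop()
        st, ins, op = states[i], program[i], program[i][0]
        succs: List[Tuple[int, State]] = []
        if op == "source":        # ("source", dst): untrusted input, e.g. a screen parameter
            succs.append((i + 1, {**st, ins[1]: Val(True, None)}))
        elif op == "const":       # ("const", dst, literal)
            succs.append((i + 1, {**st, ins[1]: Val(False, frozenset({ins[2]}))}))
        elif op == "concat":      # ("concat", dst, a, b)
            succs.append((i + 1, {**st, ins[1]: concat(lookup(st, ins[2]), lookup(st, ins[3]))}))
        elif op == "sanitize":    # ("sanitize", dst, src): an escaping routine clears taint
            succs.append((i + 1, {**st, ins[1]: Val(False, lookup(st, ins[2]).consts)}))
        elif op == "branch":      # ("branch", var, literal, label): if var == literal goto label
            _, var, value, target = ins
            cur = lookup(st, var)
            if cur.consts is None or value in cur.consts:   # taken edge feasible: refine var
                succs.append((labels[target], {**st, var: Val(cur.tainted, frozenset({value}))}))
            if cur.consts is None:                           # fall-through with no refinement
                succs.append((i + 1, st))
            elif cur.consts - {value}:                       # fall-through only if another value is possible
                succs.append((i + 1, {**st, var: Val(cur.tainted, cur.consts - {value})}))
        elif op == "goto":
            succs.append((labels[ins[1]], st))
        elif op in ("label", "sink"):  # ("sink", kind, var) is judged after the fixpoint
            succs.append((i + 1, st))
        elif op != "exit":
            raise ValueError(f"unknown op {op!r}")
        for s, new_st in succs:
            merged = join_state(states[s], new_st)
            if merged != states[s]:
                states[s] = merged
                work.append(s)
    return [(i, ins[1], ins[2]) for i, ins in enumerate(program)
            if ins[0] == "sink" and states[i] is not None and lookup(states[i], ins[2]).tainted]


# Constructed sample: a SELECT built from a user-supplied name, with a constant mode flag
# selecting the escaped path. Syntax-only matching would flag all three sinks.
SAMPLE_PROGRAM: List[tuple] = [
    ("source", "p_name"),
    ("const", "prefix", "SELECT * FROM users WHERE name = '"),
    ("const", "mode", "strict"),
    ("branch", "mode", "strict", "escape"),   # constant analysis: always taken
    ("concat", "q_raw", "prefix", "p_name"),  # dead while mode == 'strict'
    ("sink", "sql", "q_raw"),
    ("goto", "done"),
    ("label", "escape"),
    ("sanitize", "safe_name", "p_name"),      # e.g. cl_abap_dyn_prg=>escape_quotes in ABAP
    ("concat", "q_safe", "prefix", "safe_name"),
    ("sink", "sql", "q_safe"),                # clean: sanitized before the sink
    ("label", "done"),
    ("concat", "q_bad", "prefix", "p_name"),
    ("sink", "sql", "q_bad"),                 # real SQL injection: reported
    ("exit",),
]

# Same program, but the mode now comes from the user, so both branches are feasible.
UNKNOWN_MODE_PROGRAM = [("source", "mode") if ins == ("const", "mode", "strict") else ins
                        for ins in SAMPLE_PROGRAM]

if __name__ == "__main__":
    print("constant mode:", analyze(SAMPLE_PROGRAM))
    print("unknown mode: ", analyze(UNKNOWN_MODE_PROGRAM))
```

With the constant mode only the final sink is reported; once the mode comes from the user, both branches are feasible and the raw query at the earlier sink is reported as well. That difference is what separates tracking data flow from matching a SELECT on syntax alone. One caveat for any analyzer of this kind: its precision depends on a curated list of sources, sinks and sanitizers for the target language, and a sink or sanitizer missing from that list is a false negative that the lattice cannot recover.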
CAFA+ is an ABAP code quality and security vulnerability inspection tool built on our 15 years of ERP development and operation know-how. We have continued to build a robust security response system that reacts quickly to changes in the SAP ABAP technology environment.
Our technology supports the new HANA DB environment and the latest ABAP 7.5 syntax. It automatically identifies code that must be modified for migration to HANA DB, and it accurately analyzes security bugs in code written in the new ABAP 7.5 syntax.
CAFA+ provides about 150 code inspection rules, and the number keeps growing thanks to years of ERP operation know-how. These rules give developers the support they need for safe, high-quality coding. They are used to 1) check developers' compliance with basic development standards, 2) address design issues such as low maintainability caused by high code complexity or improper modularization, 3) catch performance problems such as code that could run indefinitely or expensive statements that are executed repeatedly, and 4) find abnormal termination issues such as uncaught exceptions.
For a year we listened to our on-site developers about issues such as authentication bypass, improper password handling, and SQL injection, and we used those findings to prioritize the security defects that occur most frequently and have the highest impact. Rather than reporting a bare result, we give developers easy-to-understand explanations and concrete examples of countermeasures, which minimizes the time and effort they spend while still improving the quality of their work.
As shown below, CAFA+ offers customers more varied functions than the default code inspection provided by the SAP platform.
First, our tool provides about 150 code inspection rules and a security vulnerability inspection function that are currently applied in the development and operation of ERP for Samsung Group. It enables us to improve customers' code security and strengthen the maintenance and repair process with inspection rules refined through years of on-site experience.
Second, our tool scores each inspection result and provides a single quantified quality index. Unlike most other tools, which only report item-by-item compliance status, CAFA+ aggregates the results into one quality index that is useful for setting a quality gate.
Third, inspection items and action policies can be customized to the needs of each organization and project. Most CAFA+ functions are configured through the SAP GUI environment that ABAP developers already know, so administrators are free to set policies according to the needs, quality requirements, and on-site situation of each project and improve its efficiency.
Fourth, developers can run the tool at any time with a few menu selections, without leaving the SAP environment. Because they can check for issues each time they write a function or save a file, they acquire safe coding habits quickly.
CAFA+ can serve not only as a development security tool for SAP development projects but also as an operational security tool for operation projects. Because it runs with a few clicks without leaving the SAP environment, CAFA+ provides a real-time quality enhancement environment in which a developer writing code or an operator inspecting it performs quality and security inspection in a single one-stop process. This removes inspection steps that are not needed, shortening inspection time and improving overall productivity. In addition, the integrated batch inspection function (weekly, monthly) lets QAO and security personnel automatically run a full inspection of software quality and security, improving both work efficiency and quality standards.
We have applied a methodology that reflects code inspection and tuning since we first launched our ERP business, and we built our own CAFA+ to support the latest ABAP syntax and the HANA DB environment so that we can respond quickly to changes in the SAP technology environment. Many individual tools cover areas such as security vulnerability checking, program structure analysis, program performance prediction, and program maturity index measurement, but CAFA+ is the only integrated ABAP inspection platform that performs all of these functions at once.
▶ The content is protected by law and the copyright belongs to the author.
▶ Copying or quoting the content without the author's permission is prohibited.
SW Security Team at Samsung SDS R&D Center
As an SW security expert at Samsung SDS, he works on malicious code detection and countermeasure technology and on automated program analysis technology for security bug detection.
If you have any inquiries, comments, or ideas for improvement concerning technologies introduced in Technology Toolkit 2021, please contact us at email@example.com.