Technology Toolkit 2021 is a technical white paper describing core technologies that
are being researched and developed by Samsung SDS R&D Center. We would like to introduce in this paper a total of
seven technologies concerning AI, Blockchain, Cloud, and Security with details on their technical definition, key
features, differentiating points, and use cases to give our readers some insights into our work.
With the arrival of the 4th industrial revolution and digital transformation becoming a necessity rather than a
choice for organizations and businesses, non-face-to-face work environments are expanding more than ever, especially
with the Covid 19 pandemic. Moreover, as digital transformation accelerates, life without IT is now unimaginable, but
unfortunately it has also led to higher security risks and more cyber-crime, with hackers exploiting this opportunity to
launch cyber-attacks. Most security vulnerabilities are introduced during the application development phase, in other
words during coding, so the best way to prevent security risks is to pay close attention to security from the design and development stage.
However, in today’s market, wherein product lifespans are becoming shorter and the resulting burden on product development and cost is growing, companies can easily neglect security issues. As a result, the need has grown for automated DevSecOps (DevOps+Security) technology that allows developers to identify and remove security bugs in the development phase. If a security bug analysis and removal tool can be incorporated and automated in the development operation cycle, it frees developers to focus their attention on product development itself, and in the end increases productivity and saves a lot of money on troubleshooting. Nowadays it is easy to find global leading companies that are adopting or internalizing such tools for their infrastructure for these reasons.
We have been using our very own security bug detection tool – a tool built on program semantic analysis technology – for our Java program inspections for several years. Since 2020 we have added language support for ABAP, the de facto programming language of ERP projects, and integrated it into CAFA+, Samsung SDS’s standard code inspection tool for ABAP, so that code quality and security weaknesses can be inspected with a single tool.
The security bug inspection feature offered by CAFA+ incorporates Abstract Interpretation, a
representative static analysis technique that analyzes code without executing the program. In particular, Taint
Analysis built on top of Abstract Interpretation allows us to infer the inflow path of data by analyzing data flow. This
allows us to detect data from unreliable sources, such as values entered by an arbitrary user, and prevent it from
reaching sensitive areas like SQL execution statements where it could be exploited by an attacker. Security
vulnerabilities such as XSS, SQL Injection, and Path Traversal are all of this type, and our Taint Analysis
function allows us to perform precise inspection that the simple syntax pattern inspection of the past cannot
match. CAFA+ further enhances detection accuracy by leveraging Variable Analysis, which predicts the range of
variable values and the presence of constants, and uses the findings in areas such as conditional branch statements.

    String user = request.getParameter("user");                          // source: untrusted request parameter
    Statement st = conn.createStatement();
    String query = "SELECT * FROM User WHERE userId = '" + user + "'";  // user-controlled value becomes SQL text
    ResultSet res = st.executeQuery(query);                              // sink: the tainted query is executed

    - executeQuery: Vulnerable function
    - query: Parameter that could be problematic
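The following is an added example, not CAFA+ code or any Samsung SDS code, showing in miniature how the Taint Analysis and Variable Analysis described above classify the Java snippet: a forward dataflow pass over a simplified three-address representation tracks values returned by a taint source (request.getParameter) through string concatenation until they reach a SQL execution sink, while literals are tracked as constants so that a query built only from constants raises no finding. The source, sink and binder tables, the Stmt representation and the three sample programs are assumptions constructed for this example; they are not CAFA+'s rule set.

```python
"""Toy taint analysis over a simplified three-address representation (added example)."""
from dataclasses import dataclass

# Assumed rule tables for this example (not CAFA+'s real configuration).
SOURCES = {"request.getParameter"}                                    # untrusted input enters here
SINKS = {"Statement.executeQuery", "PreparedStatement.executeQuery"}  # SQL text is executed here
BINDERS = {"PreparedStatement.setString"}                             # value bound as data, not SQL text


@dataclass
class Stmt:
    target: str        # variable written by this statement ("" for a call with no result)
    op: str            # "const" | "concat" | "call"
    args: tuple = ()   # operands: variable names, or literals spelled with quotes/digits
    callee: str = ""   # qualified method name for op == "call"
    line: int = 0


@dataclass
class Finding:
    sink_line: int
    callee: str
    source_lines: list   # lines where the tainted data entered the program


def is_var(token: str) -> bool:
    """Operands spelled with quotes or digits are literals; anything else names a variable."""
    return not (token[0] in "\"'" or token[0].isdigit())


def analyze(program):
    """Forward pass: map each variable to the set of source lines whose data can reach it."""
    taint = {}       # var -> set of source line numbers
    findings = []
    for s in program:
        incoming = set().union(*(taint.get(a, set()) for a in s.args if is_var(a)))
        if s.op == "const":
            taint[s.target] = set()              # a literal carries no taint (Variable Analysis)
        elif s.op == "concat":
            taint[s.target] = incoming           # taint survives string building
        elif s.callee in SOURCES:
            taint[s.target] = {s.line}           # new taint enters here
        elif s.callee in SINKS:
            if incoming:                         # tainted receiver or argument reaches the sink
                findings.append(Finding(s.line, s.callee, sorted(incoming)))
        elif s.callee in BINDERS:
            pass                                 # a bound parameter never becomes SQL text
        elif s.target:
            taint[s.target] = incoming           # unknown callee: propagate conservatively
    return findings


# The vulnerable snippet from the page, statement by statement (constructed representation).
VULNERABLE = [
    Stmt("user", "call", ('"user"',), "request.getParameter", 1),
    Stmt("st", "call", (), "Connection.createStatement", 2),
    Stmt("query", "concat", ("\"SELECT * FROM User WHERE userId = '\"", "user", "\"'\""), line=3),
    Stmt("res", "call", ("st", "query"), "Statement.executeQuery", 4),
]

# The same query with a bound parameter: the untrusted value is data, not SQL text.
FIXED = [
    Stmt("user", "call", ('"user"',), "request.getParameter", 1),
    Stmt("sql", "const", ('"SELECT * FROM User WHERE userId = ?"',), line=2),
    Stmt("ps", "call", ("sql",), "Connection.prepareStatement", 3),
    Stmt("", "call", ("ps", "1", "user"), "PreparedStatement.setString", 4),
    Stmt("res", "call", ("ps",), "PreparedStatement.executeQuery", 5),
]

# Variable Analysis at work: the query is built only from constants, so there is no finding.
CONSTANT_ONLY = [
    Stmt("user", "const", ('"admin"',), line=1),
    Stmt("st", "call", (), "Connection.createStatement", 2),
    Stmt("query", "concat", ("\"SELECT * FROM User WHERE userId = '\"", "user", "\"'\""), line=3),
    Stmt("res", "call", ("st", "query"), "Statement.executeQuery", 4),
]

if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("fixed", FIXED), ("constant-only", CONSTANT_ONLY)):
        found = analyze(prog)
        for f in found:
            print(f"{name}: data from line(s) {f.source_lines} reaches {f.callee} at line {f.sink_line}")
        if not found:
            print(f"{name}: no finding")
```

The pass reports a single finding for the page's snippet (source at statement 1, sink at statement 4), nothing for the prepared-statement version, and nothing for the constant-only version; the last case is what distinguishes this kind of analysis from a syntax pattern that would flag every executeQuery call.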
CAFA+ is an ABAP code quality and security vulnerability inspection tool built upon our 15 years of
know-how in ERP development and operation. We have continued to build a robust security response system, reacting
quickly to changes in the SAP ABAP technology environment.
Our technology supports the new HANA DB environment and the latest ABAP 7.5 syntax. It automatically identifies code
that needs to be modified for migration to HANA DB and accurately analyzes security bugs in code written in the new ABAP 7.5 syntax.
Figure: HANA DB code inspection
DB: Supports ABAP code inspection in the HANA DB environment: row-store DBs (Oracle, DB2) and column-store DB
UI: Supports code quality inspection in the backend area of the Fiori web environment and the SAP GUI environment
Ver: Supports new syntax-based code inspection for NetWeaver 7.5 and later (the latest ABAP version)
Figure panels: 1. HANA DB Inspection Rule, 2. Target HANA DB, 3. Defect Detected
Our CAFA+ provides about 150 code inspection rules, and this number keeps growing thanks to our years of ERP
operation know-how. These inspection rules give our developers the support they need to ensure
safe and quality coding. The rules are used to 1) check developers’ compliance with basic development
standards, 2) address design issues like low maintainability resulting from high code complexity or improper
modularization, 3) handle performance degradation issues like code that has the potential to be executed
indefinitely or expensive statements that are repeatedly executed, and 4) inspect abnormal termination issues like
We have listened to the voices of our on-site developers for a year concerning issues such as authentication
bypass, incorrect password use, and SQL statement injection, and we used the findings to handle the security
defects that occur frequently and have high impact. We go beyond providing simple results to our
developers: we provide easy-to-understand explanations and specific examples of the counter-measures we took,
minimizing the time and effort they put into their work while still enhancing its quality.
As shown below, CAFA+ offers our customers more varied functions than the default code inspection function offered in
First, our tool provides about 150 code inspection rules and a security vulnerability inspection function, currently applied in the development and operation of ERP for Samsung Group. It enables us to improve customers’ code security and reinforce the maintenance & repair process with inspection rules that have been refined through years of on-site experience.
Second, our tool scores individual inspection results and provides a quantified, comprehensive quality index. Unlike most other tools, which only provide item-by-item compliance status, CAFA+ provides a quantified result as a single quality index that is useful in setting a quality gate standard.
Third, our tool can customize inspection items and action policies to meet the needs of the organization and project at hand. Most CAFA+ functions can be configured through the SAP GUI environment familiar to ABAP developers, and administrators are free to establish policies according to the needs, quality requirements, and on-site situation of each project, boosting project efficiency.
Fourth, developers can easily use the tool at any time with simple manipulation of menu items without leaving the SAP environment. The tool allows developers to check for issues every time they code a function or save a file, so they acquire safe coding habits in no time.
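The following is an added example, not CAFA+ code or any Samsung SDS code, illustrating the inspection rules described earlier (a development standard, a maintainability limit, and a performance rule about expensive statements executed repeatedly) together with the scoring of individual results into a single quality index compared against a quality gate. The three rules, their penalty weights, the naming prefixes, the gate value and the ABAP program are all assumptions constructed for this example; only single-line DATA declarations are recognized.

```python
"""Toy ABAP inspection rules with a quantified quality index (added example)."""
import re
from dataclasses import dataclass

# Assumed rule definitions: rule id -> (category, penalty per finding).
RULES = {
    "NAME-01": ("standard", 2),           # local variables carry an lv_/lt_/ls_/lr_ prefix
    "MAINT-01": ("maintainability", 5),   # nesting depth must not exceed MAX_DEPTH
    "PERF-01": ("performance", 15),       # no database SELECT inside LOOP/DO/WHILE
}
MAX_DEPTH = 3
QUALITY_GATE = 80                         # assumed project threshold
PREFIXES = ("LV_", "LT_", "LS_", "LR_")

OPENERS = ("LOOP ", "DO ", "WHILE ", "IF ", "CASE ")
CLOSERS = ("ENDLOOP", "ENDDO", "ENDWHILE", "ENDIF", "ENDCASE")
LOOP_OPENERS = ("LOOP ", "DO ", "WHILE ")
LOOP_CLOSERS = ("ENDLOOP", "ENDDO", "ENDWHILE")


@dataclass
class Finding:
    rule: str
    line: int
    message: str


def inspect(source: str):
    """Run every rule over the ABAP source and return the findings in line order."""
    findings = []
    depth, loop_depth = 0, 0
    for no, raw in enumerate(source.splitlines(), start=1):
        stmt = raw.strip().rstrip(".").upper()       # ABAP keywords are case-insensitive
        if not stmt or stmt.startswith(("*", '"')):
            continue                                  # blank line or comment
        m = re.match(r"DATA\s+(\w+)", stmt)
        if m and not m.group(1).startswith(PREFIXES):
            findings.append(Finding("NAME-01", no, f"variable {m.group(1).lower()} violates the naming standard"))
        if stmt.startswith(CLOSERS):
            depth -= 1
            if stmt.startswith(LOOP_CLOSERS):
                loop_depth -= 1
        if loop_depth > 0 and stmt.startswith("SELECT"):
            findings.append(Finding("PERF-01", no, "database access inside a loop"))
        if stmt.startswith(OPENERS) or stmt == "DO":
            depth += 1
            if stmt.startswith(LOOP_OPENERS) or stmt == "DO":
                loop_depth += 1
            if depth > MAX_DEPTH:
                findings.append(Finding("MAINT-01", no, f"nesting depth {depth} exceeds {MAX_DEPTH}"))
    return findings


def quality_index(findings) -> int:
    """Single score: 100 minus the weighted penalties, floored at zero."""
    penalty = sum(RULES[f.rule][1] for f in findings)
    return max(0, 100 - penalty)


def passes_gate(source: str) -> bool:
    """Quality gate decision on the comprehensive index rather than per-item status."""
    return quality_index(inspect(source)) >= QUALITY_GATE


# Constructed ABAP program exercising all three rules.
CONSTRUCTED_ABAP = """\
REPORT zdemo_orders.
DATA lt_orders TYPE TABLE OF zorder.
DATA ls_order TYPE zorder.
DATA ls_vbak TYPE vbak.
DATA total TYPE i.
SELECT * FROM zorder INTO TABLE lt_orders.
LOOP AT lt_orders INTO ls_order.
  SELECT SINGLE * FROM vbak INTO ls_vbak WHERE vbeln = ls_order-vbeln.
  IF ls_vbak-vkorg = '1000'.
    IF ls_vbak-vtweg = '10'.
      IF ls_vbak-spart = '00'.
        total = total + ls_order-amount.
      ENDIF.
    ENDIF.
  ENDIF.
ENDLOOP.
WRITE total.
"""

if __name__ == "__main__":
    found = inspect(CONSTRUCTED_ABAP)
    for f in found:
        print(f"line {f.line:>3}  {f.rule} [{RULES[f.rule][0]}] {f.message}")
    idx = quality_index(found)
    print(f"quality index {idx}, gate {QUALITY_GATE}: {'PASS' if idx >= QUALITY_GATE else 'FAIL'}")
```

On the constructed program the checker reports the unprefixed variable on line 5, the SELECT inside the loop on line 8, and the fourth nesting level on line 11; the weighted penalties bring the index to 78, below the assumed gate of 80, so the program would be held back even though two of the three items are minor on their own.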
We can use CAFA+ not only as a development security tool for SAP development projects but also as an operational
security tool for operation projects. Because it can be executed with just a few clicks without having to
leave the SAP environment, CAFA+ provides a real-time quality enhancement environment in which a developer writing code or an
operator performing inspection can carry out quality and security inspection in a one-stop process. This eliminates
inspection processes that are not needed, shortening inspection time and improving productivity in general.
Moreover, the integrated batch inspection (weekly, monthly) function allows QAO and security personnel to automatically
perform full inspection of SW quality and security, improving work efficiency and quality.
We implemented a methodology that reflects code inspection and tuning from the point when we first launched our ERP
business. We built our own CAFA+, supporting the latest ABAP syntax and the HANA DB environment, to respond quickly
to changes in the SAP technology environment. There are many individual tools applicable to areas such as
security vulnerability checks, program structure analysis, program performance prediction, and program maturity index
measurement, but CAFA+ is the only integrated ABAP inspection platform capable of performing all these
functions at once.
▶ The content is protected by law and the copyright belongs to the author.
▶ Copying or quoting the content without the author's permission is prohibited.
SW Security Team at Samsung SDS R&D Center
As a SW security expert at Samsung SDS, he is involved in malicious code detection and counter-attack technology and in automated program analysis technology for security bug detection.
If you have any inquiries, comments, or ideas for improvement concerning technologies introduced in Technology Toolkit 2021, please contact us at email@example.com.