...
- within the SAP server (local), (SAPEX Local use - Baselines) or
- from within an external server (remote) (SAPEX Remote use - Analysis outside the SAP Server)
- a combination of both (hybrid) (SAPEX Hybrid approach)
...
Info | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Therefore, the approach to integrate SAP and Kiuwan consists on
Operational Models
|
How it works
When SAPEX components (programs, function modules, support classes, OS commands) are installed on the target SAP system, the user may perform the following operations:
- Extract source code
- Either by running a program within SAP server (
ZKW_SAPEX_CODE
) , or remotely (using thesapexCode.xml
script), extracted code can be analyzed with Kiuwan Local Analyzer. - The code elements to extract could be based on transport requests / tasks, packages, and the type and name of the element (programs, function modules, classes, web dynpro components, etc.)
- Either by running a program within SAP server (
- Extract system information ("metadata")
- Metadata are used by Kiuwan rules to search for defects and vulnerabilities
- For example, to ensure that authorization is performed properly, information about authorization objects and authorization groups (extracted from TOBJ and TDDAT tables) is used by many security checks in Kiuwan.
- Metadata extraction could be performed either by running a program within SAP Server (
ZKW_SAPEX_METADATA
) , or remotely (using thesapexMetadata.xml
script).
Perform analysis on extracted source code
Within a SAP system with Kiuwan Local Analyzer deployed, by running the
ZKW_ANALYSIS
program. It offers the possibility for extracting source code before analysis.
Add automated audits before releasing changes
SAP's Change and Transport System (CTS) may register an implementation for the CTS_REQUEST_CHECK 'classic' BAdI.
Source code extraction, analysis and evaluation of audit checkpoints may be performed before accepting (or rejecting) the release of a change request / task, according to organizational quality and security standards.
...