If you’ve travelled through any of the world’s major airports over the last 10 years, you will almost certainly have seen examples of SAP’s seminal advertising campaign, in which the company showcases some of its most prestigious clients. By building great products, delivering tremendous customer value and publicly associating itself with its high-profile customers, SAP has been able to establish itself as a global superbrand in its own right. No wonder, then, that SAP places so much emphasis on securing its software code, as this is all part of SAP defending its excellent brand reputation. Here follows a short blog about Coverity’s role within SAP’s Secure Development Lifecycle and the impact development testing has made on securing SAP’s code, both in mitigating risk and in making development more efficient.
Not only is SAP the global market leader in enterprise application software, it is also the 25th most valued brand in the world according to Interbrand. The company has partnered with Coverity to help transform its Secure Development Lifecycle and reduce the risk of brand-damaging security issues through the adoption of development testing. In order to fulfil its board-level mandate for secure software, SAP has introduced Coverity within its development lifecycle to automate development testing, so that developers can quickly and easily find and fix quality and security defects as early as possible in the development phase. In doing so, the organization is helping development teams to focus on product security and is significantly bolstering its Secure Development Lifecycle initiative by moving the fixing of security issues earlier in the software lifecycle. Finding and fixing issues as early as possible contributes significantly to the effectiveness of the development process and at the same time positively influences product quality and security.
By empowering software developers to fix common yet potentially critical defects, Coverity is providing SAP’s development teams with greater visibility into security risks early in the product lifecycle. Development testing serves as a natural complement to the other security testing methods implemented at SAP, such as vulnerability scanning and penetration testing, which exercise the software later in the lifecycle. This helps SAP’s developers and security experts to share information more effectively and work together towards the common strategic goal of secure software.
“Many of the world’s largest companies run their business based on SAP software products. Software security is tremendously important for our customers and for us,” said Gerold Hübner, Chief Product Security Officer at SAP. “By doing business with SAP, our customers are placing their trust in their business—and their brand—in us. If security were compromised it would be to the detriment of both SAP’s brand and our customers’ brands.”
SAP relies on Coverity to help secure the C and C++ code used in its ABAP kernel, the underlying infrastructure of flagship products such as ERP®, CRM®, SCM® and SRM®, and of its strategic database solution, HANA®. Finding security defects as early as possible is critical because the cost and time needed to fix a problem grow the later in the lifecycle it is discovered. Given the volume and complexity of the code developed, manual code reviews are not a scalable testing method for SAP, so an automated software security testing solution was required.
The key aspects of the Coverity solution that developers like the most are analysis accuracy, speed of analysis, ease of use, and actionable remediation advice. For development testing to be successful, it must fit within developers’ existing workflow, it must not waste their time with too many false positive results, and it must make it easy to understand how to fix each problem. All of these factors help SAP’s developers to prioritize and fix potentially serious security defects earlier in the process and in less time.
“Coverity is the means to exchange information between developers and security experts. By understanding how developers work and bringing technology that they will embrace in their workflow, it creates more collaboration between development and security teams,” said Uwe Sodan, Security Code Analysis Team Lead at SAP. “Coverity enables developers to produce secure code and gives developers a more positive attitude about addressing security, which ultimately leads to fixing security issues early and protecting SAP’s and our customers’ brands.”
Sodan continued, “It’s not just about finding issues – the most important thing is to be able to fix the defects quickly and efficiently. Developers need to understand why it was found and what they need to do to fix it. Providing the right information to both find and fix security defects in development reduces re-work time and cost.”
Hübner continued, “Secure coding is best achieved by positive empowerment of development teams rather than a strict governance approach. Development testing is now part of everyday life at SAP. It fits in perfectly with our culture of individual responsibility and innovation – and it makes our highly skilled developers even more effective. At SAP, there is no compromise on security. We are committed to providing secure products to our customers and Coverity is a cornerstone in our ability to deliver secure code as part of our Secure Development Lifecycle efforts.”
In summary, Coverity and development testing are helping SAP transform its Secure Development Lifecycle. SAP is moving security testing into development to build a new level of collaboration between development teams and its central security team, providing a means for these teams to rally around the common goal of mitigating software risks early in the development cycle. This not only creates a more effective security process within SAP, but ultimately links development testing to strategic business outcomes such as brand reputation. We are honored to be a critical part of SAP’s process transformation and applaud its innovation.