Code security analysis has become one of the most important business segments servicing the secure development of software. Products are pretty mature for every mainstream programming language, and large IT companies have acquired the major technology innovators in that segment.
There is, though, an area of software development that receives little attention, although being quite important for businesses: the so-called customizing of SAP applications. Customization in SAP applications typically means that new application pieces will be added to the SAP standard offering. In many cases existing modules and functionalities will be rewritten at the customer site to optimize their usage for the customer specific business processes. As such, the customization is actually more a development activity and thus may greatly benefit from code security analysis, specifically for compliance purposes.
Most SAP customization projects, though, will take place in SAP’s ERP application suite, and this is mostly written in SAP’s proprietary language called ABAP. There are only a few companies that offer code analysis for ABAP programs, let alone analysis of the security of the developed code. Virtual Forge fills this niche with its flagship product CodeProfiler that analyzes SAP ABAP code for vulnerabilities and, optionally, also for other code quality aspects.
CodeProfiler has reached a mature status, and is currently in the phase of feature enrichment, so beyond the capabilities presented today (excellent performance, easy configuration, predefined content, full integration into SAP development activities) there will be more beneficial functionalities available soon. The ecosystem has reached a good level of maturity with worldwide sales and consulting through SAP and IBM and specific mid-market solution OEM packages.
Security for SAP applications is hard to mandate in real life due to its relatively central but isolated position in most organizations, and even then most IT specialists understand “SAP security” to be limited to good authorization management. Nevertheless, the modification of SAP software poses a high business risk and should therefore be treated with equal care. It is therefore important to establish (business) stakeholders for SAP security before being able to fully leverage the value of CodeProfiler.
Overall, Virtual Forge CodeProfiler is an excellent solution for a small but important niche, and SAP customers that are taking the risk of code vulnerabilities seriously shall consider the product for an evaluation.