Application Security Testing (AST)

This article maps the criteria for Application Security Testing (AST) defined by Gartner Peer Insights to the capabilities of the Cybersecurity Extension for SAP.

  1. Buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities.

    The Cybersecurity Extension for SAP performs automated vulnerability management, threat detection and incident response for SAP applications. The solution detects security vulnerabilities in SAP programs, application servers, databases, operating systems, and standalone components such as the SAProuter and Web Dispatcher. The solution also monitors and detects indicators of compromise (IOCs) in SAP application logs and triggers alerts and notifications for suspected security incidents and breaches. It includes workflows and best practices for incident response.
  2. Static AST (SAST) technology: Analyzes an application’s source, bytecode or binary code for security vulnerabilities typically at the programming and/or testing software life cycle (SLC) phases.

    The Cybersecurity Extension for SAP performs static application security testing for custom ABAP programs in SAP systems. This supports the detection of code-level vulnerabilities including SQL injection, code injection, OS command injection, cross-site scripting, directory traversal, and missing authorization checks.
  3. Dynamic AST (DAST) technology: Analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically Web-enabled applications and services), analyzes the application’s reactions and, thus, determines whether it is vulnerable.

    The Cybersecurity Extension for SAP performs dynamic application security testing for custom ABAP programs in SAP systems. This supports the detection of code-level vulnerabilities including SQL injection, code injection, OS command injection, cross-site scripting, directory traversal, and missing authorization checks.
  4. Interactive AST (IAST) technology: Combines elements of SAST and DAST simultaneously. It is typically implemented as an agent within the test runtime environment (for example, instrumenting the Java Virtual Machine [JVM] or .NET CLR) that observes operation or attacks and identifies vulnerabilities.

    The Cybersecurity Extension for SAP performs interactive application security testing for custom ABAP programs in SAP systems through scheduled, automated scans of running programs. This supports the detection of code-level vulnerabilities including SQL injection, code injection, OS command injection, cross-site scripting, directory traversal, and missing authorization checks.
  5. Software Composition Analysis (SCA) technology: Used to identify open-source and third-party components in use in an application and their known security vulnerabilities.

    The Cybersecurity Extension for SAP performs Software Composition Analysis (SCA) by detecting vulnerabilities in the third-party databases and operating systems supporting SAP applications. This includes Oracle, IBM DB2, Microsoft SQL Server, Red Hat Enterprise Linux Server and SUSE Linux Enterprise Server.
  6. AST can be delivered as a tool or as a subscription service.

    The Cybersecurity Extension for SAP is delivered as a subscription service.

Sources:

Cybersecurity Extension for SAP

SAP Certified Solutions Directory

Secure Your Custom Code

Securing Operating Systems

Database Security

Protecting SAP Systems from Ransomware

Cybersecurity Extension for SAP Identifies Signatures of Active Cyberattacks

Securing Linux Platforms for SAP HANA and S/4HANA

Securing the Web Dispatcher
