Secure Programming - Java

This documentation provides an overview of how to develop secure applications based on the SAP NetWeaver platform. It describes common security errors and weaknesses to watch out for as well as approved procedures so that your application functions "securely".

The target group of this documentation is Java developers who are developing applications based on the SAP NetWeaver platform. This guide is primarily aimed at developers in the IT departments of customers, consulting houses, and partners.

This documentation is divided into the following sections:

• Secure Programming
  • Password Security
  • Secure Communication
  • Secure Store & Forward Mechanism (SSF)
  • Logging and Tracing
  • SAP Virus Scan Interface
• Secure User Interface
  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Input Validation
  • Canonicalization
  • Directory Traversal
  • URL Encoding and Manipulation
  • Cookie Manipulation

For each topic mentioned above the security vulnerability is described. Then any standard solutions that exist from the SAP NetWeaver platform are presented, including functions and interfaces that need to be used. If no solution is available from the SAP NetWeaver platform, recommendations are provided about appropriate security measures to take. In addition, example code is provided where appropriate and links to existing documentation are given.

All descriptions of secure programming and all sample code (for the purposes of this clause hereinafter referenced together as the "Examples") contained in this document are for illustrative purposes only. These Examples have not been thoroughly tested under all conditions. SAP, therefore, cannot guarantee or imply reliability, serviceability, or function of these Examples. Any use of these Examples is at your own risk and responsibility and SAP shall not be liable for any damages caused by the use of such Examples unless such damages have been caused by SAP's gross negligence or willful misconduct.