/devtoberfest-2021-security-coding-challenge

The sample in this repository has "built-in" security flaws for you to discover and fix during the Security Week Coding Challenge.

Primary LanguageABAP

Devtoberfest 2021 Security Week Coding Challenge

Welcome to the coding challenge that accompanies Devtoberfest Week 4, Security.

Description

To expand on the general security concepts of Devtoberfest Week 4, we also want to provide some practical exercises for both the ABAP and SAP Cloud Application Programming Model environment. You can choose to tackle the ABAP challenge, the CAP challenge or both of them.

ABAP

All of the ABAP content is contained within the /src folder. We also have ABAPGit configuration within the root of this project. So you can clone this entire project and only the ABAP content should be brought into your system. The content has been tested on the SAP BTP, ABAP environment (Steampunk) trial, but it is generally enough that it could be used as starting templates for this challenge in recent release on premise systems as well with only some minor adjustments for the target data model. Also each of challenge classes are relatively simple and self contained. You could also just use the community ABAP tools extensions for Visual Studio Code and perform this code challenge locally (or via GitHub Codespaces) without access to a backend ABAP system.

This challenge consists of three ABAP classes all of which have typical security issues when working with dynamic SQL. Your challenge is to improve this code; keeping it still dynamic but improve the safety of the code.

SAP Cloud Application Programming Model

The rest of the content in this challenge is an SAP Cloud Application Programming Model project within the /cap folder. This is an already built project with the basic sample data model. It can be cloned locally into VSCode or into the SAP Business Application Studio or you can edit it directly from GitHub Codespaces. It is configured to run with SQLite, so no backend HANA dependencies are necessarily needed to start.

This is a perfectly normal, although simple, CAP project. However it lacks certain security features that are available to the Cloud Application Programming Model. Your challenge is to add one or more of these features into the project. The more security features the better. We will also have a live session Security Aspects of SAP Cloud Application Programming Model on Wednesday, October 27th at 17:00 CEST / 23:00 SGT / 11:00 EDT 🌎 to discuss some of the security aspects you could add as part of this challenge.

General Approach to the CAP Coding Challenge

The general process you must follow for this challenge is:

If you have access to GitHub Codespaces then you can do all of this in the cloud, including the installation and use of all of the extensions. opening repository in GitHub Codespaces

Challenge Rules

We don't want to be too prescriptive in this fun challenge, but there are a few things that we need to ask you to do, so that things have a chance of running smoothly.

For this challenge, please abide by these rules:

  1. You have a week to complete the challenge, i.e. to submit a Pull Request with your script changes. This means that any PR submitted after Wednesday 3 Nov will not be considered.
  2. Please ensure you specify the following precisely in the title of your Pull Request: WEEK4CHALLENGE <your SAP Community user name>. So if your SAP Community user name is e.g. dj.adams.sap (from https://people.sap.com/dj.adams.sap) then the title of your Pull Request must be WEEK4CHALLENGE dj.adams.sap (you can put whatever you want in the PR description - i.e. the multi-line text area).
  3. You only need to send modifications to the content in the /src or /cap folders, you should not need to modify any other files in this repository.
  4. We will not actually merge your Pull Request as the base repository remains the starting template for everyone. Instead we will just judge your submissions based upon what is contained within the Pull Request.

How to obtain support

Create an issue in this repository if you find a bug or have questions about the content.

For additional support, ask a question in SAP Community.

Contributing

License

Copyright (c) 2021 SAP SE or an SAP affiliate company. All rights reserved. This project is licensed under the Apache Software License, version 2.0 except as noted otherwise in the LICENSE file.