It’s easy to see why SAP remains successful. It is used today by more than 100,000 enterprises worldwide to optimise their business practices through IT. The complexity of these systems is often overlooked by users due to SAP’s ubiquity of use among these large and complex companies.
SAP is also here to stay. As CEO Bill McDermott at SAP Sapphire recently stated, SAP is about enabling businesses to enter the digital world through an accessible platform. He also claimed SAP is ‘simple’, which is more debatable.
CAST has investigated the issue by analysing the structural quality of advanced business application programming (ABAP) code, which is used in SAP software across thousands of enterprise applications running everything from insurance for food manufacturers to government defence systems.
>See also: SAP users struggling to keep pace
Research by CAST measured frequency of violations and non-compliance of 78 ABAP applications consisting of over 45 million lines of code (MLOC). With a recent SAP security report stating that 95% of SAP systems deployed in enterprises are exposed to vulnerabilities, this lack of code quality is a pressing issue on SAP’s 100,000-plus customers.
To gain a comprehensive overview of how SAP users are dealing with possible vulnerabilities, CAST measured structural quality on robustness, performance, security, changeability and transferability.
These characteristics were measured on a scale 1-4, with one meaning the application was at high risk and four meaning it was at low risk. If an application is at high risk, it exposes companies to operational problems such as outages, performance degradation, unauthorised access or data corruption.
Failure due to poor code quality can lead to decreased productivity, customer satisfaction and revenue. As tough new privacy laws come into place in the US and Europe, failure of key systems holding customer data could mean lawsuits or even company failures, should sensitive data be leaked. This would be anything other than simple to explain to shareholders.
SAP quality varies by industry
To measure and benchmark the severity of possible SAP violations, the report used an algorithm that calculated the number of violations versus their opportunity of occurrence.
Data was analysed and broken down by eight different sectors: government, energy, IT consulting, manufacturing, retail, telecom, utilities and financial sectors. Performance was measured against the structural quality characteristics and it proved that different sectors had varying code quality characteristics.
For software to be comfortably safe against major productivity issues and imminent attacks then CAST recommends a score of 3.0 or above. With the exception of security, at least 25% of the scores for all of CAST’s quality factors fell below 3.0 – a staggering number of applications which are currently highly vulnerable.
At the overall level, government scored the highest industry overall quality score with 3.76, whilst energy showed the lowest score of 3.14 – though customisations in government SAP deployments were markedly smaller than their private sector counterparts, which accounted for the higher scores.
>See also: Companies running scared of SAP updates
When a violation was labelled by CAST’s methodology as ‘severe’, half the time it afflicted performance and transferability capabilities. This lines up directly with two of the main problems observed in SAP implementations: performance and cost.
From a technical standpoint, the biggest problem suffered by organisations is the speed of transactions, especially during tight quarter-close batch windows. From a business standpoint, as almost all the applications in this report are outsourced for enhancement and maintenance, the level of cost control for clients of custom SAP development is frustratingly low. These two quality characteristics are at the root cause of both these issues.
Complying to the rules
A lack of compliance to standard practices of the SAP-specific ABAP language code could be the key reason why businesses using SAP platforms are at risk of severe violations.
As the General Data Protection Regulation (GDPR) is set to come into force at the end of this year, protecting the personally identifiable information (PII) of half a billion EU citizens. A company that is non-compliant with the GDPR may find itself facing costly fines and irreparable damage to a hard earned reputation.
To measure how often ABAP coding rules were violated, CAST used a compliance ratio, which was calculated based on the ratio of compliance occurrence in the sample verses the number of times of non-compliance was flagged up. In effect, it is the net ratio of bad quality code to good quality.
Looking at the data, there were three practices which IT teams had the greatest trouble in complying with: avoiding unreferenced functions and methods (compliance ratio 32%); avoiding classes with very low cohesion (33%); and avoiding SQL queries that do not use the first column of a composite index in the WHERE clause (35%).
It is clear from the data that developers only complied with the above rules one-third of the time – a worrying statistic for the majority of the c-suite, if they want their company to transform to higher levels of agility.
After analysing the data, it was found the majority of the rules that developers struggle to comply with affected either the quality characteristics performance or maintainability.
These two health factors dictate operational IT costs in production and during maintenance cycles, both in-house and critically, when systems are outsourced.
From this, and looking at the top three of non-complied rules of ABAP, there is struggle among developers and IT teams to adhere to efficient information retrieval techniques or processes that make software more user accessible.
It all comes down to complexity
Whilst non-compliance is an obvious answer to why a significant percentage of business SAP software is vulnerable, it does not get to the root of the issue. SAP is widely adopted and popular due to its proven robustness in its uncustomised form. Yet, it provides a complex and flexible architecture due to the large degree of customisation that organisations undertake.
Often, SAP implementations are highly sophisticated and so developers deploy a stacking system to allow applications to run efficiently. In-house IT teams rarely have the expertise to manage these systems alone, due to the expense and many depend on outsourcing firms to help.
With the ABAP job market still tight, even world-class systems integrators may not have the skilled workers available and will often not be familiar enough with a particular business’s customised platform, to establish both the functionality and safety of these systems.
Intricate and perplexing stack systems have long been compromised through human error, with basic software engineering errors accounting for more than half of all violations.
It is time that the complex process of maintaining SAP code is managed directly by IT and business executives through deep software analytics. Management often brushes technical issues such as structural quality aside, but they lie at the root cause of business risk and inefficiency.
Sourced from Bill Curtis, CAST chief scientist and author of SAP CRASH report