Methodology

How GrundScan verifies BSI APP.4.6

GrundScan performs automated static analysis of ABAP source code against all 22 requirements of BSI IT-Grundschutz APP.4.6. This is not a manual audit — it is a programmatic check of source code patterns, control flow, and API usage. The results reflect the state of the submitted source snapshot only.

Scoring & eligibility

Each requirement is evaluated as one of:

  • PASSED: No violations detected
  • PASSED*: Met, but specific patterns flagged for manual review
  • FAILED: One or more violations found
  • N/A: Not applicable to the submitted codebase

A compliance score is calculated across all applicable requirements. A score of 70% or above makes the scan certificate-eligible.

Certificates are valid for 6 months from the date of issue. Re-scanning is recommended whenever the codebase is updated.

BSI APP.4.6 standard (official PDF) ↗
Scope: Analysis covers ABAP source files within the vendor's registered namespace. Files outside the namespace are excluded. The analysis does not cover Customizing, transport configuration, or runtime system settings.

All 22 requirements

Basis Requirements

A1
Protecting Reports with Authorization Checks (Basis)

Detects executable reports (REPORT programs) that lack an AUTHORITY-CHECK statement. Without one, the report's full functionality is available to any user who can start it (for example via SA38 or a transaction code), regardless of what that user is actually authorized to see or change.

A2
Formally Correct Evaluation of Authorization Checks (Basis)

Verifies that SY-SUBRC is evaluated immediately after every AUTHORITY-CHECK call. An unchecked return code means the authorization result is silently ignored.
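To make the A1 and A2 patterns concrete, here is a small detector in Python that applies both rules to constructed ABAP snippets. It is an added illustration, not GrundScan's code: the report names are hypothetical, the splitter handles only column-1 and trailing comments plus single-quoted literals, and chained statements are not expanded.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # "A1" or "A2"
    line: int      # 1-based source line of the offending statement
    message: str


def statements(source):
    """Split ABAP source into (line_no, TEXT) statements.

    Column-1 '*' comments and trailing '"' comments are dropped, a statement
    ends at the first period outside a single-quoted literal, and the text is
    upper-cased with whitespace collapsed.  Chained statements (':' / ',') are
    left as they are; a full analyser would work on the parsed statement list.
    """
    out, buf, start, in_lit = [], [], None, False
    for no, raw in enumerate(source.splitlines(), 1):
        if raw.startswith("*"):
            continue
        for ch in raw:
            if ch == '"' and not in_lit:          # rest of the line is a comment
                break
            if ch == "'":
                in_lit = not in_lit
            if ch == "." and not in_lit:          # end of statement
                text = " ".join("".join(buf).split()).upper()
                if text:
                    out.append((start, text))
                buf, start = [], None
                continue
            if start is None and not ch.isspace():
                start = no
            buf.append(ch)
        buf.append(" ")                           # statements may span lines
        in_lit = False                            # literals never do
    return out


# A2: the statement right after the check must test SY-SUBRC
_SUBRC_EVAL = re.compile(r"^(IF|ELSEIF|CHECK|CASE)\b.*\bSY-SUBRC\b")


def check_a1(stmts):
    """A1: an executable report must contain at least one AUTHORITY-CHECK."""
    report = next((s for s in stmts if s[1].startswith("REPORT ")), None)
    if report is None or any(t.startswith("AUTHORITY-CHECK ") for _, t in stmts):
        return []
    return [Finding("A1", report[0], "executable report contains no AUTHORITY-CHECK")]


def check_a2(stmts):
    """A2: every AUTHORITY-CHECK must be followed directly by an SY-SUBRC test."""
    findings = []
    for i, (line, text) in enumerate(stmts):
        if not text.startswith("AUTHORITY-CHECK "):
            continue
        following = stmts[i + 1][1] if i + 1 < len(stmts) else ""
        if not _SUBRC_EVAL.match(following):
            findings.append(Finding("A2", line, "SY-SUBRC not evaluated after AUTHORITY-CHECK"))
    return findings


def scan(source):
    stmts = statements(source)
    return check_a1(stmts) + check_a2(stmts)


# Constructed sample programs (hypothetical Z-names, not real code).
NO_CHECK = """\
REPORT zgs_demo_nocheck.
* nothing guards the payroll read below
SELECT * FROM pa0008 INTO TABLE @DATA(lt_pay).
WRITE / lines( lt_pay ).
"""

IGNORED_RESULT = """\
REPORT zgs_demo_ignored.
AUTHORITY-CHECK OBJECT 'S_TCODE'
  ID 'TCD' FIELD 'ZPAY'.
WRITE / 'payroll data'.          " sy-subrc never looked at
"""

COMPLIANT = """\
REPORT zgs_demo_good.
AUTHORITY-CHECK OBJECT 'S_TCODE'
  ID 'TCD' FIELD 'ZPAY'.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'Not authorized'.
ENDIF.
WRITE / 'payroll data'.
"""

if __name__ == "__main__":
    for name, src in [("NO_CHECK", NO_CHECK), ("IGNORED_RESULT", IGNORED_RESULT), ("COMPLIANT", COMPLIANT)]:
        print(name, scan(src) or "PASSED")
```

Running the script reports an A1 finding for the first program, an A2 finding for the second (the check runs, but the WRITE that follows it ignores the result) and nothing for the third. Note that the A2 rule is deliberately strict: an SY-SUBRC test that is separated from the check by another statement is reported even if it would be correct at runtime, which is the manual-review situation the PASSED* outcome exists for.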

A3
Authorization Check Before Starting a Transaction (Standard)

Checks that CALL TRANSACTION statements are preceded by an AUTHORITY-CHECK on S_TCODE (the modern equivalent is the WITH AUTHORITY-CHECK addition, which performs that check itself). Without either, the add-on lets any user who can run it launch the target transaction regardless of that user's own S_TCODE authorizations.

A4
No Proprietary Authorization Checks (Basis)

Flags homegrown permission logic (custom tables, hardcoded user lists) used in place of SAP's standard AUTHORITY-CHECK mechanism.

Standard Requirements

A5
Drawing Up a Policy for ABAP Development (Standard)

Confirms the presence of development guideline artefacts in the codebase (e.g. policy include programs). This is a structural/organisational check rather than a code pattern check.

A6
Complete Execution of Authorization Checks (Standard)

Looks for early RETURN, EXIT, or CHECK statements that could short-circuit authorization logic before it completes.

A7
Authorization Check During Input Processing (Standard)

Scans RFC-enabled function modules and BAPIs for missing input validation and absent authorization checks on sensitive parameters.

A8
Protection Against Unauthorized File System Access (Standard)

Detects OPEN DATASET statements that read or write files without a preceding AUTHORITY-CHECK on the S_DATASET object. Note that S_DATASET governs which files a user may touch, not whether the file name itself is trustworthy: a path assembled from input still needs validation (for example through logical file names or FILE_VALIDATE_NAME) before it reaches the file system.

A9
Authorization Check in Remote-Enabled Function Modules (Standard)

Identifies function modules flagged as remote-enabled that contain no AUTHORITY-CHECK. Such modules can be invoked over RFC by any user holding S_RFC for their function group, and the S_RFC check alone says nothing about whether the caller may do what the module does on their behalf.

A10
Execution of Operating System Commands (Standard)

Flags calls to SXPG_COMMAND_EXECUTE and similar OS-command function modules where the command name or its additional parameters are built from unvalidated input instead of being restricted to the external commands defined in SM69. The kernel call CALL 'SYSTEM' bypasses SM69 entirely and has no place in add-on code.

A11
Avoiding Planted Malicious Code (Standard)

Detects GENERATE SUBROUTINE POOL and INSERT REPORT — statements that create executable ABAP programs at runtime, a common malicious code injection vector.

A12
Avoiding Generic Module Execution (Standard)

Flags dynamic CALL FUNCTION or CALL METHOD where the function/method name is a variable, which can be exploited to invoke arbitrary functionality.

A13
Avoiding Generic Access to Table Contents (Standard)

Detects SELECT statements with a dynamic FROM clause (variable table name), which can expose any database table to unauthorised reads.

A14
Avoiding Native SQL Statements (Standard)

Flags EXEC SQL blocks. Native SQL bypasses Open SQL's automatic client handling and table buffering, ties the code to one database product, and, when statements are assembled from input, is a direct SQL injection vector. ADBC (CL_SQL_STATEMENT) carries the same risks when used with concatenated statements.

A15
Avoiding Data Leaks (Standard)

Scans for sensitive field names (passwords, keys, credentials) written to application logs, MESSAGE statements, or WRITE outputs.

A16
No System-Dependent Execution of Functions (Standard)

Detects conditional logic branching on SY-SYSID that disables security checks in specific systems (e.g. IF sy-sysid = 'DEV' around code that skips an authorization check). Such branches are transported together with the rest of the code and leave a path that behaves differently in each system.

A17
No Client-Dependent Execution of Functions (Standard)

Flags branches on SY-MANDT or hardcoded client numbers used to gate functionality, which creates a backdoor that is only live in specific clients and invisible in all others.

A18
Avoiding Open SQL Injection Vulnerabilities (Standard)

Detects dynamic WHERE clauses, dynamic ORDER BY, and dynamic field lists built from unvalidated user input — the ABAP equivalent of SQL injection.

A19
Protection Against Cross-Site Scripting (Standard)

Scans BSP pages and ICF handlers for user-controlled values written directly to HTML output without escaping, for example via the ESCAPE function with cl_abap_format=>e_html_text or CL_HTTP_UTILITY=>ESCAPE_HTML.
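As an added illustration for A18 and A19 (not GrundScan's implementation), the following Python sketch shows how a sanitiser-aware check tells the flagged form from the accepted one: for each dynamic sink it resolves the variable to its last single-line assignment in the same unit and tests every dynamic part of that assignment (a string-template { } expression or an && operand) for being a literal or the output of a recognised sanitiser. The ABAP snippets are constructed, the names (p_user, lv_where, lv_html, the iv_where parameter) are hypothetical, and a sink whose value cannot be traced is reported for manual review rather than passed, mirroring the PASSED* outcome above.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # "A18" or "A19"
    status: str    # "FAILED" (unsanitised data reaches the sink) or "REVIEW" (origin unknown)
    line: int      # 1-based line of the sink
    detail: str


# Per rule: the sink that consumes a dynamic value (group 1 = variable name) and
# the sanitiser that makes such a value safe for that sink.
RULES = {
    "A18": (re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I),
            re.compile(r"cl_abap_dyn_prg=>(quote|escape_quotes|check_\w+)\s*\(", re.I)),
    "A19": (re.compile(r"set_cdata\(\s*data\s*=\s*(\w+)", re.I),
            re.compile(r"\bescape\(\s*val\s*=.*\bcl_abap_format=>e_html_\w+"
                       r"|cl_http_utility=>escape_html\s*\(", re.I)),
}
# A plain 'text' literal or a |template| without { } expressions carries no data.
_LITERAL = re.compile(r"\s*(?:'[^']*'|\|[^{}|]*\|)\s*")


def last_assignment(lines, sink_idx, var):
    """Right-hand side of the nearest 'var = ...' line above the sink, or None."""
    pat = re.compile(rf"^\s*{re.escape(var)}\s*=\s*(.+?)\.?\s*$", re.I)
    for i in range(sink_idx - 1, -1, -1):
        m = pat.match(lines[i])
        if m:
            return m.group(1)
    return None


def unsanitised_parts(rhs, sanitiser):
    """Dynamic pieces of an assignment that are neither literals nor sanitised."""
    parts = re.findall(r"\{([^{}]*)\}", rhs)     # |...{ expr }...| template expressions
    if not parts:
        parts = rhs.split("&&")                   # single expression or && concatenation
    return [p.strip() for p in parts
            if not _LITERAL.fullmatch(p) and not sanitiser.search(p)]


def scan(source):
    lines = source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if line.startswith("*"):                  # column-1 comment
            continue
        for rule, (sink, sanitiser) in RULES.items():
            m = sink.search(line)
            if not m:
                continue
            var = m.group(1)
            rhs = last_assignment(lines, idx, var)
            if rhs is None:
                findings.append(Finding(rule, "REVIEW", idx + 1, f"origin of {var} not resolved"))
                continue
            bad = unsanitised_parts(rhs, sanitiser)
            if bad:
                findings.append(Finding(rule, "FAILED", idx + 1, "unsanitised: " + ", ".join(bad)))
    return findings


# Constructed ABAP snippets; all names are hypothetical.
SQLI_SRC = """\
REPORT zgs_sqli.
PARAMETERS p_user TYPE xubname.
DATA lv_where TYPE string.
* vulnerable: the parameter is interpolated into the dynamic WHERE clause as-is
lv_where = |BNAME = '{ p_user }'|.
SELECT * FROM usr02 INTO TABLE @DATA(lt_bad) WHERE (lv_where).
* hardened: cl_abap_dyn_prg=>quote quotes the value and escapes embedded quotes
lv_where = |BNAME = { cl_abap_dyn_prg=>quote( p_user ) }|.
SELECT * FROM usr02 INTO TABLE @DATA(lt_good) WHERE (lv_where).
"""

XSS_SRC = """\
METHOD if_http_extension~handle_request.
  DATA(lv_name) = server->request->get_form_field( 'name' ).
  DATA lv_html TYPE string.
* vulnerable: the reflected parameter is written into the page unescaped
  lv_html = |<h1>Hello { lv_name }</h1>|.
  server->response->set_cdata( data = lv_html ).
* hardened: HTML-escaped with ESCAPE before it is emitted
  lv_html = |<h1>Hello { escape( val = lv_name format = cl_abap_format=>e_html_text ) }</h1>|.
  server->response->set_cdata( data = lv_html ).
ENDMETHOD.
"""

REVIEW_SRC = """\
METHOD select_with_filter.
  SELECT * FROM usr02 INTO TABLE @DATA(lt_rows) WHERE (iv_where).
ENDMETHOD.
"""
```

Calling scan(SQLI_SRC) yields one A18 FAILED finding on the first SELECT and nothing on the second; scan(XSS_SRC) likewise yields one A19 FAILED finding on the first set_cdata; scan(REVIEW_SRC) yields an A18 REVIEW finding, because iv_where is a parameter whose value is set by the caller and cannot be judged from this unit alone. The sketch resolves only direct single-line assignments; CONCATENATE, multi-line statements and values passed through further variables would need real data-flow tracking.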

A20
No Access to Data from Another Client (Standard)

Flags SELECT … CLIENT SPECIFIED and writes to cross-client tables (those without a MANDT key field), both of which cross the client boundary on which SAP's tenant isolation rests.

A21
Ban on Hidden ABAP Source Code (Standard)

Detects patterns that generate or execute ABAP source code that is not visible in standard repository tools — obfuscated or runtime-only logic.

Increased Requirements

A22
Use of ABAP Code Analysis Tools (Increased)

Confirms that automated code analysis has been applied to the codebase. Running a GrundScan analysis satisfies this requirement by definition.

GrundScan automated analysis is a tool to help ABAP add-on vendors understand their security posture against BSI IT-Grundschutz APP.4.6. It does not constitute a formal BSI certification or replace a manual security audit. Results are based solely on static analysis of the submitted source code snapshot.

Questions about this methodology? hello@grundscan.com