Though SAP software presents an extremely customer-friendly exterior, it remains enormously complex: it needs millions of lines of code to function effectively in a large enterprise.
'The lack of code quality is a pressing issue for SAP’s 100,000-plus customers.'
It’s not really difficult to see why SAP continues to be successful. Used by over 100,000 enterprises worldwide to optimize their IT strategies and related business practices, SAP systems are complex, yet that complexity is more often than not overlooked by users, because SAP is so ubiquitously implemented among larger and more complex companies.
But then, SAP is certainly here to stay, and for a long time. Bill McDermott, CEO of SAP, the German database giant, said as much at the recent SAP Sapphire conference, stating that SAP applications were enabling businesses to explore the deepest domains of the digital world via an accessible platform. He added that SAP was ‘simple’, a claim that is quite debatable.
CAST has now investigated the issue by performing an in-depth analysis of the structural quality of Advanced Business Application Programming (ABAP) code. This code is used by thousands of enterprise applications that depend on SAP software, across all industry verticals, from food manufacturers to insurance and government defense systems.
As per McDermott, the frequency of non-compliance and violations was measured across 78 ABAP applications comprising more than 45 million lines of code (MLOC). According to recent research by CAST, an SAP security report stated that almost 95 percent of SAP systems deployed in organizations were exposed to various kinds of vulnerabilities. This gap in code quality is a pressing issue for SAP’s 100,000-plus customers.
To obtain a comprehensive overview of how well SAP deployments deal with possible vulnerabilities, CAST measured structural quality along the characteristics of performance, security, robustness, changeability and transferability. These characteristics and key metrics were scored on a pre-defined scale of 1 to 4, with 1 denoting low risk for the system and 4 high risk. An application positioned at high risk tends to expose the company to operational problems such as outages, unauthorized access, performance degradation or data corruption.
Failures arising from poor code quality often lead to decreased customer satisfaction, productivity and revenue. As tougher new privacy laws take hold in Europe and the US, the failure of important systems that hold essential customer data could lead to company failures and lawsuits if sensitive data is leaked. Such an outcome would be quite difficult to explain to stakeholders.
SAP quality differs by industry:
To benchmark and measure the severity of all possible SAP violations, the report relied on an algorithm that calculated the total number of violations relative to their opportunities of occurrence.
The data was analyzed and broken down into measurable units across eight sectors: energy, IT consulting, government, manufacturing, utilities, retail, telecom and finance. Performance was additionally measured against each structural quality characteristic. The analysis showed that different sectors have different code quality profiles.
CAST recommends an average score of 3.0 or above for software to be comfortably safe in the face of imminent attacks and major productivity issues. Apart from security, at least 25 percent of the scores for most quality factors defined by CAST fell below 3.0, which corresponds to a staggering number of applications that are currently highly vulnerable.
At the overall level, setting security aside, government achieved the top industry quality score of 3.76, while energy fell to the lowest with 3.14. According to the report, government SAP deployments carried considerably less customization than their private-sector counterparts, which went along with their higher scores.
When CAST’s methodology labelled a specific violation ‘severe’, in fifty percent of cases it affected transferability and performance. This aligns directly with the two major problems observed in SAP implementations: cost and performance.
From a technical standpoint, the most important problem organizations suffer is transaction speed, especially within complicated and tightly packed quarter-close batch windows. And because most of the applications analyzed in this report have been outsourced for maintenance and enhancement, from a business point of view SAP customers’ control over custom development costs is frustratingly low. The root cause of both issues is closely tied to the two quality characteristics mentioned above.
Compliance with rules:
One of the primary reasons businesses using SAP modules and platforms find themselves at risk of severe compliance violations is a lack of understanding of, and alignment with, the standard coding practices of SAP’s ABAP language.
By the end of 2015, the General Data Protection Regulation (GDPR) is expected to come into force, protecting the ‘personally identifiable information’ (PII) of over half a billion EU citizens. Companies that are not compliant with all of GDPR’s clauses may find themselves paying costly fines and suffering irreparable damage to their hard-earned reputation.
CAST implemented a compliance ratio to determine how often the various ABAP coding rules were violated. It was calculated as the ratio of compliant occurrences in a given sample to the number of instances in which non-compliance was found. In effect, it shows the net ratio of good-quality to bad-quality code.
In the data, three rules posed the greatest difficulty for IT teams in terms of compliance: avoid unreferenced methods and functions (compliance ratio 32%); avoid classes with extremely low cohesion (33%); and avoid SQL queries whose WHERE clause fails to use the first column of a pre-defined composite index (35%).
The available data shows that developers complied with the stated rules only about one-third of the time, a concerning statistic for much of the C-suite, especially those who wish to see their company reach higher levels of performance and agility.
After analyzing the data, it was clear that most of the rules developers struggled to comply with affect either maintainability or performance.
Both of these health factors dictate operational IT costs for production and maintenance cycles, for in-house teams and, critically, when systems are outsourced.
From this, and from the three most-violated ABAP rules, it is evident that IT teams and developers struggle to adhere to reliable and efficient techniques for information retrieval, and to practices that make software applications more accessible to users.
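The third rule above, the one with a 35% compliance ratio, is easiest to see in code. The following ABAP is an added illustration written for this article, not code from CAST or SAP; it assumes a hypothetical custom table ZORDERS with a secondary index Z01 over the composite key (REGION, STATUS), and shows the violating SELECT beside its compliant form.

```abap
*&---------------------------------------------------------------------*
* Added example, not from the CAST report. All names are hypothetical:
* custom table ZORDERS with secondary index Z01 on (REGION, STATUS).
*&---------------------------------------------------------------------*
REPORT zindex_rule_demo.

DATA: lt_orders TYPE STANDARD TABLE OF zorders,
      lv_region TYPE zorders-region VALUE 'EMEA'.

* Violation: the WHERE clause restricts only STATUS, the second column
* of index Z01. Without the leading column REGION the database cannot
* use the index, so this read degrades to a full table scan as ZORDERS
* grows, which is exactly the performance degradation the report flags.
SELECT * FROM zorders
  INTO TABLE lt_orders
  WHERE status = 'OPEN'.

* Compliant form: the leading index column REGION is supplied and the
* conditions follow the index column order, so Z01 can serve the read.
SELECT * FROM zorders
  INTO TABLE lt_orders
  WHERE region = lv_region
    AND status  = 'OPEN'.
```

On a live system the SQL trace (transaction ST05) shows which access path the database actually chose for each statement, which is the practical way to confirm that a rewritten WHERE clause now hits the intended index.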
It all boils down to complexity:
While non-compliance is an obvious answer to why a significant percentage of business SAP software is vulnerable, it does not get to the root causes of the issue. Moreover, even though SAP is widely adopted and highly popular because of its proven robustness in its non-customized form, its flexible architecture becomes complex because of the extensive customizations organizations undertake.
In most instances, SAP implementations are highly sophisticated, and developers deploy a stack of systems to allow applications to perform efficiently. As in-house teams generally cannot handle these systems on their own, because of the expense involved, companies turn to outsourcing firms for help.
With the ABAP job market tight, even benchmarked world-class systems integrators face a shortage of skilled workers. As a result, they are not in a position to become familiar with a particular business’s customized SAP platform and to establish the safety and functionality of those systems.
Perplexing and intricate system stacks have often been compromised by human error, with basic software engineering errors responsible for over fifty percent of all violations.
It is time that the complicated process of maintaining SAP code was managed directly by business and IT executives via deep software analytics. Management tends to brush technical issues like structural quality into a corner, but these concerns are the root cause of inefficiency and business risk.