Computer Science Department
School of Computer Science, Carnegie Mellon University


Measuring the Attack Surfaces of
SAP Business Applications

Pratyusa K. Manadhata, Yuecel Karabulut*, Jeannette M. Wing

May 2008


Keywords: Attack surface, attack surface metric, SAP business applications, security metrics, mitigation, software security, software quality

Software vendors such as SAP are increasingly concerned about mitigating the security risk of their software. Code quality improvement is a traditional approach to mitigate security risk; measuring and reducing the attack surface of software is a complementary approach. In this paper, we introduce a method for measuring the attack surfaces of SAP business applications implemented in Java. We implement a tool as an Eclipse plugin to measure an SAP software system's attack surface in an automated manner. We demonstrate the feasibility of our approach by measuring the attack surfaces of three versions of an SAP software system. SAP's software developers can use the tool as part of the software development process to improve software quality and security. SAP's customers can also use the tool to mitigate their security risk.

23 pages

*SAP Research Palo Alto, Palo Alto, CA.
