SAP ABAP Virtual Forge Code Checker

The Virtual Forge CodeProfiler for ABAP is the most comprehensive code scanner for custom-coded ABAP applications operating in the cloud. Its code analysis supports a holistic approach to cyber security. The CodeProfiler was the first ABAP code scanner and still remains the leading product on the market.


  • Check your code for bad practices (300 test cases)
  • Security and compliance monitoring
  • Performance, maintainability, robustness and data loss prevention checks
  • Secure automated deletion of your code after scan
  • End to End data encryption


  • Detailed reporting on issues and vulnerabilities with criticality assessments
  • Create robust, secure SAP applications
  • Check what your developers are implementing
  • Build into your development workflow


£12500 to £66250 per unit

Service documents


G-Cloud 11

Service ID

1 2 3 8 0 7 7 3 0 0 6 9 1 9 4



Phil Thomas


Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
System requirements
The code profiler is for ABAP only, not Java

User support

Email or online ticketing support
Email or online ticketing
Support response times
Email support is available with a 24 hour turnaround for responses, based on a standard 9am-5pm Monday to Friday working week. Emails received outside these hours will be regarded as having arrived at the next business opening time.

If you email at
1) 4pm on Monday, response by 4pm Tuesday
2) 5.02pm on Monday (treated as arriving 9am Tuesday ), response by 9am on Wednesday.
3) 4pm Friday, response by 4pm Monday.
4) 6pm Friday (treated as arriving 9am Monday), response by 9am Tuesday.
User can manage status and priority of support tickets
Phone support
Web chat support
Onsite support
Yes, at extra cost
Support levels
A simple three tier support model is provided with user issues being categorised as High, Medium, Low. All queries are responded to within 24 hours and we aim to close issues down in 24 hours, 1 week, 4 weeks respectively.
Support available to third parties

Onboarding and offboarding

Getting started
We provide clear written instructions and guides.

Please see our SFIA rate cards if you require a consultant to explain the findings of the report to you.
Service documentation
Documentation formats
End-of-contract data extraction
PDF reports can be downloaded to the users device from the cloud service.

Subject to any data retention policies we would securely remove all relevant documents we held in storage from our cloud devices upon contract termination, provided the user acknowledges they have received the documents and no longer wish us to store them.
End-of-contract process
All reports generated during the contract are included in the price of the contract.

At contract termination, we provide 30 days of report storage for the user for old reports, but no new reports are generated. The user is urged to download these old reports. At the end of this period, subject to any legal requirement to store items, the reports are deleted.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Compatible operating systems
  • Linux or Unix
  • Windows
Designed for use on mobile devices
Service interface
Description of service interface
A standard web portal username and password, supplemented by MFA is used for logging in to the service and to access the reports.

The reports are stored on the cloud server and are available in date order as PDF files.

Due to the reports being in PDF format, the site is not optimised for mobile browsing.
Accessibility standards
None or don’t know
Description of accessibility
Section 9.2.1 Non text context and Sections 9.2.10 Colour, 9.2.12 Contrast, 9.2.13 Font Size, 9.2.14 Imagery have been included in the consideration of website design
Accessibility testing
None, although issues can be raised and improvements made to address any valid concerns.
Customisation available


Independence of resources
We operate in a private cloud from Heidelberg, Germany. The users are accessing PDF reports or submitting extracts for assessment. It is highly unlikely that resource contention will be an issue, but if it did become an issue, we would take advantage of the infrastructure to remove contention.


Service usage metrics


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Virtual Forge (shortly to be part of Onapsis following sale)

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach
Our server's disk is encrypted using luks with XTS chaining, using a 512 bit keysize resulting in 256 bit AES; sha512 hashes are used to verify data integrity
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
The users can download the PDF reports.
Data export formats
Other data export formats
Data import formats
Other data import formats
SAP specific format

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Our aim is to provide access to reports at all times. Our solution is in the private cloud operated by Virtual Forge, who provide this service to Siemens, The Linde Group etc.
Approach to resilience
We utilise the resilient nature of the private cloud to host servers and reports. Further details are available on request.
Outage reporting
Email alerts are used to report any service outages.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Management and support channels restrictions are managed by Virtual Forge and more details are available upon request
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We follow an ISO27001 and 27005 approach to Governance, Risk and Compliance. Simple and easy to follow processes, policies and procedures are written with playbooks as required. All staff receive full security training and we have appropriate security incident policies, having written these for a number of HMG, MOD and Blue-Chip clients as Senior Information Assurance professionals.
Information security policies and processes
Analysts report to our Ethical Hacker, who reports to Company owner and Security Lead.

We use the 14 Cloud Security Principles and CIS Risk Assessment Process, with appropriate Risk Mitigations.

We have processes and policies for Acceptable Use, Access Control, Asset Disposal, Change Control, Clearances and Vetting, Cryptography, Disaster Recovery, Forensic Readiness, GDPR, Information security, Passwords, Patch and Vulnerability management, Protective Monitoring, Role Separation, Security Incidents, Site Access, System lockdown and hardening, Testing and ITHC

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Components are stored in a CMDB
Alerts on patching, vulnerabilities and end of sale, life and support are monitored and analysis conducted for impact to service.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We follow a number of publicly available feeds and review the full impact using the CVSSv3 standard, modified to account for our environment. We obtain our information from public repositories like NVD, US-CERT, Hackerstorm. We follow a number of vendors for patches.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Monitoring is done by the VirtualForge team. More details are available upon request
Incident management type
Supplier-defined controls
Incident management approach
We have defined playbooks for the most common incidents which can be followed by all staff. Users can report incidents to us via email and we will return the email with a phone call to the number we hold on record for them. We then repeat the information back to them to ascertain we have everything we need. We then collect data, isolate any services we need to. Perform our analysis. Write our initial findings, Peer review them. Fix the cause of the incident. Issue report to the customer. Updates to the customer are provided as necessary.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£12500 to £66250 per unit
Discount for educational organisations
Free trial available

Service documents

Return to top ↑