DevSecOps for SAP: The Missing Link

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Christoph Nagy, the CEO and a founding member of SecurityBridge, shares insights on DevSecOps for SAP.

With DevSecOps, companies can leverage agile development concepts and inject them with automation tools to increase how new services are introduced via code. This has proven to be a better approach than the traditional working method, which relies on teams stuck in an often siloed environment. However, perhaps the most compelling advantage of using a DevSecOps approach is introducing a new mindset that makes everyone in the organization responsible for security. 

DevSecOps should include all departments of an organization and embed “security thinking” into the entire change process, from the executive board to individual teams. This approach requires high-level management support, as their backing helps promote a common understanding among team leaders. Business operators need tools and processes that support: 

• Continuous Monitoring 
• Scanning for Security Defects 
• Attack Detection 
• Change Management and Governance 
• Regular Assessments 

How DevSecOps Applies to SAP 

The standard model for SAP does not provide the tools needed to validate source code for security flaws. However, the system is monolithic and tightly integrated with a database and application layer. Because of this structure, developers can find it difficult to collaborate on the same code set, as there’s not often much time to review custom codes or transports. Problems occur when changes go into a production environment before being properly vetted for security issues.  

Neglecting important security considerations at an early project phase is never advisable. Every project must have a security element—business requirements and targets must never overlook security concerns. To adequately address security, processes and tools are required to enable close team collaborations that answer essential questions like: 

• Will the project introduce a security impact to contained data and established processes? 
• Is there a need for additional software and security architecture? 
• Is there a specific skill set required to be onboarded to the project? 

Using An Agile Environment 

With an agile environment, developers can kickstart the design phase once all epics and user stories have been written. One way to simplify the process is to use tools capable of scanning for potentially vulnerable source code that could allow SQL injections, cross-site scripting, or missing authorization checks in the development process.

Once all security and functional requirements are met, the production deployment can be initiated. The “go-live” does not end the DevSecOps process. Instead, it marks the handover to the “Keep-System-Running” (KSR) teams. In this phase of the lifecycle, the DevSecOps for SAP functionalities focuses on monitoring to enable attack detection, regular vulnerability assessments, and proper security patching. 

While the SAP flagship products do not provide the tools out of the box needed to validate source code for security flaws, DevOps practices enable developers to address SAP security issues instantly. It’s important to note that although many organizations use Change Management and IT Service Management solutions, these are not the tools necessary for an SAP DevSecOps approach.  

Companies need to look for platforms with an open API that allows integration with established SAP solutions while linking Change Management processes and Security Incident monitoring. These solutions offer an integrated SAP cybersecurity approach and reduce TCO compared to individual siloed code scanning and vulnerability management tools.