Applications built on SAP are at the center of every enterprise organization. They are responsible for functions such as finance, manufacturing, human resources, sales, and supply chain management. However, application exploits are also a primary attack vector for enterprises – per Forrester research, 39% of external attacks were due to web application exploits, and 30% due to software exploits. Whether they exist on premises, in the cloud, or both, it is critical that these application environments are secured and resilient to attacks. Application changes, as well as new functionality and innovation, must be delivered in a timely fashion in order to support the organization at large without simultaneously increasing risk to the business in the form of software vulnerabilities, ripe for exploitation.
Yet software vulnerabilities resulting from development errors - whether maliciously or accidentally included - put SAP applications at risk. This is further compounded by the fact that there has been a significant increase in the number of attacks against SAP systems over the last 10 years. In fact, a recent Onapsis Research Labs threat report found conclusive evidence that attackers have sophisticated knowledge of business-critical applications and are actively targeting and exploiting vulnerable SAP applications.
But the overwhelming demand to build new functionality quickly and get it into production is difficult to balance with building it securely. The lack of application security testing tools dedicated to SAP code and transports means development cycles often contain substantial, time-consuming manual review processes, which frequently miss errors that lead to vulnerabilities. Security is also frequently not top-of-mind during development: a recent survey found that 86% of developers do not view application security as a top priority when writing code, and 36% say their code has vulnerabilities because meeting project deadlines takes priority.
This problem is compounded by the complexities of workflow and change management within SAP systems. Development teams struggle to keep pace with the rate of change and to accurately manage and track all of the changes inherent in the development process. The ability to run parallel development tracks, and to control and lock down sprints and releases, is critical to successful development. Yet teams lack change management tools that can create an enforceable workflow process and manage every change from its creation in development, through the security and testing process, into production.
Onapsis and Rev-Trac: Enabling DevSecOps for SAP Application Development
Onapsis Control can be integrated directly into the Rev-Trac workflow and change management process using Rev-Trac’s built-in customer exits. Once a developer reaches the predefined step in the change management process, Onapsis Control is automatically called and all transports associated with the Rev-Trac request are submitted for analysis. In the event that Onapsis Control identifies an error, the developer will be alerted and prompted to rectify the issue before migrating the change. The developer also has the option to continue to progress the transport if it’s deemed an acceptable risk. Through the entire process, a full audit trail is automatically captured and a report is made available for review before progressing the changes into production.
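The gate described above, modelled as an added illustrative example. This is not Onapsis or Rev-Trac code: the real integration is driven by Rev-Trac customer exits and Onapsis Control's own analysis, whereas here the analysis step is a stub returning constructed findings, and the transport numbers, rule names and approver are made up. What the model shows is the decision logic a practitioner would want in such a gate: blocking findings stop the transport, a documented risk acceptance lets it proceed, and every disposition lands in an audit trail.

```python
"""Hypothetical model of a transport security gate in a change-management workflow."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    transport: str   # transport request number (constructed, SAP-style)
    rule: str        # placeholder name of the code check that fired
    severity: str    # "high" | "medium" | "low"
    location: str    # object and line the finding points to (constructed)


@dataclass(frozen=True)
class RiskAcceptance:
    """A documented decision to progress a transport despite a finding."""
    transport: str
    rule: str
    approver: str
    justification: str


# Constructed sample results standing in for the code analysis step.
SAMPLE_SCAN_RESULTS: Dict[str, List[Finding]] = {
    "DEVK900101": [Finding("DEVK900101", "DYNAMIC-SQL", "high", "ZCL_ORDER=>SELECT_ORDERS line 42")],
    "DEVK900102": [Finding("DEVK900102", "MISSING-AUTH-CHECK", "medium", "ZREPORT_PAY line 17")],
    "DEVK900103": [Finding("DEVK900103", "HARDCODED-SYSID", "low", "ZUTIL_ENV line 5")],
    "DEVK900104": [],
}

# Severities that stop a transport unless a risk acceptance exists.
BLOCKING_SEVERITIES = {"high", "medium"}


def scan_transport(transport: str) -> List[Finding]:
    """Stand-in for submitting one transport for analysis (returns constructed findings)."""
    return SAMPLE_SCAN_RESULTS.get(transport, [])


def _is_accepted(finding: Finding, acceptances: List[RiskAcceptance]) -> bool:
    """An acceptance counts only if it names the same transport and rule and carries a justification."""
    return any(
        a.transport == finding.transport and a.rule == finding.rule and a.justification.strip()
        for a in acceptances
    )


def evaluate_request(
    request_id: str,
    transports: List[str],
    acceptances: List[RiskAcceptance],
    now: Optional[datetime] = None,
) -> Tuple[bool, List[Finding], List[dict]]:
    """Run the gate for one change request.

    Returns (allowed, blocking_findings, audit_trail). The audit trail records one
    entry per finding with its disposition, plus a final gate decision entry.
    """
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    audit: List[dict] = []
    blocking: List[Finding] = []

    for transport in transports:
        for finding in scan_transport(transport):
            if finding.severity not in BLOCKING_SEVERITIES:
                disposition = "informational"
            elif _is_accepted(finding, acceptances):
                disposition = "accepted"
            else:
                disposition = "blocked"
                blocking.append(finding)
            audit.append({
                "time": stamp, "request": request_id, "transport": transport,
                "rule": finding.rule, "severity": finding.severity,
                "location": finding.location, "disposition": disposition,
            })

    allowed = not blocking
    audit.append({"time": stamp, "request": request_id, "event": "gate_decision",
                  "allowed": allowed, "blocking_count": len(blocking)})
    return allowed, blocking, audit


if __name__ == "__main__":
    ok, blocked, trail = evaluate_request("REQ-1001", ["DEVK900101", "DEVK900103"], [])
    print("allowed:", ok, "| blocked:", [f.rule for f in blocked])
    for entry in trail:
        print(entry)
```

The gate treats a risk acceptance without a justification as no acceptance at all, so the audit trail always explains why a flagged transport was allowed through.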
Together, Onapsis Control and Rev-Trac solve the challenges of delivering secure application development projects for SAP. The joint solution lets users check code and transports for security vulnerabilities before import, reducing the time and money spent fixing errors in production. It also delivers this capability directly from within the change and workflow management tool, which ensures consistency in development and reduces the extra development time spent resolving issues, since they are handled inside the same workflow/change management tool.