Beyond the Basics: Why Comprehensive Application Security Testing for SAP is Non-Negotiable

The shift to the cloud and the rapid evolution of SAP S/4HANA have fundamentally changed the rules of secure software development. Many organizations assume that operating within the SAP ecosystem means built-in tools and the provider’s infrastructure will fully manage their security and compliance requirements.

However, relying solely on baseline code security leaves critical vulnerabilities undetected. As SAP landscapes become more complex and interconnected, the gap between basic syntax checks and comprehensive Application Security Testing (AST) creates significant operational and compliance risks.

Key Takeaways:

  • The Shared Responsibility Myth: Organizations often assume the cloud provider is responsible for the security of custom code. Under the shared responsibility model, the customer retains full ownership and risk for all custom developments and integrations.
  • Basic Syntax Checks vs. Deep Analysis: Standard development tools frequently miss complex, cross-application data-flow vulnerabilities that purpose-built Application Security Testing (AST) platforms are specifically designed to identify.
  • Comprehensive Test Case Coverage: While native tools offer limited security coverage, dedicated AST solutions like Onapsis Control utilize extensive libraries of specialized security and compliance checks to thoroughly inspect the SAP application layer.
  • Stronger Together: Comprehensive AST integrates directly into existing SAP environments. Specialized solutions, such as those provided by SAP-endorsed partners like Onapsis, complement native SAP tools to ensure secure migrations to SAP S/4HANA and SAP BTP.

The “Shared Responsibility” Trap: Who Really Owns The Risk?

  • One of the most dangerous misconceptions in the enterprise world is that moving to RISE or SAP Cloud ERP transfers security responsibility to the vendor. While the provider is responsible for the security “of” the Cloud (infrastructure and the standard core), you remain 100% responsible for security “in” the Cloud.
  • This means every custom report, every BTP extension, and every API integration is your responsibility. If a custom transaction allows unauthorized data leakage, the accountability rests solely with your organization.

Why “Standard” Tools Fall Short: Depth Matters

Most organizations rely on the basic, integrated tools provided within their development environment. While these are useful for catching simple syntax errors, they are not dedicated security solutions.

The core difference lies in the breadth and depth of the inspection. While standard, built-in scanners typically offer a limited set of security-relevant checks (often fewer than 100 basic patterns), purpose-built AST platforms provide comprehensive libraries of specialized security test cases. For example, Onapsis Control utilizes over 600 specific checks powered by threat intelligence from Onapsis Research Labs. As researchers continuously discover new attack vectors, these findings are directly integrated into automated scanning workflows.

Advanced AST solutions extend beyond generic quality checks to provide deep inspections across critical dimensions, including security, compliance, performance, maintainability, robustness, and data loss prevention. A prime example of this depth is the focus on Core Data Services (CDS) security. In modern S/4HANA environments, CDS views serve as the foundation of data modeling, yet they frequently remain a blind spot for traditional scanners. Purpose-built application testing treats CDS security as a foundational requirement by scanning for improper access controls, insecure client handling, and resource-heavy cross-joins.

Comprehensive AST coverage across supported SAP languages and architectures must include:

  • Vulnerability Assessment: Detecting high-risk flaws like SQL Injection, Cross-Site Scripting (XSS), and Directory Traversal. This requires Advanced Data Flow Analysis to accurately trace untrusted inputs to dangerous execution points.
  • Authorization & Logic: Scanning for hardcoded credentials, insecure data storage, and improper masking of sensitive personally identifiable information (PII). A mature AST platform automatically maps these results to regulatory frameworks like GDPR, SOX, and NIS2.
  • Performance & Robustness: Catching critical architecture flaws like duplicate alternative keys in transactional CDS views or cross-joins that can lead to application crashes or system-wide performance degradation.

Furthermore, basic scanners are often limited to legacy ABAP and rely on simple pattern matching: they flag a dangerous statement, such as a dynamic WHERE clause, wherever it appears. This produces a flood of false positives because the tool cannot tell whether the value reaching that statement is attacker-controlled or has already been escaped or validated, and it misses the true positives where the dangerous value arrives only after passing through several assignments or another program.

In contrast, advanced AST platforms provide a multi-language security umbrella. Whether development teams use modern ABAP syntax, XSA Node.js, SAPUI5, or XSJS, comprehensive solutions apply the same rigorous standards across the board. By utilizing Global Data and Control Flow Analysis, platforms like Onapsis Control track how an input in one program or language can lead to an exploit in another. This methodology detects sophisticated, cross-application vulnerabilities that standard, single-language tools simply cannot see.
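The difference between the two approaches described in the last two paragraphs is easiest to see on a concrete program. The following is an added illustration, not code from Onapsis Control or from SAP: a toy, flow-sensitive taint tracker over a constructed, ABAP-like program that builds three dynamic WHERE clauses, only one of which is fed unsanitized user input. A pattern-matching scan reports all three; the data-flow scan reports only the injectable one, because it follows the value from the PARAMETERS statement through assignments and string templates and treats cl_abap_dyn_prg escaping and allow-list calls as sanitizers. The supported grammar (PARAMETERS, simple assignments, string templates, the sanitizer calls, dynamic SELECT ... WHERE (var)) is deliberately tiny and straight-line; it is an assumption of this example, not a description of any product's analysis engine.

```python
"""Toy taint tracker for a straight-line, ABAP-like program.

Added illustration (not Onapsis or SAP code). It contrasts a pattern-matching
scan, which flags every dynamic WHERE clause, with a data-flow scan, which
flags only those whose clause was built from unsanitized user input. The
input grammar is a deliberately tiny subset of ABAP; a real analyser must
handle the full language, control flow and cross-program calls.
"""
import re

# Constructed sample: three dynamic WHERE clauses, only the first is injectable.
SAMPLE_PROGRAM = """\
PARAMETERS p_name TYPE string.
DATA lv_where TYPE string.
lv_where = |CARRNAME = '{ p_name }'|.
SELECT * FROM scarr WHERE (lv_where) INTO TABLE @DATA(lt_hit).
lv_esc = cl_abap_dyn_prg=>escape_quotes( p_name ).
lv_where = |CARRNAME = '{ lv_esc }'|.
SELECT * FROM scarr WHERE (lv_where) INTO TABLE @DATA(lt_hit2).
lv_where = 'CARRID = ''LH'''.
SELECT * FROM scarr WHERE (lv_where) INTO TABLE @DATA(lt_hit3).
"""

SOURCE_RE = re.compile(r"^parameters\s+(\w+)")          # user-controlled input
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")
SINK_RE = re.compile(r"\bwhere\s*\((\w+)\)")             # dynamic WHERE clause
# Calls whose return value is considered neutralised (escaped or allow-listed).
SANITIZER_RE = re.compile(
    r"cl_abap_dyn_prg=>(?:escape_quotes|escape_quotes_str|"
    r"check_whitelist_str|check_whitelist_tab)\([^)]*\)")
TEMPLATE_RE = re.compile(r"\|[^|]*\|")                   # |string template|
PLACEHOLDER_RE = re.compile(r"\{\s*([a-z_]\w*)\s*\}")    # { var } inside a template
LITERAL_RE = re.compile(r"'(?:[^']|'')*'")               # 'literal' with '' escapes
IDENT_RE = re.compile(r"\b[a-z_]\w*\b")


def _statements(program):
    """Yield (line_no, normalised statement); one statement per line assumed."""
    for no, raw in enumerate(program.splitlines(), start=1):
        stmt = raw.strip().rstrip(".").lower()
        if stmt:
            yield no, stmt


def _rhs_refs(rhs):
    """Variables whose value flows into the right-hand side of an assignment."""
    rhs = SANITIZER_RE.sub(" ", rhs)            # sanitised value carries no taint
    refs = set()
    for tmpl in TEMPLATE_RE.findall(rhs):       # only { var } inside |...| carries data
        refs.update(PLACEHOLDER_RE.findall(tmpl))
    rest = LITERAL_RE.sub(" ", TEMPLATE_RE.sub(" ", rhs))
    refs.update(IDENT_RE.findall(rest))
    return refs


def pattern_match(program):
    """Grep-style scan: every dynamic WHERE clause is reported."""
    return [no for no, stmt in _statements(program) if SINK_RE.search(stmt)]


def taint_analysis(program):
    """Flow-sensitive scan: report a dynamic WHERE only if its operand is tainted."""
    tainted = set()
    findings = []
    for no, stmt in _statements(program):
        src = SOURCE_RE.match(stmt)
        if src:
            tainted.add(src.group(1))
            continue
        sink = SINK_RE.search(stmt)
        if sink:
            if sink.group(1) in tainted:
                findings.append(no)
            continue
        assign = ASSIGN_RE.match(stmt)
        if assign:
            target, rhs = assign.groups()
            if _rhs_refs(rhs) & tainted:
                tainted.add(target)
            else:
                tainted.discard(target)         # overwritten with clean data
    return findings


if __name__ == "__main__":
    print("pattern matching flags lines:", pattern_match(SAMPLE_PROGRAM))
    print("data-flow analysis flags lines:", taint_analysis(SAMPLE_PROGRAM))
```

Run stand-alone, the pattern scan reports lines 4, 7 and 9 while the taint scan reports only line 4. The two false positives are exactly the cases a developer learns to ignore, which is how a real injection on the next dynamic WHERE slips through; the remaining gap, cross-program and cross-language flows, is what global data and control flow analysis adds on top of this per-program view.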

Stronger Together: Onapsis & SAP

Choosing a comprehensive AST tool is not about replacing SAP's native checks; it is about fortifying them. Rather than competing with standard checks, advanced AST solutions actively map to and expand upon them to ensure comprehensive coverage. This is achieved by seamlessly augmenting the standard SAP landscape. For instance, Onapsis Control runs alongside the ABAP Test Cockpit (ATC) and integrates directly into the SAP Transport Management System (TMS), SAP Cloud Transport Management service (cTMS), SAP Change Request Management (ChaRM), and the Eclipse IDE.

For example, where standard checks look for basic security exceptions (such as CVA check 1162 or 11A4), specialized platforms provide expanded test cases that cover additional development objects and deliver deeper context for vulnerabilities. As an SAP-endorsed partner, Onapsis integrates directly with the SAP ecosystem to bridge the gaps left by basic tooling, ensuring that migrations to SAP S/4HANA or SAP BTP are fundamentally secure.

Automated Gatekeeping: Protecting the “Clean Core”

In many standard development setups, security findings are treated as suggestions that are often bypassed to meet deadlines. Comprehensive AST transforms this dynamic by providing broader workflow integrations that enforce security policies automatically.

While basic tools are often confined to the SAP GUI, advanced AST solutions connect directly to Git repositories (GitLab, GitHub, Azure Git, Bitbucket) and integrate into modern CI/CD pipelines like Azure DevOps, SAP CI/CD Service, and Piper. By acting as a specialized transport guard within the SAP Cloud Transport Management System (cTMS), platforms like Onapsis Control ensure that no insecure code reaches the production core.
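What a transport guard actually decides is worth spelling out, because "block insecure code" hides two design choices: which severities stop a release, and how to treat findings that already exist in the target system so that legacy debt does not freeze every transport on day one. The following is an added illustration of such a gate, not the Onapsis Control or SAP cTMS implementation. It matches findings by a fingerprint that ignores line numbers, so unrelated edits do not turn previously accepted findings into new blockers, and it lets a baseline excuse findings only up to a configurable severity. The object names, check identifiers, severities and the baseline are all constructed for the example.

```python
"""Policy gate for one transport request.

Added illustration (not Onapsis Control or SAP cTMS code). Given the findings
a scanner produced for the objects in a transport, a baseline of findings
already accepted in the target system, and a policy, it decides whether the
transport may be released. Object names, check IDs and severities are
constructed for this example.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    object_name: str   # development object in the transport, e.g. a class or report
    check_id: str      # scanner check identifier (hypothetical names here)
    severity: str      # one of SEVERITY_RANK
    location: str      # method or include; deliberately not a line number


def fingerprint(f):
    """Stable identity of a finding across re-scans and line shifts."""
    return (f.object_name.upper(), f.check_id, f.location.upper())


def evaluate_transport(findings, baseline, block_at="high", baseline_cap="high"):
    """Return the gate decision for one transport.

    block_at:     lowest severity that blocks the release when the finding is new.
    baseline_cap: highest severity the baseline may excuse; anything above it
                  blocks even if it was previously accepted.
    """
    accepted = {fingerprint(b) for b in baseline}
    blocking, excused, warnings = [], [], []
    for f in findings:
        rank = SEVERITY_RANK[f.severity]
        if rank < SEVERITY_RANK[block_at]:
            warnings.append(f)          # reported, does not stop the release
        elif fingerprint(f) in accepted and rank <= SEVERITY_RANK[baseline_cap]:
            excused.append(f)           # known, risk-accepted finding
        else:
            blocking.append(f)          # new, or too severe to be excused
    return {
        "release_allowed": not blocking,
        "blocking": blocking,
        "excused": excused,
        "warnings": warnings,
    }


# Constructed sample: scan results for the objects in one transport.
TRANSPORT_FINDINGS = [
    Finding("ZCL_ORDER_API", "DYN_SQL_INJECTION", "critical", "GET_ORDERS"),
    Finding("ZCL_ORDER_API", "HARDCODED_CREDENTIAL", "high", "CONNECT"),
    Finding("ZR_LEGACY_REPORT", "MISSING_AUTH_CHECK", "high", "START-OF-SELECTION"),
    Finding("ZCL_UTIL", "CDS_CROSS_JOIN", "medium", "BUILD_VIEW"),
]
# Constructed baseline: findings already present and risk-accepted in the target.
ACCEPTED_BASELINE = [
    Finding("ZCL_ORDER_API", "HARDCODED_CREDENTIAL", "high", "CONNECT"),
]

if __name__ == "__main__":
    decision = evaluate_transport(TRANSPORT_FINDINGS, ACCEPTED_BASELINE)
    print("release allowed:", decision["release_allowed"])
    for bucket in ("blocking", "excused", "warnings"):
        for f in decision[bucket]:
            print(f"{bucket:8} {f.severity:8} {f.object_name}.{f.location} {f.check_id}")
```

With the sample data the new critical injection and the new high-severity missing authorization check block the release, the previously accepted hardcoded credential is excused, and the medium cross-join is reported without blocking. Lowering block_at to "medium" or raising baseline_cap to "critical" changes the outcome, which is the point: the gate enforces a policy the organization has written down, not a scanner's default.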

To maintain the speed of development, modern security tooling must also facilitate rapid remediation. Automated remediation features can instantly correct frequently occurring coding errors, allowing developers to secure their code without manual rewriting. Furthermore, providing step-by-step remediation guidance for every finding ensures that an organization’s Clean Core strategy remains a reality without becoming a development bottleneck.

Conclusion: Moving Beyond Basic Security

In an era of increased regulatory pressure (like NIS2) and sophisticated cyber threats, relying on basic tools for your most mission-critical assets is no longer a viable strategy.

By implementing an advanced AST like Onapsis Control, you close the “Shared Responsibility” gap. Utilizing an SAP-endorsed partner allows development teams to move beyond basic bug detection and establish a fundamentally secure SAP landscape.

Ready to see what your current tools are missing? Learn more about Onapsis Control and Request a Demo today.

Frequently Asked Questions

If I already have built-in SAP tools, why do I need comprehensive AST? 

Standard tools focus primarily on code quality, performance, and basic syntax. Onapsis Control is a specialized, comprehensive security platform. With over 600 test cases compared to the significantly smaller subset found in standard tools, Onapsis identifies deep architectural flaws and security risks that basic scanners miss.

How does the “Stronger Together” philosophy work in practice? 

Onapsis doesn’t replace your SAP infrastructure; it enhances it. As an SAP-endorsed partner, our tool integrates into your existing SAP landscapes (like BTP, ECC and S/4HANA) to provide a layer of security intelligence that standard tools aren’t built to provide. Think of it as adding a high-tech security system to a well-built house.

Does comprehensive AST cover more than just ABAP? 

Yes. Modern SAP environments use Java, Node.js, and JavaScript (UI5). While many standard tools are strictly ABAP-centric, Onapsis Control provides a unified security umbrella across languages used in your SAP ecosystem, including side-by-side extensions on BTP.

How does Onapsis help with my “Clean Core” strategy? 

A “Clean Core” requires customizations to be secure and maintainable. Onapsis Control acts as an automated transport guard in your Cloud Transport Management System. If code doesn’t meet your security and compliance standards, it is blocked before it can be imported, ensuring your core remains pristine and secure.