The Dangers of AI in Custom Code: How to Secure Your SAP Landscape

The evolution of AI has revolutionized the velocity of modern software development, bringing unprecedented efficiencies. But at the same time, it introduces new security and compliance risks to your custom code that can be catastrophic if left unaddressed. The era of slow, manual code review is over. To survive the sheer volume of AI-generated content, companies must adopt a proactive, automated Application Security Testing (AST) strategy.

Key Takeaways:

  • The Seduction of “Functional” Code: AI often produces code that passes functional tests but fails security audits, harboring flaws like SQL injection or hardcoded credentials.
  • Context Blindness: AI may lack an understanding of your specific SAP architecture, leading to business logic errors and unauthorized data exposure.
  • Shadow Dependencies: AI may suggest obsolete or “hallucinated” libraries that introduce unmanaged risks into your landscape.
  • The “Rubber Stamp” Risk: The speed of AI can lead to superficial code reviews, allowing subtle vulnerabilities to slip into production.
  • The Solution is Shift Left: Traditional, reactive security is obsolete. Continuous, automated Application Security Testing (AST) must be integrated directly into the SAP DevSecOps pipeline.

The Undeniable Allure of AI-Augmented Software Development

The momentum behind AI adoption is undeniable. Development backlogs that once spanned months are shrinking at an unprecedented rate, fueled by several key competitive advantages:

  • Hyper-Productivity: AI assistants have become indispensable for eliminating “grunt work.” By handling boilerplate code and repetitive tasks, they free up developers to focus on higher-level architecture and creative problem-solving.
  • Compressed Development Cycles: AI acts as a significant force multiplier. Business features that previously required weeks of manual labor can now move from concept to deployment in a matter of days.
  • Natural Language to Logic: The ability to generate complex algorithms and functional logic from simple natural language descriptions has revolutionized the way we approach implementation, making rapid prototyping more accessible than ever.
  • Enhanced Optimization: AI serves as a tireless co-pilot, capable of identifying subtle syntax improvements and suggesting performance optimizations that even experienced developers might overlook during a long sprint.

The silent vulnerabilities sneaking into your custom code

In the world of SAP, where custom ABAP and non-ABAP code governs your most sensitive business processes, this new velocity comes with a hidden cost. When a developer uses AI to scaffold a transaction, they often inherit “technical debt” and security gaps. AI models are trained on public data that often contains decades of outdated practices. As a result, they inadvertently mirror those mistakes inside your proprietary environment.

Pattern Replication of Insecure Legacy:

AI models operate on pattern matching, not understanding. If an AI has seen thousands of legacy ABAP examples that use direct string concatenation for database queries, it will suggest that same pattern to your developers. This re-introduces classic vulnerabilities like SQL Injection into modern S/4HANA environments. Attackers can then find and exploit these flaws using their own automated tools.

The Absence of Business Context:

Security in SAP is deeply tied to business logic and authorization objects (e.g., AUTHORITY-CHECK). AI assistants often omit these critical checks because they don’t understand your specific organizational roles or data sensitivity. The result? A perfectly functional report that inadvertently allows a user to view payroll data or financial records they aren’t authorized to see.
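The two gaps described above, the concatenated dynamic WHERE clause and the omitted authorization check, side by side with a hardened form. This is an added illustration, not code from the original post or from Onapsis; the report name, the local class and the custom authorization object ZCUST_DSP are assumptions.

```abap
REPORT zdemo_ai_code_gate.

" Constructed illustration: a legacy-style read next to its hardened form.
TYPES: BEGIN OF ty_cust,
         kunnr TYPE kunnr,
         name1 TYPE name1_gp,
       END OF ty_cust,
       ty_cust_tab TYPE STANDARD TABLE OF ty_cust WITH DEFAULT KEY.

CLASS lcx_not_authorized DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS lcl_customer_read DEFINITION.
  PUBLIC SECTION.
    " Pattern an assistant trained on legacy examples tends to reproduce.
    CLASS-METHODS unsafe_read
      IMPORTING iv_kunnr         TYPE string
      RETURNING VALUE(rt_result) TYPE ty_cust_tab.
    " Hardened form: authorization gate, typed input, host variable in a static WHERE.
    CLASS-METHODS safe_read
      IMPORTING iv_kunnr         TYPE kunnr
                iv_bukrs         TYPE bukrs
      RETURNING VALUE(rt_result) TYPE ty_cust_tab
      RAISING   lcx_not_authorized.
ENDCLASS.

CLASS lcl_customer_read IMPLEMENTATION.
  METHOD unsafe_read.
    " Input is spliced into a dynamic WHERE clause, so a value such as
    " 1000' OR '1' = '1 rewrites the query; nothing checks who is asking.
    DATA(lv_where) = |kunnr = '{ iv_kunnr }'|.
    SELECT kunnr, name1 FROM kna1 INTO TABLE @rt_result WHERE (lv_where).
  ENDMETHOD.

  METHOD safe_read.
    " 1. Business context: the caller needs display rights (ACTVT 03) for the
    "    company code. ZCUST_DSP is an assumed custom authorization object.
    AUTHORITY-CHECK OBJECT 'ZCUST_DSP'
      ID 'BUKRS' FIELD iv_bukrs
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_not_authorized.
    ENDIF.
    " 2. Static WHERE with a host variable: the value is bound, never parsed,
    "    and the KUNNR type already bounds its length.
    SELECT kunnr, name1 FROM kna1 INTO TABLE @rt_result WHERE kunnr = @iv_kunnr.
    " If the condition genuinely must be dynamic, escape before embedding:
    " DATA(lv_where) = |kunnr = '{ cl_abap_dyn_prg=>escape_quotes( iv_kunnr ) }'|.
  ENDMETHOD.
ENDCLASS.
```

An AST rule that flags a dynamic WHERE built from a string template, or a database read with no preceding AUTHORITY-CHECK, would catch the first method and pass the second.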

Hallucinated and Insecure Dependencies:

AI sometimes suggests “hallucinated” code by referencing non-existent function modules or libraries. More commonly, it recommends outdated and vulnerable open-source snippets. This creates a “shadow supply chain” within your custom code that is nearly impossible to track manually.

The “Comprehension Gap”:

The sheer volume of code AI produces can overwhelm human reviewers. When code “looks” clean and runs without errors, there is a natural tendency to “rubber-stamp” the review. This creates a gap where subtle architectural flaws like missing input validation or insecure API handling get merged into the core without a second thought.

The Regulatory Compliance Risk:

In highly regulated industries like Life Sciences or Manufacturing, code must satisfy uncompromising mandates such as GxP, NIS2, GDPR, or CCPA. While AI models evolve rapidly, they often lack the up-to-the-minute “regulatory awareness” required to implement these complex legal nuances correctly. Consequently, AI-generated code can be difficult to document for traceability, often failing to meet the rigorous evidence standards required by human-centric compliance frameworks. Furthermore, AI may inadvertently suggest third-party tools or libraries that do not meet your organization’s strict internal compliance requirements, creating a “shadow supply chain” within your mission-critical environment.

The Critical Weakness: SAP Custom Code

SAP systems power your most mission-critical processes, including finance, supply chain, and HR. While SAP secures its standard core, your custom code (Z-programs, Z-transactions) is your largest security blind spot. It is created and changed constantly, often outside of rigorous security review. If an attacker’s AI can analyze a vulnerability in your custom code before your security team even knows it exists, your enterprise data is at extreme risk.

The Defender’s Imperative: Continuous Application Security Testing

To protect the core, organizations must move beyond “blind trust” and implement a “Shift Left” strategy. This requires embedding rigorous AST directly into the early stages of the development lifecycle before the code ever reaches production.

Rigorous SAP Application Security Testing with Onapsis Control

To harness the power of AI without compromising security, you need a specialized gatekeeper. Onapsis Control provides the scrutiny required for the complex, hybrid SAP landscape.

Unlike generic testing tools, Onapsis Control offers:

  • Deep SAP Context: Any AST solution must be designed specifically for SAP, capable of understanding ABAP, its dependencies, and the unique security context of SAP NetWeaver, S/4HANA, and SAP BTP.
  • Multilingual Support for Modern SAP: Beyond ABAP, it analyzes Java, Node.js, and SAPUI5, securing the side-by-side extensions and microservices that power SAP BTP and S/4HANA Cloud.
  • Automated Security Gates at the Source: Security checks cannot be relegated to post-deployment manual auditing. Onapsis Control integrates directly into your IDEs, Git Repositories, and CI/CD pipelines to ensure both human and AI-authored code is scanned for vulnerabilities before packaging.
  • Zero-Trust for Code: Control adopts a “verify everything” approach. It checks for missing AUTHORITY-CHECK statements, insecure data handling, and hardcoded secrets, ensuring your custom code adheres to the SAP Security Baseline.
  • Blocking Risky Transports: A critical control point is the SAP Transport Management System (TMS). If vulnerable code is detected, Onapsis Control can automatically block the transport, preventing a potential breach from ever reaching your production environment.
  • Frictionless Remediation: To match the speed of AI development, Onapsis provides clear, actionable instructions. This allows developers to fix vulnerabilities instantly, ensuring that security remains a driver of innovation, not a bottleneck.
  • Automated Compliance & Audit Readiness: Onapsis Control maps your custom code directly to specific regulatory frameworks. It provides the documentation and audit trail needed to prove that your AI-augmented code meets the latest industry standards, turning a “black box” into a transparent, compliant asset.

Conclusion: Harness the Power of AI without Regrets

The future of SAP development is augmented by AI, but it must be protected by specialized defense. Moving at the speed of AI without an automated safety net like Onapsis Control is a gamble with your most sensitive business data. Shifting security left does more than just identify flaws. When combined with Onapsis Research Labs’ threat intelligence, it establishes a proactive “Clean Core” strategy that keeps your systems agile and compliant.

Don’t let the quest for velocity open the door to a catastrophic breach. By implementing a robust AST strategy with Onapsis Control, you can secure your innovation, automate your compliance, and ensure that your custom code remains an asset, not a liability.

Ready to secure your AI-driven development? Learn more about Onapsis Control and Request a Demo today.

Frequently Asked Questions

1. If AI writes the code, why isn’t it inherently secure?

AI models are trained on public code, which is often riddled with security flaws. Because AI prioritizes functionality over security, it often takes the path of least resistance and introduces critical security vulnerabilities in the process.

2. Can standard SAP code reviews catch AI-generated flaws?

Manual reviews are increasingly insufficient against the sheer volume of code AI can produce. AI-generated flaws are often subtle. A missing validation check hidden within a sea of functional code is easily overlooked by human reviewers during a busy release cycle.

3. How does Onapsis Control handle “hallucinated” or outdated code suggestions?

Onapsis Control uses a comprehensive database of SAP-specific security patterns and threat intelligence. If an AI suggests a vulnerable function module or an insecure coding pattern, Onapsis Control flags it immediately, preventing that “hallucination” from becoming a real-world security risk.

4. Does using an AST tool like Onapsis Control slow down our developers?

Actually, it does the opposite. By catching vulnerabilities early in the development phase, Onapsis Control prevents the “rework” that happens when a flaw is found late in the testing cycle or, worse, after a breach. It provides developers with immediate feedback, allowing them to fix code as they write it.

5. How does Onapsis Control support our “Clean Core” strategy?

A “Clean Core” requires that all customizations are secure, maintainable, and compliant. Onapsis Control enforces these standards automatically, ensuring that AI-augmented development doesn’t clutter your core with insecure, low-quality “spaghetti” code.