There’s no skirting around it—moving to SAP S/4HANA is a massive undertaking, requiring input and cooperation from executives, security teams, compliance experts, operations, SAP Basis and developers. Our new e-book, DevSecOps for SAP S/4HANA Migrations for Dummies, walks through how applying DevSecOps approaches can facilitate SAP application development, while also improving security, compliance and quality throughout the development lifecycle. This is a quick and practical read for the entire cast of characters involved that can help improve the likelihood that SAP S/4HANA projects are completed on time and on budget with security and compliance addressed from the start. Below, I’m highlighting a few of the strategies discussed in the book.
1. Establish Baselines: Setting Security & Compliance Standards From the Start
DevSecOps is all about building security into application development, but remember the cast of characters I mentioned above? Chances are they will all have their own definitions of what makes an application secure. For an SAP S/4HANA migration to be successful, it is essential that security (and compliance!) standards are agreed to and established at the start.
I’m highlighting compliance here because while it goes hand-in-hand with security (i.e., you generally can’t be compliant if you aren’t secure), it is often even more of an afterthought when it comes to projects like these. And given the consequences of violating some of these regulations—millions of dollars in fines, extreme penalties for executives—it really shouldn’t be.
So what can you use to help establish your standards? Here are some ideas, with more details provided in our book:
- SAP Security Baseline
- NIST Cybersecurity Framework
- Industry-specific (e.g., Sarbanes-Oxley, NERC CIP)
- Privacy regulations (e.g., GDPR, California Consumer Privacy Act)
2. Shift Left: Building Custom Code Analysis Into Your Development Processes
Shifting left is a key concept for DevSecOps—the earlier in the development lifecycle you can find problems, the better. But how can you efficiently and effectively identify problems in your SAP custom code? Manual code reviews are labor-intensive and error-prone, and they often find only a fraction of the critical issues that can affect the security and compliance of mission-critical applications.
Arguably the best place to start—the “furthest left”, if you will—is during the coding process itself. Interactive code analysis gives developers real-time feedback when they deviate from a best-practices approach or when the code they are writing may contain errors and security vulnerabilities. Issues can be identified and fixed before they are passed on to the next system or have any significant consequence.
From there, automatically scanning your code before releasing to your test or QA environment(s) and again before production helps ensure you’re catching any new or overlooked issues before they make it to the next stage.
Code assessment is also essential for brownfield implementations. Be sure to analyze your legacy code before bringing any of it into your new SAP S/4HANA environment; you don’t want any of your old skeletons making the move with you.
3. Maintain the Right: Monitoring for and Defending Against Threats
We all know the job isn’t done once an application is in production, though that would be nice! Remember that SAP is often running your business’s most mission-critical applications. Defending against vulnerabilities, attacks and misconfigurations is absolutely essential to keep everything functioning properly. So how do we do this? Here are a few examples detailed in the book:
- Regularly assess for vulnerabilities and misconfigurations to prevent security and compliance gaps
- Continuously monitor user access and activity for suspicious behavior, such as privilege escalation or authorization misuse and abuse
- Receive near real-time alerts for suspected threats and system attacks
Applying DevSecOps to SAP S/4HANA Projects
I know DevSecOps is not a new concept, but I do hope this post opens your eyes to how it can be applied to the SAP application development lifecycle. I invite you to check out the full book for much more detail on applying these concepts. The type of find-fix-repeat process outlined in the book can significantly reduce SAP S/4HANA migration project costs and timelines, while also minimizing security and compliance risks. And that’s sure to make everyone happy!