Secure SAP Application Development at the Speed of Digital Transformation

Business-critical applications like SAP help run enterprises, supporting financial systems, human capital management, supply chains, supplier relationships, and more. Considering that 94% of the world’s 500 largest companies use SAP and 87% of the world’s revenue touches these systems, keeping these applications secure is a top priority. Over the last decade, we’ve seen an increase in cyberattacks targeting these business applications. These attacks can have massive business-level consequences: for example, the average cost of ERP application downtime is over $50,000 an hour, and the average yearly cost of business disruption due to non-compliance is around $5 million [1].


Secure SAP application development can be complex… but it doesn’t need to be

Onapsis has been in the business of protecting critical ERP systems since 2009, so we know firsthand how challenging secure development for SAP applications can be. One of the challenges is the accelerated pace of digital transformation. Developing SAP applications securely and at the speed of business is onerous. Security is taking a back seat to expediency for CFOs, who are also shifting budget away from security and towards other initiatives. At the same time, digital transformation initiatives are a higher priority for CEOs and CIOs, but with reduced security spend, organizations run the risk of transforming their business at the expense of introducing exploitable vulnerabilities in core business applications.

There is a lack of tools that sufficiently support secure SAP application development, both for the components that are unique to SAP and for integrations with the relevant development and change management environments. As a result, security testing for SAP usually means manual security reviews. However, the average SAP system contains over two million lines of custom code, and most organizations run multiple systems, so manual reviews aren’t exactly practical. Given how time-consuming manual review processes can be, and the lack of automation tools, there is potential for security due diligence to be rushed or skipped altogether in the interest of timely project delivery.

According to a 2020 PwC Pulse Survey, organizational spend is decreasing for security but increasing for workforce expenditures [2]. Software outsourcing, driven by talent shortages and current market conditions for hiring and retaining talent, is a trend that will continue to increase in the near future. Outsourced SAP development is also needed to develop applications at the speed of business. However, many organizations have challenges with alignment across their existing internal development and security teams, with over half of organizations stating there is limited or no collaboration between development and security teams [3]. If internal security and development teams are not in alignment, bringing in outsourced development will only complicate the issue. Developing and testing applications securely throughout the SAP application development process becomes even more complex when introducing outsourced developers and their code into the cycle.

A better approach that aligns with today’s challenges

A better approach is needed to specifically address the challenges of balancing the speed of development with security and managing the risks associated with code development for SAP systems.

  • Accelerated Cycles: Organizations need to balance the speed of SAP development with security: incorporate it earlier in the process, leverage automation, and have timely, easy-to-understand guidance for risk mitigation.
  • Deep Visibility: Custom code issues need to be found and remediated before they are imported into production, saving time and money. Enterprises should also have insight into the level and severity of code risks to prioritize remediation efforts.
  • Team Alignment: Robust reporting must be in place in order to align development projects across the organization and keep projects on time and on budget. Effective reporting unites security teams, development teams, and executives.

Onapsis Control can help

Onapsis Control provides application security testing for SAP applications, including the ability to review internally or third-party created custom code and transports, and single-click automated remediation for common code errors. It provides automated assessments, integrations with development environments and change management systems, and step-by-step remediation instructions so application teams can identify and fix issues as quickly as possible. Organizations gain automation and prioritization capabilities so they can reduce investigation and remediation times, accelerate development efforts, and meet project timelines. Onapsis Control empowers teams to quickly remediate issues — before they negatively impact system security, compliance, performance, or availability.

  • Automatically analyze code and mitigate organizational risk: Onapsis Control scans millions of lines of code in minutes, reducing the time needed to find errors and accelerating development. Our code scanning supports developers working in ABAP, HANA, and Fiori, and is compatible with all SAP development tools. You can use Control to clean up ABAP environments prior to migrating to S/4HANA, as well as to keep S/4HANA environments clean. Onapsis also has a large number of test cases that scan the code for both the type of each issue and the probability that it is a real issue. Quality reports are easy to run and understand, for sharing with executives as well as security and development teams, to ensure development projects stay on track.
  • Identify and Block Transports to Prevent Import of Vulnerabilities: Visibility into SAP transports is difficult, and once they are imported from development, it is a costly process in both time and money to rewrite and re-import them if the transport causes issues. Onapsis Control allows users to gain transport visibility and protect against risk at all stages.
  • Automatically Identify and Fix Errors in Large Custom Code Bases: Our one-click solution allows you to scan a workload for the most common errors affecting code and, with one click, execute an automated remediation of these errors. It is also possible to run a simulation so the impact of the corrections can be previewed prior to executing the automated remediation.

Learn more about how Onapsis Control enables application security testing, including automated code analysis and transport inspection specifically for SAP environments. Hear from Curtis on best practices for coping with the interconnected risk and challenges of today’s accelerated development cycles in this on-demand session.

[1] https://www.ascentregtech.com/blog/the-not-so-hidden-costs-of-compliance/

[2] PwC COVID-19 CFO Pulse Survey, May 2020

[3] Reducing Enterprise Application Security Risks: More Work Needs to Be Done, Ponemon Institute, February 2021