Securing SAP BTP - Vulnerability Management: Enforcing Best Practices for Users & Configurations

If you missed our first post in this series, we explored why securing your SAP BTP instance is so crucial. As a critical and highly interconnected asset, SAP BTP requires robust protection—but it’s not easy. Many existing tools don’t cover the customer’s responsibilities within the shared security model, and teams in charge of SAP cybersecurity often face resource constraints and competing priorities.
Today, I’m diving into one of the essential strategies for securing SAP BTP—vulnerability management. As we discussed in the previous post, it’s the customer organization’s responsibility to ensure that BTP—and all other SAP applications—are securely configured and that BTP users have the appropriate access and authorization levels. This is true even for RISE with SAP customers, as application and user configurations fall under the customer’s side of the shared security model.
Challenges to Successful SAP BTP Vulnerability Management
Unfortunately, this is easier in theory than in practice. BTP is no different from other SAP applications here in that it's difficult for customers to:
- Know and keep up with the latest security best practices for app and user configuration: SAP has published some guidance to help, adding BTP-specific recommendations to its SAP Security Baseline Template, but this still requires internal resources to digest that guidance and keep up with changes to it.
- Assess whether their BTP instance is following these best practices: Manually checking your BTP configurations and users is time-consuming, and individual settings or accounts are easily missed.
Adding to the challenge is that many organizations are still in the earlier stages of their BTP adoption and likely still figuring out their architecture and users, so changes to these areas are to be expected. To be successful here, you’re going to need a reliable, repeatable, and easy way to enforce effective SAP BTP security methods throughout this period of change and beyond.
SAP BTP Vulnerability Management Made Easy with Onapsis
Earlier this year, we released Onapsis Assess support for SAP BTP, allowing our customers to extend their vulnerability management efforts to this critical asset with automated, targeted scans and risk-driven analysis to help them prioritize and accelerate response.
Assess for BTP directly addresses the challenges laid out above:
- Knowing the latest security best practices for BTP configuration and users: Our new BTP-specific vulnerability scan combines checks from the SAP Security Baseline Template with advanced security insights from the experts at Onapsis Research Labs—providing you with unmatched coverage without requiring your internal teams to be security experts.
- Assessing if your BTP instance is following these best practices: Onapsis makes it easy for you to discover and scan all of your BTP subaccounts so you get maximum coverage with minimal effort.
Plus, you get the powerful automation, advanced prioritization, and guided remediation recommendations that have made Onapsis Assess the leading solution for SAP attack surface management. Assess empowers you to respond faster to issues—in BTP and the rest of your SAP landscape—by strengthening your SAP BTP security posture without burdening your already under-resourced teams or interfering with broader transformation project timelines and goals.
Completing the AppSec Puzzle for BTP: The Need for Continuous Threat Monitoring
In my next post, I'll be taking a look at another essential approach to securing SAP BTP: continuous threat monitoring. Per NIST and SAP (in partnership with Onapsis), it's a security best practice to pair point-in-time vulnerability scans, like those discussed in this post, with continuous monitoring for indicators of compromise.
This is another area that falls on the customer’s side of the shared security model under RISE and is often difficult for organizations to manage on their own. In the next part of this series, we’ll take a closer look at those challenges and what’s needed to overcome them to ensure the best possible SAP BTP security for your organization.