The challenge: SAP standard does not provide the tools needed to validate source code for security flaws. For this reason, the SecurityBridge code vulnerability analyzer complements SAP standard by integrating within the SAP standard development IDE using SAP Code Inspector and the ABAP Test Cockpit.
As a result, new business functions are deployed into the test environment without significant security defects. Quality gates enabled in the SAP transport management system help prevent source code from being moved without proper security validation.
Functional issues discovered in the user acceptance test (UAT) phase trigger a restart of the validation cycle. Only once all security and functional requirements are met can the production deployment be initiated. The SAP transport management system is vulnerable to software supply chain attacks unless the following (lnk) security patch has been installed. The go-live does not end the DevSecOps process; it only marks the handover to the so-called “Keep-System-Running” (KSR) teams.
In this phase of the lifecycle, DevSecOps for SAP focuses on monitoring to enable attack detection, regular (or better, continuous) vulnerability assessments, and accurate security patching.