Cloud 101

Secure SAP Application Development at the Speed of Digital Transformation

Secure SAP Application Development at the Speed of Digital Transformation

Blog Article Published: 07/18/2022

This blog was originally published by Onapsis here.

Written by Curtis Parker, Onapsis.

Business-critical applications like SAP help run enterprises, supporting financial systems, human capital management, supply chains, supplier relationships, and more. Considering 94% of the world’s 500 largest companies use SAP and 87% of the world’s revenue touches these systems, keeping these applications secure is a top priority. Over the last decade, we’ve seen an increase in cyberattacks targeting these business applications. These attacks can have massive business-level consequences for example, the average cost of ERP application downtime is over $50,000 an hour, and the average yearly cost of business disruption due to non-compliance is around $5 million[1].

Secure SAP application development can be complex… but it doesn’t need to be

We know firsthand how challenging secure development for SAP applications can be. One of the challenges is the accelerated pace of digital transformation. Developing SAP applications securely and at the speed of business is onerous. Security is taking a back seat to expediency for CFOs, who are also shifting budget away from security and towards other initiatives. At the same time, digital transformation initiatives are a higher priority for CEO and CIOs but with reduced security spend, organizations run the risk of transforming their business at the expense of introducing exploitable vulnerabilities in core business applications.

There is a lack of tools that sufficiently support secure SAP application development, in terms of not only components that are unique to SAP but also integrations with relevant development and change management environments, security testing for SAP means manual security reviews. However, the average SAP system contains over two million lines of custom code and most organizations run multiple systems, so manual reviews aren’t exactly practical. Given how time-consuming manual review processes can be, and the lack of automation tools, there is potential for security due diligence to be rushed or skipped altogether in the interest of timely project delivery.

According to a 2020 PWC Pulse Survey, organizational spend is decreasing for security but increasing for workforce expenditures[2]. Software outsourcing, due to talent shortages and current market conditions for hiring and retaining talent, is a trend that will continue to increase in the near future. Outsourced SAP development is also needed to develop applications at the speed of business. However, many organizations have challenges with alignment across their existing internal development and security teams, with over half of organizations stating there is limited or no collaboration between development and security teams[3]. If internal security and development teams are not in alignment, bringing in outsourced development will only complicate the issue. Developing and testing applications securely, throughout the SAP application development process, becomes even more complex when introducing outsourced developers and their code into the cycle.

A better approach that aligns with today’s challenges

A better approach is needed to specifically address the challenges of balancing speed with development and managing the risks associated with code development for SAP systems.

  • Accelerated Cycles: Organizations need to balance the speed of SAP development with security: incorporate it earlier in the process , leverage automation, and have timely, easy to understand, guidance for risk mitigation.
  • Deep Visibility: Custom code issues need to be found and remediated before are imported into production to save time and money. Enterprises should also have insight into the level and severity of code risks to prioritize remediation efforts.
  • Team Alignment: Robust reporting must be in place in order to align development projects across the organization and keep projects on time and on budget. Effective reporting unites security teams, development teams, and executives.

Hear from Curtis on best practices for coping with the interconnected risk and challenges of today's accelerated development cycles in this on-demand session.


[2] PwC COVID-19 CFO Pulse Survey, May 2020

[3] Reducing Enterprise Application Security Risks: More Work Needs to Be Done Ponemon Institute February 2021

Share this content on your favorite social network today!

Sign up to receive CSA's latest blogs

This list receives 1-2 emails a month.