DevOps has brought with it a whole new spectrum of SAP security-related risks. DevSecOps is the answer.
It sometimes seems like new trends aren't even that new. This is especially hard to notice if the trend has been given a new name. This is the case with DevOps, or DevSecOps if security is included.
For those who do not know the term, DevOps is a clipped compound of development and operations. DevOps is supposed to enable a more effective and more efficient collaboration between the Dev (development) and the Ops (operations) departments.
Applied to DevSecOps, this means that security is implemented in software development from the beginning. Not too long ago, I read an article on that subject which surprised me quite a lot, especially considering that exactly this is what makes up the DNA of Virtual Forge.
Let’s take a look back: In 2008, we presented the first version of our CodeProfiler for Abap. This made us pioneers when it comes to secure programming in Abap. Shortly after, books on the subject of “secure programming in Abap” followed, as did workshops and, most of all, the ever same message to our and all SAP customers: “Security has to be a part of every application concept from the beginning.” This is especially the case for an SAP system, which on average contains 2 million lines of custom code. Not to mention the fact that the most sensitive data of a company is located in its SAP system. An analysis to find vulnerabilities in one’s code should be mandatory in any case.
Sadly, the reality is different. Secure Abap programming is rarely taught and even downstream code analyses cannot be taken for granted. Only a few SAP customers use a kind of auto-correct during development, which is essentially what our Virtual Forge CodeProfiler for Hana offers, or at least an integration into the development environment for Abap-based NetWeaver systems, as is the case with CodeProfiler for ABAP.
However, where there is light, there is also shadow: SAP security has become a more prominent subject and many customers take it more seriously than they did a few years ago. And if DevSecOps causes more SAP customers to engage with the subject, this is indeed positive news.