Originally Posted In CIO Influence 

The SAP Business Technology Platform (BTP) is not just inspiring a trend; it’s a powerful tool with immense potential. However, this potential is yet to be fully harnessed, which demands our attention and action. 

BTP should be a topic when discussing SAP because it facilitates enterprise-level application development while providing tools for analytics and machine learning. BTP is the extension platform when following the ‘clean core’ concept, which emphasizes staying up-to-date, transparent, unmodified, consistent, and cloud-compliant. This concept is crucial for ensuring that the S/4HANA stack is upgradeable and future-proof, whether operated on-premise, through hyperscale, or with Rise. However, a challenge arises when developers who are more comfortable with programming languages like JavaScript and Python feel constrained when using SAP’s ABAP. The solution is to use these languages working with BTP. But how will working with alternate languages affect security? 

Most BTP users are in the early stages of adoption, and each situation is unique. In the established SAP processes (seemingly redundant to mention), development happens in the development system. The BTP process typically starts with a small unit test, followed by a more extensive system test, where the technical release occurs before any changes are made in the production system. This test usually happens in the BTP and highlights the need to review or change the commonly used processes.

The Gold Rush

BTP provides an incredible variety of services to SAP customers. This unboundedness makes for a ‘gold rush’ optimism, a metaphorical reference to the 19th-century gold rush in the United States, where many people rushed to mine gold, hoping to strike it rich. In the context of BTP, it refers to the enthusiasm and eagerness of organizations to adopt BTP and leverage its capabilities. However, in the mad dash to ‘strike it rich,’ the flood of users bypasses the need for governance, fixed structures, and best practices. This negligence should be a flashing warning sign to IT security personnel. The shock happens when customers realize multiple unverified tenants can access the productive system. What results is confusion about:

• Where the responsibility lies;
• Who has permission to do what;
• Whether or not the tenants are being used productively can lead to security risks. For instance, a tenant might unknowingly install a malicious app or share sensitive data with unauthorized users. This lack of control over tenant activities is a significant security concern.
• A need for certainty regarding individual requirements. 

Guidelines For Secure Governance

These areas of confusion comprise the first hurdle that needs to be overcome. The next hurdle  is determining the governance guidelines once responsibility has been assigned to BTP tenants:

• Who creates them;
• Who approves them, and 
• Where is the tenant connected. 

We must translate SAP’s best practices into the world of BTP. Secure coding and governance are not just recommendations; they are necessities for your systems’ safe and efficient operation. 

Any BTP process implemented must be monitored by IT personnel for compliance and efficiency. The IT department can use an ‘internal control system (ICS), a set of processes that ensures the organization’s objectives are met and validates whether or not the new process is working as desired (i.e., to determine how many administrators there are for the global BTP account). This system is crucial for maintaining the security and integrity of the BTP environment.

In addition to the hurdles above, IT must define roles and responsibilities for implementing procedures, monitoring, and governance, no matter the language platform used. For example, who’s responsible for BTP security? Once these roles are created, the BTP tenant must be checked for possible gateways. At this point, a third-party security platform is valuable for monitoring because it creates an additional layer of transparency for identifying threats.

Guidelines For Secure Coding

The first step in securing the coding is assigning authorizations; the next issue arises regarding content in the BTP. ABAP is no longer the only choice, as Python and other free languages, such as Fiori developments, enable business app creation with a consumer-grade user experience. These new languages make the casual developer an SAP expert with easy-to-use screens that work on any device and present near-limitless possibilities. 

BTP excels in connecting and integrating with S/4HANA, which covers an enterprise’s daily processes (order-to-cash, procure-to-pay, plan-to-product, and request-to-service) and core capabilities. However, it is a free development platform, so you must set rules and guidelines for coding.  

Guidelines must have clear and consistent documentation, standardized code formatting, adherence to secure coding practices, and reviews to ensure alignment with best coding practices. In addition, automated frameworks, units, integration, and regression tests must be conducted continuously throughout development. Code anomalies and security vulnerabilities should be identified early using static code analyzers for streamlining the quality assurance and testing phase. 

Conclusion

In the fast and ever-changing world of the SAP Business Technology Platform (BTP), taking advantage of its extraordinary capabilities means paying attention to security protocols. As organizations rush to cash in on the golden opportunities BTP offers, overlooking the need for systemized management and implementing best practices could present substantial danger. Unambiguous rules for tenant obligations, such as regular password changes and restricted access to sensitive data, and secure coding practices, such as input validation and error handling, must be established. Merging new programming languages and technologies requires assiduous system testing and monitoring to ensure that BTP’s potential is utilized without endangering security. By being aware of these issues and proactively minimizing their threats, businesses can strike it rich and remain secure.