With the recent discovery of several serious vulnerabilities in common development packages, application development security is increasingly more top of mind for many IT executives. Events like the discovery of vulnerabilities in Log4j, as well as other significant vulnerabilities that have since been identified, have forced organizations to take a long, hard look at how they conduct application development in order to improve their mindset and culture and ultimately automate a “DevSecOps” approach to SAP change management.

DevSecOps is a relatively new term to the SAP world and stands for development, security, and operations. In the past, security was applied by an isolated team just before being released into production. This outdated approach is problematic, especially for organizations looking to embrace an agile approach to managing their SAP environment.

Today’s “shift left” methodology emphasizes the importance of identifying potential issues as early as possible in the development cycle, so they can be rectified before advancing any further. It was from this approach that the vision of DevSecOps was born.

DevSecOps emphasizes the necessity of including security early on as an integral part of the entire development life cycle. It requires integrating the right security tools into the development workflow and then automating the process to ensure development doesn’t slow down.

Adopting a DevSecOps approach

One way to begin adopting a DevSecOps approach is to invest in the best-of-breed change management and security compliance solutions to augment your existing development environments.

First, it’s highly recommended that you implement a change management tool that creates an enforceable workflow process. It must be able to manage all changes from their creation in development – through the complex security and testing process to its final safe release into production.

Next, your teams need an automated code analysis tool that can deeply scan SAP code for issues affecting security, compliance, performance, robustness, maintainability, and even data loss.

Best practices dictate that these solutions should integrate in meaningful ways to streamline their usefulness and effectiveness while encouraging adoption by your teams. By creating one seamless DevSecOps solution, your teams can build security unconsciously into the very framework of their development process.

What happens when you integrate these technologies into your development processes?

  • Security is automatically built into your change management process.
  • Security checks are triggered at multiple points in the development cycle to ensure vulnerabilities and code issues are detected (and fixed) as early as possible.
  • Non-compliant code is prevented from progressing through the landscape.
  • The change management process is simplified as the right tool is automatically called on at the right time.
  • CAB and Product Managers can confidently sign off on production releases, knowing changes have undergone a rigorous security screening process.

The Rev-Trac / Onapsis Solution

Rev-Trac has recently formed a strategic partnership with Onapsis, SAP’s chosen partner for cybersecurity, to offer the market an integrated, best-of-breed SAP DevSecOps solution. This hand-off integration with Onapsis’ flagship products, Control for Code and Control for Transports, utilizes a “shift left” approach to identify security vulnerabilities and code issues before transports are released from the development system.

As part of the development workflow, Rev-Trac will automatically pass objects and transports to Onapsis Control for deep analysis and then wait for a result. If the outcome is positive, Rev-Trac continues with its workflow. However, if the outcome is negative, the transports will be prevented from progressing until the developers have rectified the issues.

For SAP teams that adopt this integrated solution, the advantages are numerous and include:

  • Security vulnerabilities are automatically detected in development long before they can cause harm in the production system;
  • Instant security reports mean rapid issue resolution in development;
  • Agility and safety now go hand in hand when delivering SAP changes;
  • CAB gain peace of mind knowing that all code has been screened for security vulnerabilities; and
  • ROI on the entire development toolset is maximized thanks to Rev-Trac’s enforceable, customisable workflow capabilities.


More about Onapsis

Onapsis protects the business-critical applications that run the global economy. The company’s cybersecurity offering, The Onapsis Platform, uniquely delivers vulnerability management, threat detection and response, application security testing, and continuous compliance for business-critical applications from leading vendors such as SAP, Oracle, and other SaaS platforms.

Their technology is powered by the threat intelligence and insights from the Onapsis Research Labs, the team responsible for the discovery and mitigation of more than 800 zero-day vulnerabilities in business-critical applications.