Automating DevSecOps to Better Secure SAP Systems


Key Takeaways

  • Cyber threats targeting ERP systems are increasing rapidly, necessitating integrated and automated security measures during development and deployment.

  • Onapsis' updates enhance security by embedding automated code scanning within CI/CD pipelines and establishing transport governance as a critical security checkpoint.

  • Organizations must proactively monitor and harden connectivity points to mitigate vulnerabilities and adapt to evolving attacker strategies.

The velocity of cyber threats targeting enterprise resource planning (ERP) systems has fundamentally shifted over the past year. Exploitation windows for SAP vulnerabilities have collapsed to just hours, while targeted attacks on mission-critical SAP environments have surged. In the cloud, the reality is even starker: new SAP applications are often probed by adversaries within hours of deployment.

For CIOs and CISOs navigating the transition to RISE with SAP (now SAP Cloud ERP Private) and the SAP Business Technology Platform (BTP), these statistics represent significant security risks. Security can no longer be a retrospective audit activity; it must be an integrated, automated enabler of transformation. Onapsis has released its Q4 2025 platform updates to address this reality directly, embedding protection into the very fabric of SAP DevSecOps.

Securing the SAP BTP and Code Lifecycle

As organizations accelerate innovation via SAP BTP, the definition of “SAP code” has expanded beyond traditional ABAP to include cloud applications. Onapsis’ latest update delivers robust code security testing integrated directly into SAP CI/CD, ensuring that every extension and custom application is vetted for security and compliance before it runs.


This capability is vital for maintaining speed without sacrificing control. The Onapsis Platform has expanded Git repository coverage to include support for gCTS and Bitbucket, alongside existing support for GitLab, GitHub, Azure Repos, and abapGit. This allows development teams to scan code “at rest” and enforce security standards early in the lifecycle. Whether developing in ABAP or non-ABAP languages, organizations can now automate checks across the software supply chain, effectively closing the door on vulnerabilities before they enter the repo.

Transport Governance

Even with secure coding practices, the transport process remains a critical control point. A single misconfigured transport can undo months of stability. To address this need, Onapsis has introduced a new SAP Transport Management System (TMS) approval workflow that acts as an automated gatekeeper.

This feature automatically scans transports for critical vulnerabilities as they move toward production. Crucially, it empowers operations teams to block risky transports programmatically. By embedding this logic into the standard change management process, enterprises can prevent exploitable code or dangerous misconfigurations from reaching productive systems. This protects the integrity of both on-premise and hybrid landscapes without slowing down release cycles.

Runtime Protection for Exposed Assets

As SAP environments become increasingly multi-cloud, the attack surface expands to connectivity layers. Recognizing this, Onapsis has bolstered its Assess and Defend modules to cover the most exposed components of the SAP architecture.

New vulnerability scans for SAP Web Dispatcher align with SAP’s Security Baseline Template, giving teams visibility into this critical gateway, which often faces the open internet. Furthermore, enhanced monitoring for the SAP Cloud Connector now combines point-in-time assessment with continuous alerting. If a configuration change occurs that violates policy or introduces connectivity risk, security teams are notified immediately.

Additionally, the new “Alert on Anything” capability for SAP HANA and Java assets allows customers to define custom alerts based on specific log data. This flexibility ensures that monitoring extends beyond out-of-the-box rules, adapting to unique organizational threat models.

Preparing for 2026

As SAPinsiders look toward 2026, the gap between attacker innovation and defender response time will define business resilience. SAP leaders must evaluate their current DevSecOps maturity. Are you scanning code only during audits, or at the commit? Is your transport process a rubber stamp, or a security gate?

To stay ahead, organizations must operationalize these new capabilities. By integrating scanning into CI/CD pipelines and hardening connectivity points like the Web Dispatcher, businesses can confidently pursue RISE with SAP, knowing their digital core is secure by design.

What This Means for SAPinsiders

Embed security into SAP development. Prioritize integrating CI/CD with automated code security and compliance checks for all SAP BTP extensions, not just core ERP changes. Standardize Git-based workflows across teams (including gCTS and Bitbucket) to enforce mandatory scanning before merge or release, using findings to drive secure coding training.

Make transport management approvals a security control point. Transform the SAP TMS approval workflow into a formal security gate. Ensure transports are automatically scanned and that policies are set to block high-risk changes. Regularly review these results to identify recurring bad practices and improve upstream development.
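The two recommendations above (mandatory scanning before merge or release, and a TMS approval step that blocks high-risk changes rather than rubber-stamping them) share one mechanism: a policy gate that turns scan findings into an allow/block decision. The block below is an added illustration of such a gate and is not Onapsis code; the finding and policy structures, the sample findings and the exception list are all constructed here for the example. It fails closed on findings whose severity it cannot classify and only honours risk acceptances that have not expired, so that waived findings still surface for the periodic review the article recommends.

```python
"""Constructed example of a security gate for a merge or transport approval step.

The findings format, policy shape and sample data are assumptions made for this
illustration; they are not the data model of any scanner or of SAP TMS.
"""
import sys
from dataclasses import dataclass, field
from datetime import date

# Severity ordering used to compare findings against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # hypothetical scanner-assigned identifier
    severity: str
    obj: str          # affected object (e.g. an ABAP class or report), constructed
    title: str


@dataclass
class GatePolicy:
    block_at: str = "high"  # block when any finding is at least this severe
    # Risk-accepted finding ids mapped to the date the acceptance expires.
    exceptions: dict = field(default_factory=dict)


@dataclass
class GateDecision:
    allowed: bool
    blocking: list   # findings that cause the block
    waived: list     # findings covered by a still-valid exception (for review)


def evaluate_gate(findings, policy, today):
    """Return the gate decision for a set of findings under the given policy."""
    threshold = SEVERITY_RANK[policy.block_at]
    blocking, waived = [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            # Unknown severity: fail closed rather than silently let it through.
            blocking.append(f)
            continue
        if rank < threshold:
            continue
        expiry = policy.exceptions.get(f.finding_id)
        if expiry is not None and expiry >= today:
            waived.append(f)       # time-bounded risk acceptance still valid
        else:
            blocking.append(f)     # no exception, or the exception has lapsed
    return GateDecision(allowed=not blocking, blocking=blocking, waived=waived)


def summarize(decision):
    """Human-readable lines for the pipeline log or the TMS approver."""
    lines = ["DECISION: " + ("ALLOW" if decision.allowed else "BLOCK")]
    for f in decision.blocking:
        lines.append(f"  BLOCK  {f.finding_id} [{f.severity}] {f.obj}: {f.title}")
    for f in decision.waived:
        lines.append(f"  WAIVED {f.finding_id} [{f.severity}] {f.obj}: {f.title}")
    return lines


# Constructed sample input: what a scan of one transport might report.
SAMPLE_FINDINGS = [
    Finding("F-001", "critical", "ZCL_ORDER_API", "Dynamic SQL built from user input"),
    Finding("F-002", "high", "ZFM_EXPORT", "Missing authorization check before export"),
    Finding("F-003", "high", "ZREP_LEGACY", "Hard-coded client in report"),
    Finding("F-004", "medium", "ZCL_UTIL", "Unused variable"),
    Finding("F-005", "unrated", "ZX_MISC", "Scanner could not classify this object"),
]
# Constructed policy: F-002 is risk-accepted until mid-2026; F-003's acceptance lapsed.
SAMPLE_POLICY = GatePolicy(
    block_at="high",
    exceptions={"F-002": date(2026, 6, 30), "F-003": date(2025, 1, 31)},
)
SAMPLE_TODAY = date(2025, 12, 1)

if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_POLICY, SAMPLE_TODAY)
    print("\n".join(summarize(result)))
    # A non-zero exit is what makes the CI job or approval step actually fail.
    sys.exit(0 if result.allowed else 1)
```

Run as a pipeline step, the script's exit status is the gate: the merge or transport release proceeds only on exit 0. With the sample data it blocks on the critical finding, the high finding whose acceptance has expired, and the unclassified one, while listing the still-valid waiver separately so it is visible to reviewers rather than hidden.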

Harden exposed SAP connectivity and entry points. Implement regular scanning for SAP Web Dispatcher to align with SAP’s Security Baseline Template. Use combined capabilities to baseline and monitor SAP Cloud Connector configurations, and leverage capabilities like “Alert on Anything” to create custom detections for high-risk admin activities or unusual changes.
