Initial commit

2025-11-30 08:55:02 +08:00
commit 6942e32e6b
26 changed files with 7173 additions and 0 deletions
--- a/references/security.md
+++ b/references/security.md
@@ -0,0 +1,327 @@
+# SAP BTP Security Reference
+
+## Overview
+
+Security must be integrated throughout the development lifecycle, from initial design through production operations. SAP BTP provides platform-level security with platform roles, segregation of duties, and audit logging with digital signatures.
+
+## Security by Development Phase
+
+### Explore Phase
+
+| Guideline | Action |
+|-----------|--------|
+| Secure SDLC Framework | Implement OWASP-aligned development standards |
+| Engagement & Training | Clarify stakeholder expectations, train teams |
+| Risk Assessment | Identify high-level security risks |
+| Threat Modeling | Evaluate industry-specific threats |
+| Compliance Planning | Determine applicable regulations (GDPR, HIPAA) |
+
+### Discover Phase
+
+| Guideline | Action |
+|-----------|--------|
+| Map Data Flows | Document sensitive data movement using OWASP Threat Dragon |
+| Establish Secure Architecture | Microservice isolation, least privilege, defense-in-depth |
+| Validate Third-Party Services | Review security certifications |
+| Security in Prototypes | Include input sanitization, mock authentication |
+| Plan Data Protection | Anonymize user research data |
+| Understand Boundary Conditions | Assess IAM and audit logging integration |
+
+### Design Phase
+
+| Guideline | Focus |
+|-----------|-------|
+| Secure User Interfaces | SAP Fiori authentication and validation |
+| Access Control Models | RBAC/ABAC using OpenID Connect/OAuth |
+| API Security | OAuth and TLS encryption |
+| Secure Extensibility | Isolate and validate custom logic |
+| Domain Model Validation | Review CDS models for data protection |
+
+### Run and Scale Phase
+
+| Guideline | Focus |
+|-----------|-------|
+| Continuous Threat Monitoring | SAP BTP observability tools |
+| Security Patching | Regular updates to dependencies |
+| Secure Auto-Scaling | Tenant isolation in multitenancy |
+| Security Audits | Periodic compliance reviews |
+| Data Protection | Privacy law compliance |
+
+## Common Runtime Threats
+
+| Threat | Description | CAP Mitigation |
+|--------|-------------|----------------|
+| SQL Injection | Malicious SQL in inputs | Parameterized queries |
+| XSS | Script injection in UI | Input validation |
+| CSRF | Unauthorized actions | Built-in CSRF protection |
+| Authentication Bypass | Improper session handling | XSUAA integration |
+
+## CAP Security Implementation
+
+### Authentication Setup
+
+```bash
+# Add authentication
+cds add xsuaa
+```
+
+### xs-security.json Configuration
+```json
+{
+  "xsappname": "my-app",
+  "tenant-mode": "dedicated",
+  "scopes": [
+    {
+      "name": "$XSAPPNAME.Read",
+      "description": "Read access"
+    },
+    {
+      "name": "$XSAPPNAME.Write",
+      "description": "Write access"
+    },
+    {
+      "name": "$XSAPPNAME.Admin",
+      "description": "Admin access"
+    }
+  ],
+  "role-templates": [
+    {
+      "name": "Viewer",
+      "scope-references": ["$XSAPPNAME.Read"]
+    },
+    {
+      "name": "Editor",
+      "scope-references": ["$XSAPPNAME.Read", "$XSAPPNAME.Write"]
+    },
+    {
+      "name": "Administrator",
+      "scope-references": ["$XSAPPNAME.Read", "$XSAPPNAME.Write", "$XSAPPNAME.Admin"]
+    }
+  ]
+}
+```
+
+### CDS Authorization
+
+```cds
+// Role-based access control
+service CatalogService @(requires: 'authenticated-user') {
+
+  @(restrict: [
+    { grant: 'READ', to: 'Viewer' },
+    { grant: ['READ', 'WRITE'], to: 'Editor' },
+    { grant: '*', to: 'Administrator' }
+  ])
+  entity Books as projection on bookshop.Books;
+
+  // Instance-based authorization
+  @(restrict: [
+    { grant: 'READ', where: 'createdBy = $user' },
+    { grant: '*', to: 'Administrator' }
+  ])
+  entity Orders as projection on bookshop.Orders;
+}
+```
+
+### Input Validation
+```cds
+entity Books {
+  key ID : UUID;
+  title : String(100) @mandatory;
+  price : Decimal(10,2) @assert.range: [0, 9999.99];
+  isbn : String(13) @assert.format: '^[0-9]{13}$';
+}
+```
+
+## ABAP Security
+
+### Authorization Objects
+```abap
+AUTHORITY-CHECK OBJECT 'S_DEVELOP'
+  ID 'DEVCLASS' FIELD iv_package
+  ID 'OBJTYPE' FIELD 'CLAS'
+  ID 'ACTVT' FIELD '02'.
+
+IF sy-subrc <> 0.
+  RAISE EXCEPTION TYPE cx_no_authorization.
+ENDIF.
+```
+
+### RAP Authorization
+```abap
+define behavior for ZI_Travel alias Travel
+authorization master ( instance )
+{
+  // Authorization check on entity level
+}
+```
+
+### Behavior Implementation
+```abap
+METHOD get_instance_authorizations.
+  DATA(lv_auth) = abap_false.
+
+  " Check authorization for specific instance
+  AUTHORITY-CHECK OBJECT 'ZTRAVEL'
+    ID 'TRAVEL_ID' FIELD keys[ 1 ]-TravelID
+    ID 'ACTVT' FIELD '02'.
+
+  IF sy-subrc = 0.
+    lv_auth = abap_true.
+  ENDIF.
+
+  result = VALUE #( FOR key IN keys
+    ( %tky = key-%tky
+      %update = COND #( WHEN lv_auth = abap_true THEN if_abap_behv=>auth-allowed
+                        ELSE if_abap_behv=>auth-unauthorized ) ) ).
+ENDMETHOD.
+```
+
+## Authentication Services
+
+### SAP Authentication and Trust Management (XSUAA)
+
+**Purpose**: Manage user authorizations
+
+**Features:**
+- OAuth 2.0 / OpenID Connect
+- SAML 2.0 federation
+- User attribute mapping
+- Role collections
+
+### Identity Authentication Service (IAS)
+
+**Purpose**: Cloud-based identity management
+
+**Features:**
+- Single Sign-On (SSO)
+- Multi-factor authentication
+- Social login integration
+- On-premise IdP integration
+
+### Configuration
+```yaml
+# mta.yaml
+resources:
+  - name: my-xsuaa
+    type: org.cloudfoundry.managed-service
+    parameters:
+      service: xsuaa
+      service-plan: application
+      config:
+        xsappname: my-app
+        tenant-mode: dedicated
+
+  - name: my-ias
+    type: org.cloudfoundry.managed-service
+    parameters:
+      service: identity
+      service-plan: application
+```
+
+## Secrets Management
+
+### SAP Credential Store (CAP)
+
+**Use Cases:**
+- API keys
+- Database credentials
+- Third-party service tokens
+
+**Access via REST API:**
+```javascript
+const { CredentialStore } = require('@sap/credential-store');
+
+const credStore = new CredentialStore();
+const password = await credStore.readPassword('namespace', 'key');
+```
+
+### ABAP Communication Management
+
+- Integrated credentials store
+- Outbound communication configuration
+- Certificate management
+
+## Audit Logging
+
+### CAP Audit Log Service
+```javascript
+const cds = require('@sap/cds');
+const audit = cds.connect.to('audit-log');
+
+// Log data access
+await audit.log({
+  type: 'DATA_READ',
+  data_subject: { type: 'Customer', id: customerId },
+  attributes: ['name', 'email']
+});
+```
+
+### ABAP Audit Logging
+
+**Security Audit Log:**
+- Automatic for security-relevant events
+- Configurable event classes
+
+**Read Access Logging (RAL):**
+- Sensitive data access monitoring
+- Compliance reporting
+
+## Data Privacy
+
+### SAP Data Privacy Integration
+
+**Capabilities:**
+- Cross-application privacy features
+- End-to-end compliance support
+- Data subject access requests
+
+### Personal Data Handling (CAP)
+```cds
+entity Customers {
+  key ID : UUID;
+  @PersonalData.FieldSemantics: 'DataSubjectID'
+  customerID : String;
+  @PersonalData.IsPotentiallyPersonal
+  name : String;
+  @PersonalData.IsPotentiallyPersonal
+  email : String;
+}
+```
+
+## Security Best Practices
+
+### Environment Configuration
+- Restrict network access
+- Use private endpoints where possible
+- Enable WAF protection
+
+### Deployment Pipelines
+- Code scanning in CI/CD
+- Dependency vulnerability checks
+- Container image scanning
+
+### Secrets
+- Never hardcode credentials
+- Rotate secrets regularly
+- Use managed services
+
+### Network
+- TLS 1.2+ for all connections
+- Certificate pinning where appropriate
+- IP allowlisting for sensitive services
+
+## Compliance Resources
+
+| Standard | SAP BTP Support |
+|----------|-----------------|
+| GDPR | Data Privacy Integration, audit logging |
+| SOC 2 | SAP compliance certifications |
+| ISO 27001 | Platform certifications |
+| HIPAA | Healthcare-specific controls |
+
+## Source Documentation
+
+- Security Considerations: [https://github.com/SAP-docs/btp-developer-guide/blob/main/docs/security-considerations-for-applications-a73f6ff.md](https://github.com/SAP-docs/btp-developer-guide/blob/main/docs/security-considerations-for-applications-a73f6ff.md)
+- CAP Security Guide: [https://cap.cloud.sap/docs/guides/security/](https://cap.cloud.sap/docs/guides/security/)
+- SAP BTP Security Recommendations: [https://help.sap.com/docs/btp/sap-btp-security-recommendations/sap-btp-security-recommendations](https://help.sap.com/docs/btp/sap-btp-security-recommendations/sap-btp-security-recommendations)