SAP BTP Security Reference
Overview
Security must be integrated throughout the development lifecycle, from initial design through production operations. SAP BTP supplies the platform-level controls (platform roles, segregation of duties, and digitally signed audit logs); authentication, authorization, input validation and data protection inside the application remain the developer's responsibility and are covered below.
Security by Development Phase
Explore Phase
| Guideline | Action |
|---|---|
| Secure SDLC Framework | Implement OWASP-aligned development standards |
| Engagement & Training | Clarify stakeholder expectations, train teams |
| Risk Assessment | Identify high-level security risks |
| Threat Modeling | Evaluate industry-specific threats |
| Compliance Planning | Determine applicable regulations (GDPR, HIPAA) |
Discover Phase
| Guideline | Action |
|---|---|
| Map Data Flows | Document sensitive data movement using OWASP Threat Dragon |
| Establish Secure Architecture | Microservice isolation, least privilege, defense-in-depth |
| Validate Third-Party Services | Review security certifications |
| Security in Prototypes | Include input sanitization, mock authentication |
| Plan Data Protection | Anonymize user research data |
| Understand Boundary Conditions | Assess IAM and audit logging integration |
Design Phase
| Guideline | Focus |
|---|---|
| Secure User Interfaces | SAP Fiori authentication and validation |
| Access Control Models | RBAC/ABAC using OpenID Connect/OAuth |
| API Security | OAuth and TLS encryption |
| Secure Extensibility | Isolate and validate custom logic |
| Domain Model Validation | Review CDS models for data protection |
Run and Scale Phase
| Guideline | Focus |
|---|---|
| Continuous Threat Monitoring | SAP BTP observability tools |
| Security Patching | Regular updates to dependencies |
| Secure Auto-Scaling | Tenant isolation in multitenancy |
| Security Audits | Periodic compliance reviews |
| Data Protection | Privacy law compliance |
Common Runtime Threats
| Threat | Description | CAP Mitigation |
|---|---|---|
| SQL Injection | Untrusted input concatenated into SQL statements | CQL queries are compiled to parameterized SQL; never build SQL strings from request data |
| XSS | Script injected through data rendered in the UI | Output encoding by SAPUI5 controls plus server-side validation (`@assert.format`) |
| CSRF | Forged state-changing requests from another origin | CSRF token handling in the Application Router (token fetched via `X-CSRF-Token: Fetch`, validated on modifying requests) |
| Authentication Bypass | Requests accepted without a verified identity | JWT validation through XSUAA/IAS on every request, enforced with `@requires` on services |
CAP Security Implementation
Authentication Setup
```bash
# Add XSUAA-based authentication; generates xs-security.json from the roles used in the CDS model
cds add xsuaa
```
xs-security.json Configuration
Scope names without the `$XSAPPNAME.` prefix are what CAP matches against `to:` in `@restrict`, so the scopes must carry the same names as the roles used in the CDS model (`cds add xsuaa` generates one scope and one role template per role). `$XSAPPNAME` is replaced at deployment with the xsappname plus a tenant index suffix.
```json
{
  "xsappname": "my-app",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "$XSAPPNAME.Viewer",
      "description": "Read access"
    },
    {
      "name": "$XSAPPNAME.Editor",
      "description": "Read and write access"
    },
    {
      "name": "$XSAPPNAME.Administrator",
      "description": "Admin access"
    }
  ],
  "role-templates": [
    {
      "name": "Viewer",
      "scope-references": ["$XSAPPNAME.Viewer"]
    },
    {
      "name": "Editor",
      "scope-references": ["$XSAPPNAME.Viewer", "$XSAPPNAME.Editor"]
    },
    {
      "name": "Administrator",
      "scope-references": ["$XSAPPNAME.Viewer", "$XSAPPNAME.Editor", "$XSAPPNAME.Administrator"]
    }
  ]
}
```
CDS Authorization
```cds
// Role-based access control: role names are the XSUAA scope names without the $XSAPPNAME. prefix
service CatalogService @(requires: 'authenticated-user') {
  @(restrict: [
    { grant: 'READ', to: 'Viewer' },
    { grant: ['READ', 'WRITE'], to: 'Editor' },   // WRITE covers CREATE, UPDATE and DELETE
    { grant: '*', to: 'Administrator' }
  ])
  entity Books as projection on bookshop.Books;

  // Instance-based authorization: any authenticated user reads only their own orders
  // (createdBy is filled by the `managed` aspect); administrators are unrestricted
  @(restrict: [
    { grant: 'READ', where: 'createdBy = $user' },
    { grant: '*', to: 'Administrator' }
  ])
  entity Orders as projection on bookshop.Orders;
}
```
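The following is an added example, not CAP's own code: a self-contained model of how CAP derives roles from the scopes in an XSUAA access token and then evaluates the `@restrict` rules of the `CatalogService` above for a single request. The deployed xsappname (`my-app!t12345`), the decoded token payloads and the user names are constructed for the example; CAP does the real work inside `@sap/cds` and `@sap/xssec`.

```javascript
// Added example (not CAP's own code): XSUAA scopes -> CAP roles -> @restrict evaluation.
// XSAPPNAME, the token payloads and the user names are constructed for this example.

// After deployment XSUAA appends "!t<index>" to xsappname; every "$XSAPPNAME" in
// xs-security.json is replaced by this value, so token scopes look like "my-app!t12345.Viewer".
const XSAPPNAME = 'my-app!t12345';

// Decoded JWT payloads as XSUAA issues them (constructed; signature verification already done).
const ALICE_TOKEN = {
  user_name: 'alice',
  scope: ['openid', 'my-app!t12345.Viewer', 'other-app!t999.Administrator'],
};
const ADMIN_TOKEN = {
  user_name: 'root',
  scope: ['openid', 'my-app!t12345.Viewer', 'my-app!t12345.Editor', 'my-app!t12345.Administrator'],
};

// Roles = scopes of this app with the prefix removed; scopes of other apps are ignored.
function rolesFromToken(token, xsappname = XSAPPNAME) {
  const prefix = `${xsappname}.`;
  const roles = new Set(
    (token.scope || []).filter((s) => s.startsWith(prefix)).map((s) => s.slice(prefix.length))
  );
  roles.add('authenticated-user'); // pseudo-role held by every user with a valid token
  return roles;
}

function userFromToken(token) {
  return { id: token.user_name, roles: rolesFromToken(token) };
}

// The @restrict annotations of the CDS model above, as plain data.
const RESTRICT = {
  Books: [
    { grant: 'READ', to: 'Viewer' },
    { grant: ['READ', 'WRITE'], to: 'Editor' },
    { grant: '*', to: 'Administrator' },
  ],
  Orders: [
    { grant: 'READ', where: 'createdBy = $user' },
    { grant: '*', to: 'Administrator' },
  ],
};

// 'WRITE' is shorthand for all modifying events.
const WRITE_EVENTS = ['CREATE', 'UPDATE', 'DELETE'];

function grantCovers(grant, event) {
  return [].concat(grant).some(
    (g) => g === '*' || g === event || (g === 'WRITE' && WRITE_EVENTS.includes(event))
  );
}

// Returns whether the request may proceed and, when only `where` rules matched, the instance
// filter that would be added to the query ($user replaced by the caller's id).
function authorize(entity, event, user) {
  // @requires: 'authenticated-user' on the service
  if (!user.roles.has('authenticated-user')) return { allowed: false, where: null };
  const applicable = (RESTRICT[entity] || []).filter(
    (r) => grantCovers(r.grant, event) && (!r.to || user.roles.has(r.to))
  );
  if (applicable.length === 0) return { allowed: false, where: null };
  if (applicable.some((r) => !r.where)) return { allowed: true, where: null }; // unconditional grant
  const where = applicable
    .map((r) => r.where.replace('$user', JSON.stringify(user.id)))
    .join(' or ');
  return { allowed: true, where };
}

// Usage
const alice = userFromToken(ALICE_TOKEN);
console.log([...alice.roles]);                    // [ 'Viewer', 'authenticated-user' ]
console.log(authorize('Books', 'READ', alice));   // { allowed: true, where: null }
console.log(authorize('Books', 'UPDATE', alice)); // { allowed: false, where: null }
console.log(authorize('Orders', 'READ', alice));  // { allowed: true, where: 'createdBy = "alice"' }
```

Two points the model makes visible: a scope granted in another application's xsappname (`other-app!t999.Administrator`) never becomes a role here, and a `where` rule without `to` applies to every authenticated user, so the filter, not a role, is what keeps Alice out of other customers' orders.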
Input Validation
Validation annotations are enforced by the generic handlers on every request, so they hold even when a client bypasses the UI:
```cds
entity Books {
  key ID : UUID;
  title  : String(100) @mandatory;                       // rejects missing, null and empty values
  price  : Decimal(10,2) @assert.range: [0, 9999.99];    // inclusive lower and upper bound
  isbn   : String(13) @assert.format: '^[0-9]{13}$';     // regular expression the value must match
}
```
ABAP Security
Authorization Objects
```abap
" Classic authorization check; the IDs must be fields of the object (here S_DEVELOP)
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD iv_package
  ID 'OBJTYPE'  FIELD 'CLAS'
  ID 'ACTVT'    FIELD '02'.            " 02 = change
IF sy-subrc <> 0.
  " Any non-zero value means the check did not pass; never continue silently
  RAISE EXCEPTION TYPE cx_no_authorization.
ENDIF.
```
RAP Authorization
```abap
define behavior for ZI_Travel alias Travel
authorization master ( instance )
{
  // Instance authorization: the framework calls get_instance_authorizations
  // in the behavior implementation class before update, delete and actions
}
```
Behavior Implementation
```abap
METHOD get_instance_authorizations.
  " Check every requested instance, not only the first key
  LOOP AT keys INTO DATA(ls_key).
    DATA(lv_update) = if_abap_behv=>auth-unauthorized.
    " Only evaluate the operation the framework asked about
    IF requested_authorizations-%update = if_abap_true.
      " ZTRAVEL is an assumed custom authorization object with fields TRAVEL_ID and ACTVT
      AUTHORITY-CHECK OBJECT 'ZTRAVEL'
        ID 'TRAVEL_ID' FIELD ls_key-TravelID
        ID 'ACTVT'     FIELD '02'.
      IF sy-subrc = 0.
        lv_update = if_abap_behv=>auth-allowed.
      ENDIF.
    ENDIF.
    APPEND VALUE #( %tky    = ls_key-%tky
                    %update = lv_update ) TO result.
  ENDLOOP.
ENDMETHOD.
```
Authentication Services
SAP Authentication and Trust Management (XSUAA)
Purpose: Issue and validate OAuth tokens and manage application authorizations (scopes, role templates, role collections)
Features:
- OAuth 2.0 / OpenID Connect
- SAML 2.0 federation
- User attribute mapping
- Role collections
Identity Authentication Service (IAS)
Purpose: Cloud-based identity management
Features:
- Single Sign-On (SSO)
- Multi-factor authentication
- Social login integration
- On-premise IdP integration
Configuration
```yaml
# mta.yaml
resources:
  - name: my-xsuaa
    type: org.cloudfoundry.managed-service
    parameters:
      service: xsuaa
      service-plan: application
      config:
        xsappname: my-app
        tenant-mode: dedicated
  - name: my-ias
    type: org.cloudfoundry.managed-service
    parameters:
      service: identity
      service-plan: application
```
Secrets Management
SAP Credential Store (CAP)
Use Cases:
- API keys
- Database credentials
- Third-party service tokens
Access is through the service's REST API (payloads are JWE-encrypted); the snippet below goes through a client wrapper:
```javascript
const { CredentialStore } = require('@sap/credential-store');

// The client reads the bound service instance from the environment; nothing is hardcoded
const credStore = new CredentialStore();

async function readApiPassword() {
  // namespace groups entries (for example per integration), key names the entry
  const password = await credStore.readPassword('namespace', 'key');
  return password; // use it, never log it
}
```
ABAP Communication Management
- Integrated credentials store
- Outbound communication configuration
- Certificate management
Audit Logging
CAP Audit Log Service
```javascript
const cds = require('@sap/cds');

async function logCustomerRead(customerId) {
  // connect.to is asynchronous; 'audit-log' is provided by the @cap-js/audit-logging plugin
  const audit = await cds.connect.to('audit-log');
  // SensitiveDataRead is one of the predefined event types. Attributes are logged by name,
  // never by value. For entities annotated with @PersonalData, CAP emits these events itself;
  // explicit calls are only needed for custom code paths.
  await audit.log('SensitiveDataRead', {
    data_subject: { type: 'Customer', id: { ID: customerId }, role: 'Customer' },
    object: { type: 'Customer', id: { ID: customerId } },
    attributes: [{ name: 'name' }, { name: 'email' }]
  });
}
```
ABAP Audit Logging
Security Audit Log:
- Automatic for security-relevant events
- Configurable event classes
Read Access Logging (RAL):
- Sensitive data access monitoring
- Compliance reporting
Data Privacy
SAP Data Privacy Integration
Capabilities:
- Cross-application privacy features
- End-to-end compliance support
- Data subject access requests
Personal Data Handling (CAP)
```cds
// EntitySemantics marks the data subject so the audit-logging and data-retention
// handlers apply; DataSubjectRole is reported in the audit events
@PersonalData : { EntitySemantics : 'DataSubject', DataSubjectRole : 'Customer' }
entity Customers {
  key ID : UUID;
  @PersonalData.FieldSemantics: 'DataSubjectID'
  customerID : String;
  @PersonalData.IsPotentiallyPersonal
  name : String;
  @PersonalData.IsPotentiallyPersonal
  email : String;
}
```
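The following is an added example, not CAP's own code, and it serves both the CAP Audit Log Service section and the `@PersonalData` model above: a simplified model of the rules the audit-logging plugin applies when deciding which events a read or a modification of `Customers` produces. The annotation map, the extra `creditCardNo` field (standing in for an `@PersonalData.IsPotentiallySensitive` field) and all rows are constructed for the example; the policy of recording old and new values only for non-sensitive fields is this example's choice.

```javascript
// Added example (not CAP's own code): which audit events a read or a modification of a
// @PersonalData-annotated entity produces. Annotation map, creditCardNo and rows are constructed.

// Annotations of the Customers entity as plain data (what the compiled CSN would carry).
const CUSTOMERS = {
  type: 'Customers',
  role: 'Customer',                  // @PersonalData.DataSubjectRole
  dataSubjectId: 'customerID',       // field annotated FieldSemantics: 'DataSubjectID'
  fields: {
    ID: {},
    customerID: {},
    name: { personal: true },        // @PersonalData.IsPotentiallyPersonal
    email: { personal: true },
    creditCardNo: { sensitive: true }, // assumed field, @PersonalData.IsPotentiallySensitive
  },
};

function dataSubject(model, row) {
  return {
    type: model.type,
    id: { [model.dataSubjectId]: row[model.dataSubjectId] },
    role: model.role,
  };
}

// Reads: one SensitiveDataRead per row, naming only sensitive fields that were actually
// selected. Personal-but-not-sensitive fields are not logged on read.
function readEvents(model, rows, selectedColumns) {
  const sensitive = selectedColumns.filter((c) => model.fields[c] && model.fields[c].sensitive);
  if (sensitive.length === 0) return [];
  return rows.map((row) => ({
    event: 'SensitiveDataRead',
    data_subject: dataSubject(model, row),
    attributes: sensitive.map((name) => ({ name })),
  }));
}

// Modifications: one PersonalDataModified per row, listing personal and sensitive fields whose
// value changed. Old/new values are recorded for personal fields only; sensitive values stay out of the log.
function modifyEvents(model, before, after) {
  const changed = Object.keys(after).filter((c) => {
    const f = model.fields[c];
    return f && (f.personal || f.sensitive) && before[c] !== after[c];
  });
  if (changed.length === 0) return [];
  return [{
    event: 'PersonalDataModified',
    data_subject: dataSubject(model, before),
    attributes: changed.map((name) =>
      model.fields[name].sensitive ? { name } : { name, old: before[name], new: after[name] }
    ),
  }];
}

// Constructed rows
const ROWS = [
  { ID: 'u-1', customerID: 'C100', name: 'Ada', email: 'ada@example.com', creditCardNo: '4111111111111111' },
  { ID: 'u-2', customerID: 'C200', name: 'Bob', email: 'bob@example.com', creditCardNo: '5500000000000004' },
];

// Usage
console.log(readEvents(CUSTOMERS, ROWS, ['name', 'email']).length);          // 0
console.log(readEvents(CUSTOMERS, ROWS, ['name', 'creditCardNo']).length);   // 2
console.log(modifyEvents(CUSTOMERS, ROWS[0], { ...ROWS[0], email: 'ada@new.example' })[0].attributes);
```

The model shows why the annotations matter for the log volume as well as for compliance: a list view that never selects the sensitive column generates no read events, while a change to a personal field on a data subject always leaves a trace.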
Security Best Practices
Environment Configuration
- Restrict network access
- Use private endpoints where possible
- Enable WAF protection
Deployment Pipelines
- Code scanning in CI/CD
- Dependency vulnerability checks
- Container image scanning
Secrets
- Never hardcode credentials
- Rotate secrets regularly
- Use managed services
Network
- TLS 1.2+ for all connections
- Certificate pinning where appropriate
- IP allowlisting for sensitive services
Compliance Resources
| Standard | SAP BTP Support |
|---|---|
| GDPR | Data Privacy Integration, audit logging |
| SOC 2 | SAP compliance certifications |
| ISO 27001 | Platform certifications |
| HIPAA | Healthcare-specific controls |
Source Documentation
- Security Considerations: https://github.com/SAP-docs/btp-developer-guide/blob/main/docs/security-considerations-for-applications-a73f6ff.md
- CAP Security Guide: https://cap.cloud.sap/docs/guides/security/
- SAP BTP Security Recommendations: https://help.sap.com/docs/btp/sap-btp-security-recommendations/sap-btp-security-recommendations