Jana_Cyber
Advisor
 (Jana Subramanian serves as Head of Cybersecurity, APJ Strategic Customer Engagements and is a Fellow of Information Privacy (FIP), awarded by the International Association of Privacy Professionals (IAPP). In this role, Jana supports strategic customer engagements on cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.)

Introduction

Enterprise companies utilize the SAP Business Technology Platform (SAP BTP) for building cloud-native applications, facilitating business automation, integration and extension, data management and enhancing analytics, among many other capabilities. As we all know in this age of digitalization, cybersecurity becomes paramount as businesses increasingly depend on platforms like SAP BTP to fuel innovation, modernize applications, and drive business growth. However, this dependence also brings significant cybersecurity challenges, especially in light of the prevalent vulnerabilities identified by the Open Web Application Security Project (OWASP). The OWASP Top Ten list is a critical awareness document for developers and web application security professionals, outlining the most significant security risks to web applications and offering essential guidance in the realm of cybersecurity.

This blog aims to explore how SAP BTP's comprehensive array of security controls and services aligns with OWASP's best practice approach to safeguard against critical cyber threats. We'll delve into the specific features of SAP BTP that effectively mitigate OWASP vulnerabilities, offering insights into the platform's multi-layered security approach to securing enterprise applications and operations.

Top 10 OWASP Vulnerabilities

SAP BTP is a crucial element in SAP’s cloud architecture. Central to a multitude of SaaS applications utilized by our customers and within SAP itself, SAP BTP maintains platform capabilities for enhanced security, performance and reliability. To secure SAP BTP’s cloud infrastructure, SAP protects the Cloud Foundry environment with HAProxy, load balancers, DNS security, proxy services, Network Address Translation, DDoS protection, network-level segregation, security groups, and stringent access controls, among many other measures, including the security capabilities natively available from the hyperscale providers. Beyond these fundamental protections, SAP BTP offers comprehensive security features specifically designed to mitigate OWASP-type vulnerabilities, equipping customers with powerful tools to safeguard their digital landscapes.


Figure 1: High Level SAP BTP Integration Landscape


Before delving into SAP BTP's security controls, let us summarize the OWASP vulnerabilities last identified as the Top 10.

| Rank | Category | Description |
| --- | --- | --- |
| A1 | Broken Access Control | Inadequate restrictions on what authenticated users are allowed to do. |
| A2 | Cryptographic Failures | Security vulnerabilities where applications fail to properly protect sensitive data through adequate encryption, leading to sensitive data exposure. Causes can be weak cryptographic standards or misconfigured TLS settings. |
| A3 | Injection | Broad class of security vulnerabilities where an attacker can inject malicious data into a program or system, which then gets executed or processed by that system. This can result in unauthorized access to data, data loss, or even complete takeover of the system. Examples include SQL Injection, Cross-Site Scripting, Command Injection, LDAP and XML injection. |
| A4 | Insecure Design | A new category focusing on design flaws and missing security controls. |
| A5 | Security Misconfiguration | Common issues due to insecure default configurations, incomplete setups, etc. |
| A6 | Vulnerable and Outdated Components | Use of unsupported or out-of-date software components. |
| A7 | Identification and Authentication Failures | Expanded from 'Broken Authentication', focusing on flaws in user identity management. |
| A8 | Software and Data Integrity Failures | New category about assumptions in software updates, critical data, and CI/CD pipelines. |
| A9 | Security Logging and Monitoring Failures | Inadequate logging and insufficient monitoring of security events. |
| A10 | Server-Side Request Forgery (SSRF) | New addition focusing on server-side software making unvalidated HTTP requests. |

SAP BTP Security Control to address OWASP Vulnerabilities

In the following section, we will focus on the details of how SAP BTP provides capabilities that can be configured to address OWASP vulnerabilities. For clarity, only high-level capabilities are discussed without going into the nitty-gritty of the configuration.

Rank Category SAP BTP Security Capability to address OWASP Vulnerability
A1 Broken Access Control

Within the SAP Business Technology Platform (SAP BTP), several components and protocols play a crucial role. These include the App Router, API Management service, Identity Authentication Service (IAS), Identity Provisioning Service (IPS), OAuth 2.0 protocol, and OpenID Connect protocol.

1.     App Router

  • Role-Based Access Control (RBAC): Enforces RBAC at the application level, ensuring users access only authorized parts.

  • Route to Services Based on User Roles and Privileges: Routes requests to backend services based on each user's specific roles and privileges.


2.     API Management

  • API-Level Security: Defines security policies for APIs, controlling access and conditions.

  • OAuth 2.0 Integration: Secures API access with OAuth 2.0, ensuring only authenticated users access endpoints.


3.     Identity Authentication Service (IAS)

  • Centralized Authentication: Provides a central mechanism for application and service access, restricting access to authenticated users only. The service can support delegated and federated authentication to a customer-specific IdP.

  • Identity Provider Integration: Enhances security by supporting integration with external providers using SAML and OpenID Connect protocols.


4.     Identity Provisioning Service (IPS) and Identity Access Governance

  • Automated User Management: Automates user provisioning and de-provisioning across cloud and on-premises applications within SAP BTP.

  • Role and Access Synchronization: Synchronizes roles and access rights across systems, ensuring consistent control.


5.     OAuth 2.0

  • Delegated Authorization: Enables applications to access services on behalf of users without needing credentials (delegated authorization).

  • Access Tokens: Provides applications with access tokens for controlled access to APIs and services, based on granted scopes.


6.     OpenID Connect

  • Authentication Layer on Top of OAuth 2.0: Adds an identity layer over OAuth 2.0, providing additional user authentication information.

  • ID Tokens: Issues ID tokens alongside OAuth 2.0 access tokens, containing authenticated user information, enhancing access control further.



The Application Router in SAP BTP, serving as the singular point of entry for applications in the Cloud Foundry environment, performs a multitude of functions. It is responsible for serving static content, authenticating users, rewriting URLs, and forwarding or proxying requests to other microservices with user information propagation. This versatile router is accessible as a library on npmjs.com under @sap/approuter and as a container image on Docker Hub at https://hub.docker.com/r/sapse/approuter.
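
The route-level scope check described above can be modelled in a few lines. This is an added example, not code from the original post or from @sap/approuter: the property names `source`, `destination`, `scope` and `authenticationType` follow xs-app.json route definitions, while the app name, scopes, paths, destinations and the `authorize` helper are constructed for illustration.

```javascript
// Added example: a simplified model of scope checks on routes, not the
// @sap/approuter implementation. Property names follow xs-app.json routes;
// the app name, scopes, paths and destinations are constructed.
const XSAPPNAME = "demoapp!t0001";

const routes = [
  { source: "^/admin/(.*)$", destination: "admin-srv", scope: "$XSAPPNAME.Admin" },
  {
    source: "^/orders/(.*)$",
    destination: "orders-srv",
    // Per-method scopes: reading needs Viewer or Admin, everything else Admin.
    scope: { GET: ["$XSAPPNAME.Viewer", "$XSAPPNAME.Admin"], default: "$XSAPPNAME.Admin" },
  },
  { source: "^/public/(.*)$", destination: "static", authenticationType: "none" },
  { source: "^/(.*)$", destination: "ui", scope: "$XSAPPNAME.Viewer" }, // catch-all last
];

// Scopes a route demands for this HTTP method. Returns null when a per-method
// scope object has no matching entry, so the model fails closed.
function requiredScopes(route, method) {
  let scope = route.scope;
  if (scope && typeof scope === "object" && !Array.isArray(scope)) {
    scope = scope[method] ?? scope.default ?? null;
  }
  if (scope === null) return null;
  if (scope === undefined) return [];
  return [].concat(scope).map((s) => s.replace("$XSAPPNAME", XSAPPNAME));
}

// request = { method, path, claims }; claims is the already verified token
// payload (signature, issuer and expiry validation are assumed done upstream).
function authorize(routeTable, request) {
  const route = routeTable.find((r) => new RegExp(r.source).test(request.path));
  if (!route) return { status: 404 };
  if (route.authenticationType === "none") {
    return { status: 200, destination: route.destination };
  }
  if (!request.claims) return { status: 401 };
  const needed = requiredScopes(route, request.method);
  if (needed === null) return { status: 403 };
  const granted = new Set(request.claims.scope || []);
  if (needed.length > 0 && !needed.some((s) => granted.has(s))) {
    return { status: 403 };
  }
  return { status: 200, destination: route.destination };
}

// Constructed token payloads.
const viewer = { scope: [`${XSAPPNAME}.Viewer`] };
const admin = { scope: [`${XSAPPNAME}.Admin`] };

// Misordered table: the catch-all shadows the /admin route.
const misordered = [routes[3], ...routes.slice(0, 3)];

console.log(authorize(routes, { method: "GET", path: "/admin/users", claims: viewer }));
console.log(authorize(routes, { method: "POST", path: "/orders/7", claims: viewer }));
console.log(authorize(misordered, { method: "GET", path: "/admin/users", claims: viewer }));
```

Because the first matching route wins in this model, placing the catch-all route ahead of `/admin` means the Admin scope is never evaluated for that path, which is why route order belongs in configuration review.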


Figure 2: Secure Flow with AppRouter

Rank Category SAP BTP Security Capability to address OWASP Vulnerability
A2 Cryptographic Failures

1.     Encryption of Data in Transit and at Rest

  • TLS for Data in Transit: SAP BTP utilizes Transport Layer Security (TLS) to encrypt data transmitted over the network, preventing eavesdropping and tampering. SAP BTP supports TLS 1.2 and above.

  • Encryption of Data at Rest: Sensitive data stored within SAP BTP services, such as databases and file storage, is encrypted using industry-standard algorithms to safeguard it against unauthorized access.


2.     Secure Key Management

  • Centralized Key Management Service: SAP BTP provides a dedicated service for managing cryptographic keys, ensuring secure storage, regular rotation, and strict access control of encryption keys. This is facilitated by the SAP Data Custodian Key Management Service, available for SAP HANA Cloud and SAP Analytics Cloud (Private Edition). This is an additional service that can be integrated with the SAP BTP services in scope. SAP also maintains a credential store for storing cryptographic materials.


3.     Secure Cryptographic Algorithms

  • Use of Strong Algorithms: SAP BTP employs robust, industry-standard cryptographic algorithms for encryption, hashing, and digital signatures. These algorithms offer strong protection against known and emerging cryptographic attacks.


4.     Compliance with Security Standards

  • Adherence to Security Best Practices and Standards: SAP BTP complies with recognized international security standards such as FIPS-140 for the cryptographic modules and libraries. This compliance assures high levels of data protection and promotes trust among users.


5.     Secure Communication Protocols

  • Enforced Secure Protocols: The platform enforces the use of secure communication protocols, such as HTTPS, for all data exchanges. This reduces the risk of data being intercepted or manipulated during transmission.


6.     Access Control

  • Fine-Grained Access Control: SAP BTP implements strict access control measures, ensuring that only authorized personnel have access to sensitive data and encryption keys. This granular approach minimizes the risk of unauthorized access and data breaches.

Rank Category SAP BTP Security Capability to address OWASP Vulnerability
A3 Injection

1.     API Management

  • Input Validation: SAP API Management includes features for validating input data. It can enforce checks on the inputs sent to APIs, ensuring they meet the expected format and type, thus preventing injection attacks.

  • Policy-Based Access Control: It allows defining and enforcing policies that can restrict what types of calls and operations can be performed through the API, reducing the attack surface for injection.

  • Rate Limiting and Quota Management: By controlling the rate and volume of API calls, SAP API Management can prevent or mitigate the impact of certain injection attacks, such as those trying to flood the system with malicious requests.


2.     AppRouter

  • URL Rewriting and Redirection Safeguards: AppRouter can rewrite and redirect URLs in a secure manner, ensuring that untrusted input doesn’t lead to malicious destinations or actions.

  • Authentication and Authorization: It handles user authentication and authorization, ensuring that only properly authenticated and authorized users can access certain functionalities, thereby limiting the potential for malicious injection.


3.     Secure Software Development Lifecycle Approach

  • Prepared Statements and Parameterized Queries: For services interacting with databases, using prepared statements and parameterized queries is a key defense against SQL injection. This ensures that user input is treated strictly as data, not executable code.

  • Content Security Policy (CSP): Implementing CSP in web applications can help prevent certain types of injection attacks, like XSS (Cross-Site Scripting).

  • Regular Security Scanning and Auditing: Continuous monitoring and regular security audits can help in early detection of vulnerabilities, including potential injection flaws.

  • Secure Coding Practices: SAP encourages and facilitates secure coding practices, which include proper input validation, sanitization, and the use of frameworks that inherently reduce the risk of injection.

  • Educational Resources and Training: SAP provides resources and training for developers to understand and prevent security vulnerabilities, including injection attacks.



SAP API Management empowers developers to build secure APIs by providing features and policies specifically designed to address common vulnerabilities. This significantly enhances the security of API interactions and offers robust protection against a wide range of cyber threats. Additionally, the platform's ability to enforce stringent security policies, coupled with its seamless integration with other SAP security tools, makes it an indispensable component in strengthening API ecosystems.


Figure 3: API Management Policies


The following diagram offers a high-level view of the secure flow involving AppRouter and API Management.


Figure 4: Secure Flow with API Management

A4 Insecure Design SAP BTP Security Capability to address OWASP Vulnerability
A5 Security Misconfiguration

  • Secure Defaults: SAP BTP is designed with security-focused default configurations, reducing the risk of misconfigurations that can lead to security vulnerabilities.

  • Guided Configuration: The Integration Advisor provides guided configuration steps, helping users to accurately configure integration scenarios. This reduces the risk of security misconfigurations which can occur due to manual errors or misinterpretation of settings.

  • Secure Credential Store: SAP provides a secure store that allows developers to store signing keys and certificates securely within the platform.

  • Best Practice Templates: It offers pre-defined configuration templates that are aligned with security best practices. This ensures that integrations are set up securely right from the start, minimizing the likelihood of introducing vulnerabilities.

  • Custom Mapping Recommendations: By analysing business context and requirements, the Integration Advisor can suggest custom mappings and configurations that adhere to security standards, further reducing the risk of insecure setups.

  • Secure Software Supply Chain, Regular Scanning and Updates, Compliance with Security Standards, Regular Security Audits

  • Multi-Factor Authentication (MFA): Provides robust authentication mechanisms, including MFA, to strengthen user authentication processes.

  • Single Sign-On (SSO): Supports SSO capabilities, reducing the risk of authentication failures due to multiple credential management. Supports SAML 2.0, OpenID, and OAuth 2.0.

  • Secure Software Development Lifecycle (SSDLC) at SAP

  • SSDLC Integration: SAP incorporates SSDLC practices throughout the development process of its products, including SAP BTP. This means security is a priority at every stage, from design and development to deployment and maintenance.

  • SAST and DAST

  • DAST (dynamic application security testing):

      • Provides black box security testing.

      • Scans a running application.

      • Finds vulnerabilities in the final solution (prior to delivery).

      • Ensures high-quality security validation before delivery.

      • Can discover runtime and environment-related issues.

      • Typically scans Web applications and Web services.

  • SAST (static application security testing):

      • Provides white box security testing.

      • Scans source code.

      • Prevents vulnerabilities early in the security development lifecycle (SDLC).

      • Fully integrated into the development process, hence highly effective at preventing vulnerabilities.

  • Continuous Security Assessment: As part of the SSDLC, SAP conducts continuous security assessments to identify and mitigate potential vulnerabilities early in the development process.

  • Security Training for Developers: SAP ensures that its development teams are trained in secure coding practices, staying updated with the latest security trends and threats.

  • Security by Design: By adhering to the principles of 'security by design', SAP integrates security considerations into the software architecture from the ground up, reducing the likelihood of vulnerabilities.

  • Contractual Assurances

  • Data Protection and Compliance: SAP provides contractual assurances to its customers regarding data protection, privacy, and compliance with relevant regulations (like GDPR, HIPAA).

  • Transparent Security Practices: SAP maintains transparency in its security practices, providing customers with detailed information on how their data is protected.

  • Regular Audits and Certifications: SAP undergoes regular external audits and obtains certifications to validate its adherence to high security and data protection standards.

  • Technical and Organizational Security Measures: These measures include a comprehensive set of policies, processes, and technologies that SAP implements to ensure the security of its software and protect customer data.

  • SAP Cloud Identity Services - A suite of services for user authentication and lifecycle management

  • SAP Authorization and Trust Management Service - Manage application authorizations and trust for SAP BTP

  • Platform Authorizations Management API - Functionality for managing subaccount members.

  • SAP Connectivity Service - Manage destinations and securely connect to on-premises systems.

  • SAP Credential Store Service - Managing passwords and keys.

  • Audit Log Retrieval API - Functionality for retrieving audit logs.

  • SAP Malware Scanning Service - Scan business documents uploaded by your custom-developed applications for malware.




Figure 5: Secure Authentication and Authorization Flow


The authentication and authorization flow is explained well with a diagram in the book “Architecting Solutions with SAP Business Technology Platform” by Serdar Simsekler, Eric Du.

Rank Category SAP BTP Security Capability to address OWASP Vulnerability
A9 Security Logging and Monitoring Failures

1.     Comprehensive Logging

  • Detailed Activity Logs: SAP BTP maintains detailed logs of all activities, including user actions, system events, and errors. This helps in identifying suspicious activities and potential security incidents.

  • Audit Trails: Audit trails are kept for critical operations, providing a clear record of who did what and when, which is crucial for security audits and investigations.

  • Audit Log Retrieval API - Functionality for retrieving audit logs.


2.     Real-time Monitoring and Alerting

  • Continuous Monitoring: The platform continuously monitors for unusual activities and potential security threats. This includes monitoring of network traffic, user activities, and system performance. This is being performed by SAP Security Operations.

  • Automated Alerts: In case of suspicious activities or identified threats, the system generates automated alerts, enabling rapid response to potential security incidents. This is internally managed as a part of SAP BTP Security Operations.


3.     Security Information and Event Management (SIEM) Integration

  • Integration with SIEM Tools: SAP BTP can integrate with Security Information and Event Management (SIEM) tools, allowing for advanced analysis of log data, correlation of events, and more effective detection of potential security issues.


 


Figure 6: Audit API Retrieval Log

Rank Category Description
A10 Server-Side Request Forgery (SSRF)

  • Input Validation and Sanitization: SAP BTP employs stringent input validation and sanitization to ensure that URLs and other input data are valid and do not contain malicious content. This is crucial in preventing attackers from injecting malicious URLs that could lead to SSRF.

  • Network Segmentation and Access Controls: By segmenting networks and enforcing strict access controls, SAP BTP limits the ability of a server-side application to make requests to unauthorized or sensitive internal resources, reducing the risk of successful SSRF attacks.

  • URL Allowlisting: SAP BTP supports URL allowlisting, where applications can only communicate with a predefined list of safe and approved external services or domains, preventing requests to potentially harmful URLs.

  • Many of the controls explained for App Router and API Management will apply to mitigate this vulnerability.
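
An application-side version of the URL validation and allowlisting controls listed above, as an added example that is not part of the original post and not an SAP BTP API. The hostnames, ports and the helper names `checkOutboundUrl` and `checkRedirectChain` are constructed; the check goes slightly beyond the bullets by also validating each hop of a redirect chain.

```javascript
// Added example: application-side allowlist check for outbound URLs.
// Hostnames, ports and helper names are constructed; this is not an SAP BTP API.
const ALLOWED_HOSTS = new Map([
  ["api.partner.example", new Set([443])],
  ["files.vendor.example", new Set([443, 8443])],
]);

// Validate one URL: HTTPS only, no embedded credentials, exact host match
// (no suffix or substring matching), and an approved port for that host.
function checkOutboundUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username !== "" || url.password !== "") return { ok: false, reason: "userinfo" };
  // The URL parser lowercases the hostname, so the lookup runs on the
  // normalized value rather than on the raw string.
  const ports = ALLOWED_HOSTS.get(url.hostname);
  if (!ports) return { ok: false, reason: "host" };
  const port = url.port === "" ? 443 : Number(url.port);
  if (!ports.has(port)) return { ok: false, reason: "port" };
  return { ok: true, url: url.href };
}

// Validate a redirect chain hop by hop. Location values may be relative, so each
// one is resolved against the previous URL before the same check is applied.
function checkRedirectChain(start, locations) {
  let verdict = checkOutboundUrl(start);
  let current = start;
  for (const location of locations) {
    if (!verdict.ok) break;
    try {
      current = new URL(location, current).href;
    } catch {
      return { ok: false, reason: "unparseable", url: location };
    }
    verdict = checkOutboundUrl(current);
  }
  return { ...verdict, url: current };
}

// Constructed inputs.
const samples = [
  "https://API.Partner.Example/v1/orders",
  "https://api.partner.example@internal.corp.example/",
  "https://api.partner.example.untrusted.example/",
  "https://files.vendor.example:8443/report.pdf",
  "http://api.partner.example/v1/orders",
];
for (const s of samples) console.log(s, checkOutboundUrl(s));
console.log(checkRedirectChain("https://api.partner.example/v1", ["/v2", "https://10.0.0.5/status"]));
```

The check covers the URL string only; an allowlisted name that resolves to an internal address still has to be stopped at the network layer, which is the role of the segmentation and access-control bullet above.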



Additional References:

S.No Description
1 SAP Cloud Platform API Management – API Security Best Practices Blog Series
2 SAP API Management Documentation
3 SAP BTP Application Router
4 Architecting Solutions with SAP Business Technology Platform: An architectural guide to integrating,...

Conclusion

SAP Business Technology Platform (SAP BTP) delivers robust security for developers looking to modernize applications, integrate systems, or build extensions. With its comprehensive security measures, SAP BTP offers exceptional protection against a range of OWASP vulnerabilities, a crucial consideration in today’s digital landscape. This level of security is especially vital for developers who need to ensure the safety and integrity of their applications against various web threats.

At the infrastructure layer, SAP has designed and deployed a multi-layered security architecture, utilizing both hyperscale cloud capabilities and a suite of validated third-party and open-source tools and services. For developers, SAP BTP provides a solid security framework encompassing an array of features such as the App Router, API Management, robust authentication and authorization processes, built-in security services for credential store, Secure KMS, thorough audit logging, and efficient malware scanning for documents. These integrated security features effectively mitigate risks and minimize the potential for web application attacks, offering each SAP BTP customer a secure and reliable cloud environment for their business needs.

Disclaimer:

© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.

 