Why is SAP Business Application Studio a safe development environment?
I believe you are already familiar with SAP Business Application Studio (a.k.a. BAS), have tried out its features and productivity tools, and understand the benefits of using BAS for developing business applications.
However, when starting your journey with our IDE, you might wonder whether it is safe to use BAS for developing your company’s projects and want to know more about how we handle security and data protection in our product.
In this blog, I collected materials that should answer your questions related to this sensitive topic.
Your security is our top priority!
SAP Business Application Studio is developed by a professional team with extensive experience in cloud security. BAS is designed and implemented according to high standards and industry best practices for security and data protection. We constantly check our product’s compliance with these standards using several validation technologies and procedures, such as code scanning, threat modeling, and penetration tests. Regular internal and external security audits confirm that BAS provides all the required means for safe usage. The reports are available upon request to all external interested parties in the SAP Trust Center:
BAS stores your data, but you still have full control over it
SAP Business Application Studio is a cloud development environment. Therefore, your project’s source code and binaries, personal data that we collect to provide you with the IDE services (e.g. user ID), and your development activities, are entirely hosted on SAP Cloud Platform running on multiple cloud infrastructure providers.
However, you, as the owner, have full control over the stored information.
BAS stores and processes your data only in the regions and based on an infrastructure provider (IaaS) that you selected when creating your subaccount. For more information, see Selecting a Region.
The availability of your data is assured by mechanisms of autosaving, replications, backup, and disaster recovery.
As a developer, you can access your projects through a web browser and perform your development activities in remote dev spaces (see the section below).
As an administrator representing the data controller (your company), you can fulfill the GDPR requirements and export or delete personal data of a specific user following these guidelines:
If for any reason, you decide to stop using the service by deleting your entire SAP Cloud Platform account or subaccount or unsubscribing from the service itself, all the data passed to BAS from the relevant account/subaccount is automatically removed.
BAS provides secure dev spaces for your development activities
For your development activities in BAS, you create dev spaces that are equipped with the tools, resources, and runtimes required for developing a specific business scenario. You can learn more about dev spaces in this blog by Nachshon Vagmayster.
Access to dev spaces is protected and can be controlled by SAP Cloud Platform mechanisms for tenant and authorization management, including the option of using your own custom identity provider. See Manage Authorizations for more information.
Dev spaces are completely isolated from each other, i.e. processes running in one dev space cannot access processes or resources, including the file system, from another dev space, even if it belongs to the same user.
We update the tools of a dev space automatically on every dev space re-start. Therefore, with BAS dev spaces, you not only avoid the complex and time-consuming process of installation and configuration of the required tools, but you also ensure that you are running their latest security updates.
For more information about BAS architecture and dev spaces security, you can read the following:
Your development security is also your responsibility
Upon creating a dev space, you get everything you need to develop a business application of the selected type. At the same time, the dev space remains open. This means you can extend it for your needs by installing additional tools or by consuming additional packages/libraries in your projects. Read these blogs for details and interesting examples:
- Extending SAP Business Application Studio development environment and Enrich your SAP Business Application Studio Dev Space with Community VS Code Extensions, blogs by Ohad Navon.
- Xtending Business Application Studio, series of blogs by Andrew Lunde.
We encourage you to leverage the openness and extensibility capabilities of BAS to build a dev space that fully satisfies your development needs. However, please make sure you are aware of the SAP Business Application Studio official statement regarding using additional tools in your dev spaces included in the Using Additional Tools section (at the bottom of the page).
This statement relates to any piece of software you add to your development environment as well as to any project files. For example:
- Code snippets that you copy from internet sites and paste into your project files.
- Files that you upload to your workspace.
- ‘npm’ modules that you install by running ‘npm’ commands (e.g. ‘npm install’) in the BAS terminal.
- Additional packages/components/modules that you define and consume as dependencies in your project, e.g. via the ‘package.json’ file of ‘npm’ projects.
- Yeoman generators that you install via the dedicated UI.
- VS Code extensions from the Open VSX Registry that you install via the BAS Extensions view.
To avoid potential risks, keep your development environment safe, and produce secure applications, consider incorporating the following into your development process routine. These recommendations are considered best practice for any environment, including your personal laptop.
- In your development environment and projects, consume tools from reputable sources only, also when upgrading to new versions. Keep these tools up-to-date to ensure you have the latest security fixes.
- Use a source-control system to back up your development code.
- Restrict access to and usage of productive landscapes for development purposes:
  - Connect the required systems only, e.g. by using the SAP Cloud Connector (see the next section for more details), and control access to them by configuring proper authentication and authorization (e.g. read-only scope).
  - Do not deploy applications to your productive environment directly from BAS.
  - Do not use productive backend systems or real data for your development. Use test landscapes or mock data instead.
- Run security processes, e.g. code scanning, before production delivery.
In this context, it is worth mentioning one more advantage of using a BAS dev space over a local machine. If by any chance you install something that causes the dev space to malfunction, you can download the dev space content, delete the space, and create a new one within minutes.
Safe connection to on-premise backend and corporate source control systems
While working on your application in BAS, you sometimes need to access systems in your on-premise landscape. For example, you may want to use the corporate source control system (Git repositories), or your application may consume services and data exposed by the ABAP back-end system (see this blog by Yuval Morad). These systems and services can be accessed from the dev space by using the SAP Cloud Connector, the SAP product dedicated to providing secure connectivity to on-premise systems. For more information on this topic, you can read the following:
- Cloud Connector, in the SAP Cloud Platform Connectivity documentation.
- Connect to your Corporate Git System, which contains information on how to use your enterprise (on-premise) Git from BAS.
- How To Connect Your Corporate Github To SAP Business Application Studio, blog by Samuel Davies.
- SAP Cloud Platform Cloud Connector – A Brief Guide for Beginners, blog by Abhradeep Basu (Note: the blog is quite old and does not reflect the latest UI changes, but it still provides a good overview on the topic).
- Setup SAP Business Application Studio (BAS) for developing SAPUI5/Fiori like app using on-premise SAP ABAP System, blog by Saket Amraotkar.
This is it. I hope now you have a better understanding of how we protect your development assets and data and that this information makes you feel more confident when working in SAP Business Application Studio.
Feel free to contact us with any questions you may still have.