Skip to Content
Technical Articles
Author's profile photo Limor Wainstein

DevSecOps for Mission Critical Environments: SAP and Oracle

Image Source 

SAP and Oracle are two examples of vendors that support mission critical applications. If a SAP ERP or an Oracle database is subject to a cyber attack, the damage to an organization could be catastrophic. This is both due to the sensitive data stored by these applications, and because of their business critical nature, meaning that any disruption to ongoing activity results in costly downtime. 

The 2021 Cost of Breaches report published by IBM showed that the average cost of a breach to businesses was $4.24 million. Keep in mind that many breaches are targeted against web applications or other infrastructure that is not at the core of business operations. The cost of a breach to critical systems like SAP or Oracle is likely to be much higher.

The security industry is realizing that in order to properly secure applications, cooperation is needed between three elements in an organization—developers, operations teams (IT), and security. When security teams operate as a separate silo, and come in to inspect applications after they are already developed and tested, they have a limited ability to influence application development. Security issues found at this stage are either very expensive to fix, or are simply ignored because they will delay the release timeline. 

DevSecOps is an organizational pattern that creates one organizational unit including developers, operations, and security, all cooperating from day one of the development lifecycle. For example, a code change to a SAP system will undergo security review and automated testing at the planning stage, and developers will have the tools to verify that their code is secure, even before it is tested. At every subsequent stage of the lifecycle—testing, staging, and deployment—security are involved to ensure the software and its environment are secure.

Below, I’ll explain how DevSecOps principles apply to SAP and Oracle environments.

What is DevSecOps?

DevSecOps is a methodology that unifies development, security, and operations collaborators. It automates security throughout the entire software development lifecycle, including design, testing, deployment, and delivery.

Traditionally, security was implemented at the end of the software development cycle by a disparate security team and tested by another, different quality assurance (QA) team. Occasionally, security experts were contracted to perform in-depth penetration testing. This approach worked when teams needed to release software updates only once or twice per year. However, this approach does not work in modern environments that undergo constant changes.

Agile and DevOps methodologies help improve the software development process by unifying disparate teams, removing bottlenecks, promoting collaboration, facilitating better communication. These approaches help create a cycle that enables teams to reduce the development cycle to weeks or even months.

DevSecOps integrates infrastructure and application security into agile and DevOps processes. It helps address security issues as they emerge earlier during development when it is easier, quicker, and less expensive to fix them. It also ensures security issues are addressed before the software is deployed to production environments. 

DevSecOps for SAP

The DevSecOps process is key to the continuous improvement of mission-critical applications and should be considered by all SAP-based organizations.

Businesses today must look beyond traditional strategies and consider automated application testing and protection software. These automated solutions can help identify security, compliance, and quality errors during all stages of the development process.

DevSecOps tools can analyze code as it is being developed and enable automated testing during the build process. During runtime, they can scan for SAP system changes, enforce configurations, assess vulnerabilities and misconfigurations, and continuously monitor user behavior and threats. 

This level of functionality helps businesses ensure application availability, avoid costly repairs, eliminate production downtime, and set a security baseline for measuring improvements.

Why is it important to address security issues early in the development lifecycle?

Many security issues might be hidden in SAP custom code. Addressing them during the later stages of development can be expensive and delay implementation in production. Moving to a DevSecOps process can accelerate releases and make fixes easier and cheaper. Being prepared can accelerate critical projects such as S/4HANA and cloud migrations.

In addition, while a traditional security process can miss many vulnerabilities, DevSecOps testing enables much higher code quality and an improved ability to detect security issues. This allows organizations to better address critical security vulnerabilities and potential compliance issues. 

 Establishing a continuous improvement cycle

After custom SAP code is deployed to production, it is important to continuously analyze and monitor it for vulnerabilities and misconfigurations. Understanding and identifying what happened before, during, and after a production deployment is part of the continuous application improvement cycle. SAP and security teams must take appropriate steps to secure and apply patches and continuously identify threats to SAP applications.

As the volume of sensitive information grows and breaches increase, IT, operations, and information security teams need more DevSecOps than ever before. By implementing these processes today, businesses can ensure the reliability, security, and compliance of future SAP mission-critical applications.

DevSecOps with Oracle Software Security Assurance

Oracle Software Security Assurance (OSSA) helps build security into the software development lifecycle phases, including design, build, testing, and maintenance. It applies to various Oracle products and diverse deployment environments, including Oracle Cloud, Oracle on AWS and other clouds, and on-premises deployments.

OSSA provides a set of standards, practices, and technologies that can help foster security innovations, minimize security weaknesses, and reduce the impact of security weaknesses in Oracle products. It helps manage security policies across hybrid clouds, providing identity management, security monitoring, and analytics.

OSSA employs various programs to achieve its objectives, including Oracle’s Secure Coding Standards and automated analysis and testing tools. Additionally, Oracle implements transparent security vulnerability disclosure and remediation policies and delivers security patching through the Security Alert and Critical Patch Update programs.


In this article, I explained the basics of DevSecOps and showed how it can be used to improve security for two mission critical environments:

  • DevSecOps for SAP—implementing security analysis for every code change to SAP systems, adding automated security testing, and ensuring that production SAP environments have monitoring in place to reveal security vulnerabilities and misconfigurations.


  • DevSecOps for Oracle—Oracle Software Security Assurance (OSSA) provides practices and technologies that can help teams implement Oracle’s Secure Coding Standards and ensure automated testing of code at all stages of the lifecycle.

I hope this will be useful as you improve the security process for your mission critical applications.




Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.