What Is GitOps and How to Use It to Boost SAP Development
What Is GitOps?
Alexis Richardson coined the term GitOps to define a set of principles for managing and operating software systems. The goal is to enable developers to perform operations tasks efficiently using familiar development tools and processes.
GitOps involves expressing the desired state of a system declaratively. You store the state in a version control system (typically Git) to enforce versioning and immutability while retaining a full version history.
A GitOps setup uses software agents to automatically pull the target state declarations from a source and continuously monitor the system state to reconcile with the desired state. It enables developers to automate this process and gain more control and visibility.
SAP Developer Responsibilities
SAP developers create solutions that help optimize an organization’s servers and systems. They provide applications that automate and optimize various work processes, such as billing, invoicing, data entry, and other business data functions.
Organizations leverage SAP software to record and manage sales, finance, purchasing, and production data. SAP developers help ensure these programs operate smoothly and troubleshoot errors as they arise.
What SAP developers do
SAP developers often use SAP’s Advanced Business Application Programming (ABAP) programming language when building applications for optimizing business processes. Organizations using ABAP code and SAP hire SAP developers to ensure the backend processes of a certain program or website are fully functioning.
SAP developers create code according to specifications detailing the functions the SAP system is required to accomplish. They need a good understanding of business processes to ensure they develop the code required to execute these functions.
The most common responsibilities of SAP developers include creating guidelines according to client function specifications, discussing SAP system functions with clients, and testing and verifying code results through various test cases. They also write functionality reports for clients or employers and test case scenarios to verify code functionality.
Why Is Managing SAP Security Difficult?
SAP systems consist of many components, which often include the NetWeaver Application Server, SAP Gateway and Messenger Server, Internet Communications Manager (“ICM”), and SAProuter. SAP environments use communication protocols such as HTTP, DIAG, Remote Function Call (RFC), and HTTP, with a large number of interfaces. Many of these communications are not encrypted, and endpoints often lack basic security controls.
In addition, most SAP systems have many custom developments, reports and transactions written by SAP programmers, who don’t necessarily follow secure coding requirements. These custom developments are likely untested for security holes, putting critical applications at risk of malicious activity. There is also a major risk of insider threats.
In many cases, attackers can use a simple ABAP injection, exploit directory traversal vulnerabilities, or use many other attack vectors to compromise the entire SAP system. This can potentially shut down critical business activities and result in catastrophic data breaches.
Organizations are often unaware of the growing number of known SAP security vulnerabilities. The attack surface increases with the adoption of new technologies, such as the migration of SAP applications to the cloud. Managing hybrid SAP environments with both on-premises and cloud applications is becoming increasingly complex. This means SAP is becoming an attractive and valuable target for attackers, and a main priority for IT security teams.
How GitOps Impacts Security
GitOps can significantly contribute to the security of an enterprise software project. It allows you to enhance your organization’s security posture in a cloud environment. DevOps teams use GitOps practices to shift security left, accelerate responses, meet auditing requirements, and improve customer confidence and satisfaction.
GitOps treats everything, including all security processes, as code. Shifting security left means the team can identify changes in the application’s state that may affect security early in the development lifecycle. A GitOps solution makes fixing bugs and redeploying applications easier, allowing you to address as soon as they are detected.
While DevSecOps is a cultural change, and does not specify exactly how to implement security into your security processes, GitOps is more prescriptive. GitOps involves using Git as the single source of truth for the environment, and using properties of Git like history and review tools to manage how you make changes to that source of truth.
GitOps can accelerate changes applied to the application development pipeline. For example, it enables teams to respond rapidly to security incidents in the event of a CI/CD pipeline breach. Developers can quickly identify pipeline vulnerabilities and remediate them by updating the code representing their CI/CD pipeline configuration, and instantly redeploying it.
This means that once you discover an exploitable vulnerability, the team can quickly respond and roll back to a previous, safer configuration, or apply a patch and deploy the new, fixed version of the pipeline.
In addition, the GitOps model lets you implement policy as code and automate security processes. These policies help DevOps teams enforce infrastructure security using granular access controls. Development teams can leverage the faster feedback loops to determine their code’s security level before deploying it to the cloud.
In this article I explained the basics of GitOps, touched on security challenges in SAP environments, and explained how GitOps can help. While DevSecOps is a generic, cultural movement, GitOps is a specific work model teams can adopt which directly impacts security. In a SAP environment, it can help to make development efforts and customizations more visible, improve collaboration, increase reliability, and most importantly, help developers and security experts collaborate to discover security issues early.