Skip to Content
Business Trends
Author's profile photo Vahagn Vardanian

SAP BTP Security


SAP BTP is a cloud platform that operates on the SAP Cloud Infrastructure, a worldwide network of data centers that offers safe and flexible computing resources. The platform is designed to be multi-cloud, allowing it to run on different cloud environments including SAP’s cloud infrastructure, public clouds such as AWS and Microsoft Azure, and private clouds on-premises.

In terms of design, SAP BTP is a versatile cloud platform that gives organizations access to the necessary tools and services to develop, deploy, and manage custom applications securely and effectively. The platform’s design and development tools make it possible for organizations to adopt new technologies and services and respond to changing business needs quickly.

SAP BTP provides several development tools, such as the SAP Cloud SDK, SAP Business Application Studio, and SAP Business Application Studio Code Extension, making it simple for customers to write and deploy custom applications on the platform.

SAP BTP Security

SAP BTP offers a high level of security but like any platform, it is not completely secure. Custom applications deployed on SAP BTP may contain security weaknesses that could expose sensitive data and compromise the platform’s security.

To prevent data breaches, which can occur when sensitive information is disclosed to unauthorized parties, SAP BTP implements robust data protection and encryption features such as data encryption at rest and in transit and secure access controls.

However! It is important to keep in mind the security of custom applications deployed on SAP BTP. These applications may contain vulnerabilities such as common web vulnerabilities or SAP-specific vulnerabilities that could be exploited by attackers to gain access to sensitive data and systems.

The top 15 vulnerabilities that can be exists on the applications:

  1. SQL Injection
  2. Cross-Site Scripting (XSS)
  3. Cross-Site Request Forgery (CSRF)
  4. Broken Authentication and Session Management
  5. Remote Code Execution (RCE)
  6. Broken Access Control
  7. Unvalidated Inputs
  8. Insufficient Logging and Monitoring
  9. Insecure Direct Object References
  10. Injection Flaws (e.g. Command Injection)
  11. File Inclusion
  12. Server-Side Request Forgery (SSRF)
  13. Unrestricted File Upload
  14. Denial of Service (DoS)
  15. Clickjacking

RedRays provides a solution for this. As the only company that provides SAP BTP custom application security audit services, our team of security experts can assist you in identifying and fixing potential security threats in custom applications such as vulnerabilities, insecure configurations, and incorrect permissions.


Big thanks Yerevan Community of SAP

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Mustafa Bensan
      Mustafa Bensan

      Hi Vahagn,

      I think SAP BTP custom application security audit services are certainly of value for SAP customers' in-house developed BTP custom apps (including those developed for SAP customers by partners).  What would also be of value is if such a security audit satisfied the requirements for standard certifications such as SOC.  Does the RedRays offering lead to such certifications?

      For SAP partners building SaaS applications on BTP, it is worth noting that the SAP ICC (Integration and Certification Centre) offers a Security Code Scan Assessment which also covers custom BTP apps.



      Author's profile photo Vahagn Vardanian
      Vahagn Vardanian
      Blog Post Author


      Unfortunately, we are not doing security assessments for SOC standards, yet 🙂


      Thank you for the link, I will check it.

      Author's profile photo Michael Cocquerel
      Michael Cocquerel

      We have a security requirement to control all http outbound communications from our SAP BTP customer account to avoid/block unexpected communication.

      For LAN to internet HTTP communication, we are using a traffic steering solution called Netskope.
      is it possible to configure our BTP account to implement a similar solution ?

      Author's profile photo Vahagn Vardanian
      Vahagn Vardanian
      Blog Post Author


      Do you mean RedRays Security Platform?

      Author's profile photo Michael Cocquerel
      Michael Cocquerel

      If you have a solution using RedRays, you are welcome but my question was not specific to RedRays.

      Author's profile photo Vahagn Vardanian
      Vahagn Vardanian
      Blog Post Author

      Please check this monitoring solution, I think it will be helpful for you