AGLEA Blog

SAP Developers. Better an internal or external development team?

Written by Marta Ortona | Jul 28, 2022 10:00:00 PM

 

 

 

Having within the company’s awareness also on the part of SAP developments is certainly important. Especially in order not to be dependent on third parties even for simple problems.

 

 

We don’t talk about ABAP developers directly. But what are or could be the impacts in having an internal group of developers for the security aspects. 

 

Is it better, regarding the SAP security, to have an internal or external development team? 

How to monitor developments from the SAP security point of view? 

One of the greatest difficulties is to verify that software developments are safe. It is not easy to do this because it presupposes a very thorough technical knowledge of Language and a wide availability of time.  

These two resources are frequently difficult to find in a company and probably also unjustified.

 

Being able to identify security problems during development has lower costs than discovering anomalies in programs already active and used.

 

SAP provides different ways to monitor developments from a safety perspective.

 

  • Through SCI Transaction (Source Code Inspector) or Through SE38 Transaction (see image below) is possible to test programs under different metrics, not just SAP security

 

 

  • Using the SAP's paid software named Code Vulnerability Analysis
  • Through third-party software, specific for SAP context or for general purpose; for example:
    • Onapsis, specific for SAP
    • Security Bridge for SAP (see also here)
      • Securty Bridge is a suite for Threat Intelligence

 


    • Kiuwan, general purpose
    • CAST, general purpose
    • Fortify, general purpose

 

What’s the point of having an internal development team?

In the support activity that the IT performs there could be different types of support:  

  • Sometimes IT replaces business
  • There may not be a coordinated work team, so each process area works independently.
  • In Emergency situations, the IT finds the fastest solution, not necessarily the best 

Business replacement is never a proper way of management (although sometimes it may apparently simplify management)  it could bring along some process anomalies which would emerge, for example, at segregation of tasks' stage. 

 

The emergency can lead to the compulsive definition of custom transactions defined on a personal basis. Each department requires specific customization and doesn’t get used to find standard features that can be applied.

 

Often confusing transactional systems (OLTP Online Transaction Processing) with those of analysis (OLAP Online Analysis Processing). Every custom object defined in the system has huge operating costs.  Many of the custom features are no longer used after a few years. 

 

Is therefore better to have an external development team? 

There are certain advantages. But also points of attention to be taken into account.

 

What are the advantages of having an external development team? 

  • More documentation and formalization 
  • Better support for business processes
  • Increased workforce in case of need

 

Attention, the above aspects can be points of advantage. But it's not always like this. Contract agreements may in some cases favor or disadvantage certain virtuous behavior by the supplier.

 

It is therefore essential to have an in-house contact who can also understand the proposals from a technical point of view, evaluate them before proceeding with development. Especially on the SAP security aspects

 

In many cases, if in the specifications' documents there are no authorization and/or safe development aspects, these are not considered. 

 

It is also important to have tools that can certify the work of third-party development companies. The instruments mentioned at the outset can help in setting development acceptability thresholds. 

 

It's possible to include specific conformity clauses in contracts based on analyses carried out by third party control instruments. 

 

Conclusions, what should we do? 

Not in all scenarios the same selection criteria can be applied. However, some considerations may be common.

  • It is essential to have an internal contact to follow developments. This allows to evaluate what is proposed by the supplier and make a comparison between the parties. 
  • Relying on an external part is useful but if you can automatically control what is being done and how
  • Safe development underpins ERP application security especially for the aspects concerning custom SAP developments. 

Blog post originally translated from: https://www.aglea.com/blog/sviluppatori-sap.-meglio-un-team-di-sviluppo-interno-o-esterno