Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Onapsis: SAP BTP Security Best Practices & Continuous Validation

Onapsis
07/10/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


is provide kind of recommendations to the audience. So, you know, and the key word there on the slide is that continual validation of security. So, for those of you who work in security, you know, it's really a never-ending task. If you're dealing with kind of on-premise technology, then every month there's new notes or patches, et cetera, depending on the technology that you need to address. So, you have to constantly kind of maintain and keep up with security. So, I wanted to kind of put kind of some key elements that I thought were important to do. First off the bat is that regular security audit. So, you know, you can spend that time and effort, as JP said, to go through, I think it was 225 pages of kind of different recommendations to get what's right for your enterprise. Every enterprise kind of has their kind of level of security posture that they're ready for. But these are configurations that can be changed by anyone. So, you need to make sure that you're continually ensuring that you stay at that level. This recommendations change over time as well. As new technology is added into BTP, then there's security associated with those. So, it's not a one-and-done type of exercise. You need to make sure that you're keeping up with what's going on from a security point of view. And then you can see it's kind of what are my users doing? Are they doing what they should be doing? Maybe a month ago they should have been doing that. Is that something they should still be doing now? JP touched on using identity providers, kind of make sure that you're using the authentication technologies that's right for your business. Don't make your users learn another login, but try and leverage what they already have. And then kind of training for teams. So, people who are working in BTP, developing for BTP, can ensure that they have what they need to do so in a secure way. And then really across the enterprise, that can be kind of an additional firewall as your users having a security training, having an ability to react and report on things they see that don't meet kind of security thresholds. So, identifying, phishing for you, etc. And then lastly, exactly what you're doing right now. Security is a journey for all of us. We learn from each other. So, taking advantage of the SAP security community, that there's a lot of kind of content like this and other content available where we're trying to ensure that we all have visibility and understand kind of what does security mean now. Things are changing and changing even faster really with the advent of BTP and other technologies. So, how can I keep up and ensure that I'm informed about what are kind of the latest risks and the latest kind of guidance for security to SAP technology. I would be remiss if I didn't come in and talk a little bit about how we could help. I promise I'll just do 60 seconds. But, you know, one of the reasons that JP and I kind of able to talk about this is because we work with our customers to help them ensure all of their investments in SAP can be, you know, managed and run in a secure way. So, you can kind of see across the top that we work with SAP, whether it's on premise, it's hybrid. So, a little bit of both in the cloud. BTP is obviously we've been focused on here or going with RISE. And we do it through kind of three core pillars. We have assess, which is vulnerability management. So, vulnerabilities could be considered SAP notes, but it also could be what we've been talking about, insecure configurations, users with really high permissions or authorizations on a target system, helping you identify kind of where they are, what the consequence of allowing those to exist could be, and giving guidance on how to address those. With defend, kind of talking about what's going on on those systems. So, from a threat point of view, is someone attempting to exploit vulnerabilities on that system? Is someone performing an action, which is very kind of a highly sensitive action? And, you know, is that something that should be performing? And when we look at kind of BTP, there's a lot of actions that can be performed there, cloning, et cetera, copying, which really could expose a lot of risk. And then if we have a look on the right hand side, it's all about kind of DevSecOps for SAP. So, as you're customizing and adding that extra value on top of these technologies that BTP provides, are you doing so in a way that doesn't expose you to more risk? We do this all through our premium certified kind of SAP endorsed apps. So, SAP has singled us out as an application and provider that they endorse, that they encourage people to use because it helps ensure all of us are running more secure SAP systems. So, I'm going to stop talking because I've been talking a lot. I'm going to bring this slide up, but the slides will be shared. JP, any final words you'd like to give before we go to hand it back to Sean for the questions? No, just, again, we are talking about business applications and as such, there is a lot of value on the data and the processes. Federal actors know about it and they've been addressing more and more and targeting more and more of these applications, either by targeting the technology, by using malware, by stealing credentials. There are many different ways that actors have to ultimately compromise these applications and data. So, it's important to have security, not as an afterthought, but really as a driving force. It's especially important for those of you who are beginning their first steps of the implementation of BTP because a lot of the definitions are going to drive security requirements. Otherwise, it becomes technical debt and it becomes harder and more expensive to secure, to implement.

TL;DR

  • Security for SAP BTP requires continuous validation and cannot be treated as a one-time configuration exercise, as settings can be changed by users and new security considerations emerge with platform updates
  • Organizations should implement regular security audits, monitor user activities and permissions, leverage existing identity providers for authentication, and provide security training for both BTP developers and end users
  • Threat actors are increasingly targeting business applications like SAP due to the high value of data and processes, making proactive security essential rather than an afterthought, especially during initial BTP implementation phases

Summary

This presentation focuses on essential security practices for SAP Business Technology Platform (BTP) environments, emphasizing the critical need for continuous security validation rather than one-time configuration. The speakers outline a comprehensive approach to maintaining security posture in BTP deployments, covering regular audits of the extensive security recommendations (over 225 pages of guidance), ongoing monitoring of user permissions and activities, and the importance of leveraging existing identity providers for authentication. The discussion highlights how BTP's evolving technology landscape requires organizations to stay current with new security considerations as features are added. The presentation concludes with an overview of Onapsis's three-pillar approach to SAP security: vulnerability assessment, threat detection and defense, and DevSecOps integration for custom development on BTP.

Chapters

0:00 - Introduction to Security Recommendations
0:34 - Regular Security Audits
1:26 - Authentication and User Training
2:39 - Onapsis Security Solutions Overview
4:33 - Threat Landscape and Final Thoughts

Key Quotes

0:09 "... the key word there on the slide is that continual validation of security ..."
1:03 "... it's not a one-and-done type of exercise. You need to make sure that you're keeping up with what's going on from a security point of view ..."
4:52 "... there is a lot of value on the data and the processes. Federal actors know about it and they've been addressing more and more and targeting more and more of these applications ..."

FAQ

Why can't SAP BTP security be configured once and forgotten?

BTP security requires continuous validation because configurations can be changed by users at any time, new security recommendations emerge as SAP adds technologies to the platform, and user permissions that were appropriate previously may no longer be necessary as roles evolve.

What are the main areas organizations should focus on for BTP security?

Organizations should prioritize regular security audits against SAP's recommendations, continuous monitoring of user activities and permissions, integration with existing identity providers for authentication, security training for BTP developers and end users, and engagement with the SAP security community to stay informed about emerging threats and best practices.


Categories:
  • » Cybersecurity » Application Security
  • » Cybersecurity » Cloud Security
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Cloud Security
  • Identity & Access
  • Security Operations
  • Best Practices
  • Technical Deep Dive
  • SAP BTP Security
  • Continuous Security Validation
  • Identity and Access Management
  • Security Auditing
  • Vulnerability Management
  • Threat Detection
  • DevSecOps
  • Security Training
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Onapsis: SAP BTP Security Best Practices & Continuous Validation

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Worthy Security Team for Unmatched Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-worthy-security-team-for-unmatched-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies for Effective Data Privacy and Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Worthy Security Team for Unmatched Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies for Effective Data Privacy and Protection

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version