What Is Application Vulnerability Report?
Security is a top priority in today’s digital landscape, especially when applications rely heavily on open-source components. These components, while powerful and cost-effective, often come with publicly known vulnerabilities that can put your business data at risk.
The Application Vulnerability Report is a newly introduced feature for SAP Business Technology Platform (BTP) services that helps you detect and remediate vulnerabilities in your Cloud Foundry applications. This tool scans your application for known security issues based on Common Vulnerabilities and Exposures (CVEs), ensuring that you stay ahead of potential threats.
Go to Entitlements in your SAP BTP subaccount and add the Application Vulnerability Report service plans.
Service Marketplace
Search for application-vulnerability-report-service in the SAP BTP Service Marketplace and create a new instance of the service.
Allow the User to Access the Space
You need to manually add the application-vulnerability-report-scanner@sap.com user to your Cloud Foundry space. This enables the application vulnerability report to download the droplets of the respective applications and scan them accordingly.
1. Log on to the CF space that you want to scan.
2. Select the Space Members tab and choose Add Member.
3. Enter the application-vulnerability-report-scanner@sap.com user and assign the Space Auditor role to it.
Why Is This Important?
Open-source vulnerabilities are one of the most frequent security challenges in modern application development. Attackers are quick to exploit these weaknesses, and failing to address them promptly can lead to severe consequences, including data breaches and compliance violations.
By using the Application Vulnerability Report, you can:
- Identify vulnerabilities early in your application lifecycle.
- Understand the severity of each issue based on CVE data.
- Take corrective actions quickly to secure your SAP BTP landscape.
Application Vulnerability Report – Process overview
The application vulnerability report supports you in detecting vulnerabilities in custom applications at runtime. Instead of a shift-left approach that runs during pipeline executions, this service provides security-relevant information about what has already been deployed (and maybe forgotten). The service scans the applications using a proprietary scanning layer that utilizes open-source scanners such as Open Source Vulnerabilities (OSV) and Trivy, as well as custom SAP BTP-specific scanners and scanners targeting 0-day exploits. This combination offers very broad and up-to-date coverage of vulnerabilities in your applications. Using an API, you can integrate the report data into your incident and security workflow.
Overview of each process step
1. Applications Running on SAP BTP
This is the starting point. It includes all your Cloud Foundry applications deployed on SAP Business Technology Platform. These applications often use open-source libraries and packages, which can have vulnerabilities.
2. Scanning Layer
This layer performs the security scans on your applications. It consists of multiple scanning sources:
Commercial
Uses commercial vulnerability databases and tools to identify known issues.
Trivy/OSV
Trivy is an open-source vulnerability scanner, and OSV (Open Source Vulnerabilities) is a database of vulnerabilities in open-source software.
These help detect issues in widely used open-source components.
BTP Specific
Scans for vulnerabilities specific to SAP BTP services and configurations, ensuring platform-level security.
0 Day
Focuses on zero-day vulnerabilities, which are newly discovered and not yet patched.
These are critical because attackers often exploit them quickly.
3. Application Vulnerability Report for SAP BTP
After scanning, all findings are consolidated into a single report. This report provides:
- List of vulnerabilities
- Severity levels
- Recommendations for remediation
It acts as a centralized dashboard for security insights.
4. API for Customers
Customers can access the report via API. This allows integration with:
- Security dashboards
- CI/CD pipelines
- Monitoring tools
This ensures automation and continuous security checks.
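The process overview and this step both describe pulling the report through the API into your own security workflow. The following is an added example (not SAP's code) of the consumer side: a pipeline gate that reads a report payload and fails the stage when any finding is at or above a severity threshold. The JSON schema, the application and package names, and the CVE ids are all assumptions and placeholders, since the page does not document the real API response.

```python
"""Pipeline gate over an Application Vulnerability Report payload (added example)."""
import json
from collections import Counter

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in an assumed (hypothetical) schema; the real API schema
# is not on the page. CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({"applications": [
    {"name": "orders-api", "vulnerabilities": [
        {"id": "CVE-0000-00001", "severity": "CRITICAL", "package": "log-lib",
         "installedVersion": "1.2.0", "fixedVersion": "1.2.1"},
        {"id": "CVE-0000-00002", "severity": "LOW", "package": "yaml-lib",
         "installedVersion": "2.0.0", "fixedVersion": None}]},
    {"name": "legacy-ui", "vulnerabilities": [
        {"id": "CVE-0000-00003", "severity": "HIGH", "package": "http-lib",
         "installedVersion": "3.1.0", "fixedVersion": "3.1.4"}]},
    {"name": "healthcheck", "vulnerabilities": []}]})


def blocking_findings(report, threshold="HIGH"):
    """Findings at or above the severity threshold, tagged with their app.
    An unrecognised severity string counts as blocking, so a schema change
    fails closed rather than silently passing the gate."""
    floor = SEVERITY_RANK[threshold]
    out = []
    for app in report.get("applications", []):
        for v in app.get("vulnerabilities", []):
            rank = SEVERITY_RANK.get(str(v.get("severity", "")).upper(), 99)
            if rank >= floor:
                out.append({"app": app["name"], **v})
    return out


def gate(report_json, threshold="HIGH"):
    """Return (passed, summary); a CI step exits non-zero when passed is False."""
    report = json.loads(report_json)
    blocking = blocking_findings(report, threshold)
    summary = {
        "apps_scanned": len(report.get("applications", [])),
        "blocking": len(blocking),
        "by_severity": dict(Counter(v["severity"] for v in blocking)),
        "fixable": sum(1 for v in blocking if v.get("fixedVersion")),
        "apps_affected": sorted({v["app"] for v in blocking}),
    }
    return not blocking, summary


if __name__ == "__main__":
    passed, summary = gate(SAMPLE_REPORT)
    print(json.dumps(summary, indent=2))
    raise SystemExit(0 if passed else 1)
```

The "fixable" count separates findings with a published fixed version (upgrade the dependency) from those that need a mitigation or vendor follow-up, which is the split a remediation ticket usually needs.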
5. Customers
End-users (developers, security teams) consume the report and take corrective actions to secure applications.
Reference:
- Initial Setup Process
- Authentication Process
- Audit Logging Process