
Software Supply Chain Security, What's Next?

TAKE NOTE (Insights and Emerging Technology)

President Joe Biden’s recently issued executive order on cybersecurity is expansive, running more than 8,000 words, and covers everything from the adoption of zero-trust architecture to multifactor authentication. However, one of the most anticipated elements of the order concerns the vital issue of software supply chain security.

The topic has always been important but became extremely urgent for the federal government in the wake of the so-called SolarWinds attack. As part of the attack, which impacted at least nine federal agencies and 100 private sector companies, foreign actors, identified by the administration as the Russian Foreign Intelligence Service, inserted a malicious update to the company’s Orion software, which was used as a vector for the attack.

The executive order mandates several key changes to how the federal government and, more important, private sector companies that do business with the government, will handle software supply chain security. Federal IT and cybersecurity leaders, and the contractors they work with, need to take the issue seriously and treat it with the urgency it deserves.

At the same time, they need to educate and collaborate more with a wide range of stakeholders — from software developers to users and IT security teams — and not simply rush to fulfill the mandates of the order without knowing how the changes will impact their agencies and missions.

What Does the Order Say on Software Supply Chain Security?

The order does several important things related to software supply chain security. It requires the National Institute of Standards and Technology to develop baseline security standards for software used by government agencies (though NIST is looking at whether existing guidance may cover some of the new rules).

Those standards are required to encompass secure software development environments, including such actions as: using administratively separate build environments; auditing trust relationships; establishing multifactor, risk-based authentication and conditional access across the enterprise; documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build and edit software; employing encryption for data; and monitoring operations and alerts and responding to attempted and actual cyber incidents.

Other controls include “employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release,” according to the order. Software companies doing business with the government will also be required to maintain “accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.”


UNDER DEVELOPMENT (Insights for Developers)

Understanding S/4HANA Cloud

Intro

As we discussed last month, cloud computing is one of the hottest buzzwords in technology. It appears 48 million times on the Internet. We concluded that SAP's offerings can be quite confusing… There is HANA Enterprise Cloud (HEC), SAP Cloud Platform (previously HANA Cloud Platform), and HANA Cloud. So let's recap before we dive into yet another offering called S/4HANA Cloud…

SAP HEC is a managed IaaS {infrastructure-as-a-service} offering, where customers can run their own scoped S/4 HANA on-premise version, customized to their own needs. They can also add satellite/legacy systems if these are part of their SAP landscapes, or bring an older SAP version into HEC (e.g. R/3, mySAP ERP) with the intention of a release change to S/4 HANA planned soon…

SAP HANA Cloud Platform (or SAP Cloud Platform) is a PaaS (platform-as-a-service). It is for developers. It provides a platform (IDEs and tools) to develop new apps or extend existing apps.

SAP HANA Cloud is a SaaS {software-as-a-service} offering from SAP. Even so, it is offered as more of a database-as-a-service (DBaaS). SAP designed HANA Cloud for clients who want easier access to the high speed associated with the in-memory database of SAP HANA, want to use a relational data lake that handles large amounts of data, and want to enjoy the benefits of cloud. It's just the HANA appliance in the cloud, so to speak.

OK, so what is S/4HANA Cloud….

S/4HANA Cloud

S/4 HANA Cloud is a pre-scoped version of S/4 HANA with a reduced set of functionality compared to S/4 HANA on premise, provided as pure SaaS {software-as-a-service}. Customers can instantly use the functionality. Specifically there are certain industry sets, e.g. procurement, sales, manufacturing, professional services, sourcing, and finance.


S/4HANA Cloud is a collection of integrated applications designed to ease the planning of company resources based on its needs. S/4HANA Cloud makes these applications available for users on the cloud. The solution uses the real-time data accessibility and in-memory processing of HANA to provide solutions on a SaaS model.

HANA is a high-performance analysis application that was used with different hardware to analyze large data amounts. S/4HANA Cloud uses the HANA in-memory database to access data in real-time to speed business processes.

As a cloud-based solution, you do not depend on resources like IT expertise, storage, internal hardware, and databases from SAP when using S/4HANA Cloud. You can virtually link your functional areas and departments while digitizing business processes. This means your company can adapt quickly to new technologies with S/4HANA Cloud.

So what are the components of S/4 HANA Cloud…

Pillars of the S/4HANA Cloud

SAP S/4HANA Cloud is based on three main technologies. These technologies enable the achievement of seamless digital transition and improvement of processes in all areas of a company.

The following are the three technological pillars of S/4HANA Cloud….


– Dig Deeper –
3 Minute Overview of S/4HANA Cloud

Q&A (Post your questions and get the answers you need)

Q. What is clean ABAP? We have a few developers wanting to start an internal Slack Channel around this subject.

A. Having a code base that is readable and maintainable is essential for sustainable development. The book Clean Code by Robert C. Martin and some other books contain many best practices around maintainable code. Some months ago Florian Hoffmann and Klaus Haeuptle at SAP started an internal repository about best practices for maintainable and readable ABAP code. Through info sessions with many hundreds of participants, intense discussions, and great contributions, SAP colleagues helped turn this into a treasure trove for modern ABAPers.

From the exchange with SAP customers and partners, SAP uncovered that there is a huge need for this kind of best practices. So much so that ABAPers asked whether this would become available as a book, and whether SAP would be allowed to share it with customers and partners. SAP came to the conclusion that this initiative gains its drive from its community, and that it needs to remain part of that community.

Therefore, as of now, Clean ABAP is an Open Source contribution:

SAP is additionally publishing a book, Clean ABAP, to help developers with learning and implementing clean ABAP as an individual, as a team and as an organization.

A podcast has also been published recently. Even more details can be found behind the following links:

Cheers!