How to Switch from SAP Code Vulnerability Analyzer to the Cybersecurity Extension for SAP, Part 9

The Cybersecurity Extension for SAP serves as a direct alternative to the SAP Code Vulnerability Analyzer (CVA) for managing SAP vulnerability assessments, threat detection, and custom code security. To transition, organizations must configure their SAP Solution Manager environment and establish a central check system using the ABAP Test Cockpit (ATC).

Executive Summary

The Cybersecurity Extension for SAP, developed by Layer Seven Security, offers a specialized alternative for organizations currently utilizing SAP CVA. Unlike SAP CVA, this solution functions as an add-on for SAP Solution Manager, a widely adopted platform for application lifecycle management used by over 12,000 customers. Transitioning to this extension allows teams to consolidate their security monitoring within their existing Solution Manager infrastructure, which is typically included in standard SAP support.

The transition process involves reviewing your existing Solution Manager setup to ensure it meets the requirements for the extension. Once the extension is deployed, organizations can decommission SAP CVA components, including existing consoles, sensors, users, and system add-ons. The extension leverages the ABAP Test Cockpit (ATC) to apply code vulnerability checks, and it is recommended that users configure a central check system to perform remote code analysis across their SAP landscape. This approach ensures a centralized, efficient security posture for custom code across multiple SAP systems and versions.

Key Takeaways

  • The Cybersecurity Extension for SAP is a functional alternative to SAP CVA.
  • The extension operates as an add-on for SAP Solution Manager, leveraging existing platform usage rights.
  • Code vulnerability checks are performed using the ABAP Test Cockpit (ATC).
  • Configuring a central check system is recommended for analyzing code in remote systems across your landscape.
  • Post-transition, SAP CVA consoles, sensors, and associated users can be removed from the landscape.

What are the differences between SAP CVA and the Cybersecurity Extension for SAP?

The primary difference lies in the integration and platform requirements, as the Cybersecurity Extension for SAP is built specifically as an add-on for SAP Solution Manager.

FeatureSAP Code Vulnerability AnalyzerCybersecurity Extension for SAP
PlatformStandalone / IntegratedSAP Solution Manager Add-on
Code AnalysisSAP CVA ConsoleABAP Test Cockpit (ATC)
DeploymentSAP CVA SensorsSolution Manager Integration

How do you prepare your SAP Solution Manager for the transition?

Transitioning to the Cybersecurity Extension for SAP requires a standard setup of SAP Solution Manager. Because Solution Manager acts as the monitoring and diagnostics platform for this extension, you must ensure your environment is correctly configured to support the add-on. Once the platform is prepared and the extension is active, you can proceed to remove SAP CVA users, sensors, and consoles from your SAP systems to complete the migration.

How is code vulnerability analysis performed?

The extension applies code vulnerability checks by utilizing the ABAP Test Cockpit (ATC). For organizations managing multiple systems or various releases, it is recommended to configure a central check system. This central system performs remote code analysis for all connected remote systems, ensuring consistent security coverage. For detailed configuration instructions, please refer to the SAP guidelines on setting up a central check system for your landscape.

Frequently Asked Questions

Can I remove SAP CVA components after transitioning?
Yes. Once you have successfully transitioned to the Cybersecurity Extension for SAP, you can remove all SAP CVA consoles and sensors from your SAP landscape. Additionally, you should remove the SAP CVA users and add-ons from your SAP systems.

Does the Cybersecurity Extension for SAP require Solution Manager?
Yes. Unlike SAP CVA, the Cybersecurity Extension for SAP is designed as an add-on for SAP Solution Manager. It requires the standard setup of Solution Manager to function as your platform for vulnerability management and threat detection.

What is the recommended ATC configuration?
A central check system is recommended for the ABAP Test Cockpit (ATC). This central system performs code analysis for remote systems, which is particularly effective when managing multiple systems on various releases.

Share the Post: