This repository contains the material for the workshop called "Developing Secure Solutions With SAP BTP: Proven Techniques For The Real World".
Welcome to this hands-on workshop dedicated to embedding security into your SAP BTP applications. In an era where data breaches and cyber threats are constant, building secure software is not an option - it's a requirement. This workshop is designed for developers working with the SAP Cloud Application Programming Model (CAP) and Node.js.
By completing the exercises, you will gain the practical skills to identify and mitigate common security risks as defined by the OWASP Top 10 Vulnerabilities.
- Identify and mitigate a critical OWASP Top 10 vulnerability in a real-world scenario.
- Leverage the SAP Cloud Application Programming Model (CAP) for secure, cloud-native development.
- Implement SAP BTP's comprehensive, built-in security services to protect your data and business logic.
- Validate the effectiveness of security fixes through practical testing.
Prerequisites:
- Some experience with Node.js and GitHub
Please complete the following setup before the workshop:
- Getting Started – Set up your environment and initial deployment.
💡 Tip:
- Some exercises require switching between user accounts. Use an Incognito (Private) browser window to avoid authentication conflicts.
- This workshop was tested with the Edge web browser. For a better experience, we recommend using Edge.
Every exercise module is a self-contained lab focused on a specific vulnerability. All modules adhere to the following standard structure:
- 📖 1. Overview: A high-level description of the vulnerability, its impact, and why it's a security risk.
- 🚨 2. Vulnerable Code: A snippet of code containing the specific security flaw. We'll analyze why it's insecure.
- 💥 3. Exploitation: A step-by-step guide on how to exploit the vulnerability, demonstrating its real-world impact.
- 🛡️ 4. Remediation: The corrected version of the code that patches the vulnerability, along with an explanation of the fix.
- ✅ 5. Verification: A simple procedure to confirm that the patch has successfully mitigated the vulnerability and the exploit no longer works.
- 📌 6. Summary: A practical recap that consolidates the exercise outcomes with actionable takeaways.

💡 In step 4, you will replace the vulnerable version of the code with a corrected version. In most cases you will have to open the corrected file and copy its full content into the development environment. If you only copy the code snippet explaining the fixes, your application won't work. To copy the content of the file, use the "Copy raw file" button in the toolbar above the file content.
This structure is designed to help you understand a vulnerability from an attacker's perspective and a defender's, see how it can impact a CAP application, and learn actionable steps to mitigate it with SAP BTP best practices.
- Exercise 0 - Getting Started (Prerequisites)
- Exercise 1 - Broken Access Control
- Exercise 2 - SQL Injection
- Exercise 3 - Security Logging and Monitoring Failures
- Additional Resources
No known issues.
Live support will be available from facilitators during the event.
- Found a bug or have a question? Open an issue in this repository.
- Looking for broader support? Ask a question in SAP Community.

💡 Tip: When creating issues, please include details like your environment (Node.js version, OS), steps to reproduce the issue, and screenshots if applicable. This helps us provide faster, more accurate support!
If you wish to contribute code, offer fixes or improvements, please send a pull request. Due to legal reasons, contributors will be asked to accept a DCO when they create the first pull request to this project. This happens in an automated fashion during the submission process. SAP uses the standard DCO text of the Linux Foundation.
Copyright (c) 2026 SAP SE or an SAP affiliate company. All rights reserved. This project is licensed under the Apache Software License, version 2.0 except as noted otherwise in the LICENSE file.
