Why secure code is becoming mandatory - innovation in the cloud and with AI


Many companies have migrated to S/4, are striving for the clean core principle and see the added value of side-by-side extensions. The ERP core remains stable, while innovations and individual processes are increasingly being implemented outside the system. This is where the challenge begins: added value is increasingly being created by external services, microservices and special solutions that are based on SAP data but run outside the familiar SAP world.
Innovation today is all about new business models, complex process automation and AI-supported workflows that intervene deeply in operational processes. As a result, the focus on security is also shifting: away from the pure protection of a monolithic ERP system and towards securing highly networked, heterogeneous landscapes in which cloud platforms, local data centers and specialized services work together.
Open source as the cloud foundation
In order to implement innovations quickly, a robust, well thought-out security architecture that integrates all these levels is required. Open source provides a good foundation here, as modern cloud-native development relies almost exclusively on open source components: frameworks, libraries, container images and complete platforms. This is particularly true for AI topics; almost all relevant frameworks, pipelines and tools originate from the open source ecosystem. The key question here is how trustworthy these building blocks are and how their use can be controlled.
Open source communities have already responded to the growing risks. Mature concepts such as software supply chain security have been addressing the origin, integrity and maintenance of components for years, while providers such as Red Hat are using these technologies to design hardened, tested and commercially supported platforms. For companies, this means that open source is a welcome part of the solution and can be managed in a structured way.
There is also a new factor: agentic AI approaches. This refers less to individual AI agents and more to agentic AI workflows in which systems plan independently, make decisions, call up external tools or orchestrate other agents. This architecture promises enormous leaps in productivity, but it is also associated with particular risks, as agents install additional software or access additional services via APIs, for example.
A modern security strategy must take these risks into account. The decisive factor here is a zero-trust approach that makes agents controllable during operation and protects them from manipulation. This involves the areas of identity, behavior and logic. Red Hat's security approach includes the assignment of cryptographically verifiable identities instead of static credentials, the monitoring of agent behavior and the use of guard rails to check the decision logic of models. These mechanisms supplement software supply chain security; they do not replace it.
Paradigm shift in security strategy
S/4 and Clean Core are necessary prerequisites, but not a sufficient answer to the current innovation and security requirements. The complexity arises outside the ERP system - precisely where the decisive value creation takes place today. For companies, this means a paradigm shift. They must define their own consistent and secure strategy for the development and operation of software, link their innovation roadmap with the security architecture and governance and, if necessary, rethink their partner selection. Today, companies need partners who have mastered both the SAP ecosystem and modern development and security concepts - and who can translate these into resilient, production-ready solutions.