Overview Video: Secure Development Services
SAP Cloud Application Programming Model (CAP)
The SAP Cloud Application Programming Model (CAP) is an open and opinionated, framework of languages, libraries, and tools for building enterprise-grade services and applications.
It offers the following capabilities for security:
- Automatic authorization enforcement in the CAP-supported runtimes Node.js and Java
- No manual coding of permission checks required because it is automatically enforced during runtime
- Developers can still implement individual permission checks
SAP Credential Store
SAP Credential Store service provides a secure repository for passwords and keys for applications that are running on SAP BTP. It enables applications to retrieve credentials and use them for authentication to external services, or to perform cryptographic operations and transport layer security (TLS) communication.
SAP Credential Store in SAP Discovery Center
SAP Connectivity and Destination Service
SAP BTP connectivity provides two services, the SAP Connectivity service and the SAP Destination service. The SAP Connectivity service contains a connectivity proxy, which is used to access on-premise resources. The SAP Destination service can be used to retrieve and store the technical information about the target resource.
Documentation: Connectivity in the Cloud Foundry Environment
Cloud Connector
The Cloud Connector provides a secure tunnel between SAP BTP applications and on-premise systems to access relevant data. Existing on-premise data can be reused without exposing the entire internal landscape. The Cloud Connector itself will be installed on-premise, so you have full control over what happens in your on-premise SAP systems. Furthermore, the connection will be established from on-premise to SAP BTP. This offers the advantage that you do not have to open an additional incoming port.
The Cloud Connector also offers principal propagation. It manages the authentication process of an identity between systems.

SAP Custom Domain Service
SAP Custom Domain service allows you to make your SAP BTP applications accessible via an individual domain, which is different from the default one (hana.ondemand.com). It also provides a self-service for managing the related certificates and trust. You can also integrate your own PKI solutions, so it is not limited to a specific trust center. Furthermore, you have full control over the private key and certificate lifecycle.
SAP Custom Domain Service in SAP Discovery Center