In an ideal world, every developer would follow the project-defined code checklist and guidelines, and every peer reviewer and lead would ensure that due diligence is done for quality assurance throughout the lifecycle of the project, every step of the way. Also, you would have unicorns taking you to the office, avoiding the traffic. Projects get messy at times. Requirements are delayed. Code is done in patches, and sometimes, under the operating timelines, due diligence stays due. Eventually, this keeps adding technical debt and vulnerabilities which can have long-term effects. Hence, at times, SAP projects need a technical code audit.
The first part is to understand the scope of developments and group them based on technical stack, RICEFW type, etc. Then, closely review each of the groups to understand the key areas of improvement or high-risk factors. Ensure the metrics and risk profiles are clearly defined and aligned with Project Guidelines and SAP Best Practices.
After the baseline is identified, start reviewing the custom developments in order of risk level. Tools like Code Inspector and ABAP Test Cockpit can be of great help. If the customer is interested, third-party tools like Onapsis can also be used. The goal is to identify all potential issues and vulnerabilities. For example, badly designed queries that are pushed down to the database cause performance concerns, and missing authorization checks create security vulnerabilities.
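As an added illustration of the missing-authorization-check finding (a constructed example, not code from the original post): a local class with the flawed read next to its remediated version. It assumes the SAP flight-demo table SFLIGHT and the demo authorization object S_CARRID (fields CARRID and ACTVT) are present; the report name, class name and carrier 'LH' are hypothetical.

```abap
REPORT zaudit_authcheck_demo.
CLASS lcl_flight_reader DEFINITION.
  PUBLIC SECTION.
    TYPES: BEGIN OF ty_flight,
             carrid TYPE sflight-carrid,
             connid TYPE sflight-connid,
             fldate TYPE sflight-fldate,
           END OF ty_flight,
           ty_flights TYPE STANDARD TABLE OF ty_flight WITH EMPTY KEY.
    " Finding: reads flight data with no authorization check and SELECT *
    CLASS-METHODS read_unchecked
      IMPORTING iv_carrid  TYPE sflight-carrid
      EXPORTING et_flights TYPE ty_flights.
    " Remediation: display authorization is checked before the read,
    " and only the columns the caller needs are selected
    CLASS-METHODS read_checked
      IMPORTING iv_carrid  TYPE sflight-carrid
      EXPORTING et_flights TYPE ty_flights
                ev_denied  TYPE abap_bool.
ENDCLASS.

CLASS lcl_flight_reader IMPLEMENTATION.
  METHOD read_unchecked.
    " Any user who can start the report sees every flight of the carrier.
    SELECT * FROM sflight
      WHERE carrid = @iv_carrid
      INTO CORRESPONDING FIELDS OF TABLE @et_flights.
  ENDMETHOD.

  METHOD read_checked.
    CLEAR: et_flights, ev_denied.
    " S_CARRID: CARRID = carrier, ACTVT '03' = display
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD iv_carrid
      ID 'ACTVT'  FIELD '03'.
    IF sy-subrc <> 0.
      ev_denied = abap_true.   " caller must not fall back to unchecked data
      RETURN.
    ENDIF.
    SELECT carrid, connid, fldate FROM sflight
      WHERE carrid = @iv_carrid
      INTO TABLE @et_flights.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  lcl_flight_reader=>read_checked( EXPORTING iv_carrid  = 'LH'
                                   IMPORTING et_flights = DATA(lt_flights) ev_denied = DATA(lv_denied) ).
  IF lv_denied = abap_true. MESSAGE 'No display authorization for carrier LH' TYPE 'E'. ENDIF.
```

ATC and Code Inspector flag the unchecked variant through their security checks for missing AUTHORITY-CHECK before database reads, which is how such findings surface during the audit described here.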
After all data points are catalogued, it becomes important to prioritise them and identify a roadmap to fix. Some projects would have a built-in cycle, but usually this activity is executed in the last 1-2 test cycles before user acceptance testing, in a phased manner, in a sequence that ensures that the changes are also tested properly. It is important that the development team has complete clarity on the changes made and what impact they might have on the solution. In projects where such a roadmap is not feasible post build, it is important that such a cadence is baked into the build process.
~S