Onapsis Podcasts

ERP Digital Transformation: Big Trends and Bigger Security Challenges

As global organizations increasingly adopt cloud technology and undertake digital transformation initiatives, under-resourced teams often prioritize agility and speed over security. This webinar will explore the latest trends influencing ERP digital transformation and the broader challenges of securing these essential systems. Drawing on Onapsis’ decade-long experience in safeguarding top global brands, the session will delve into significant security challenges and threats associated with digital transformation, using insights and real-world examples to illustrate the discussion.


Shift Left: Five Reasons Why You Should Extend DevSecOps to Your SAP Environment

What is DevSecOps? It is the integration of security best practices into the application development lifecycle. As digital transformation projects accelerate the creation of new code and applications, security often takes a backseat to business application output. With the average SAP system containing over 2 million lines of custom code, large global enterprises are increasingly concerned about the vulnerability of their critical applications. Join this webinar to understand why you should bring your SAP application development into a comprehensive DevSecOps framework and learn best practices for getting started with DevSecOps for SAP development.


The ERP Black Box: Five Reasons Why Your Vulnerability Management Program Must Include Your ERP Landscape

Often seen as a “black box” for several reasons, SAP and Oracle application landscapes present significant challenges for modern security professionals, who frequently settle for layered security controls around these critical systems rather than within them. However, neglecting to include these ERP applications in your vulnerability management program makes your organization more vulnerable to security breaches and data loss. In this webinar, Onapsis will present five compelling reasons to demystify these systems and integrate SAP and Oracle applications into your overall vulnerability management strategy.

Onapsis Research Labs Briefing: The Latest Threats to SAP Applications July 2023

ON DEMAND

Join the Onapsis Research Labs for a look back at an extremely active year of threats so far in 2023. The tactics, techniques, and procedures of threat actors continue to evolve, while the number of potentially exploitable vulnerabilities and applications seems to grow every month. The session covers both the elevated threat activity and observed trends of the first half of 2023 and a look forward to the second half, to help your organization prepare for the latest threats posing the largest risk.

The Onapsis Research Labs

It’s the world’s leading team of security experts who combine their deep knowledge of critical ERP applications and decades of threat research experience to deliver impactful security insights and threat intelligence focused on the business-critical applications from SAP, Oracle, and SaaS providers. Onapsis Research Labs is, far and away, the most prolific and most celebrated contributor of vulnerability research by the SAP Product Security Response Team. No other research team comes close.

Cyber Tech Talk Features: Eliminating SAP Security Blind Spots with NIST

ON DEMAND

Visibility into the application layer can be a blind spot for many organizations, particularly for security departments, even though a secure application layer is a critical component of a protected environment. As a key component of both the NIST Cybersecurity Framework and SAP’s own framework, the SAP Secure Operations Map, the application layer must be protected. Leveraging these frameworks and best practices can help security, SAP application, and SAP Basis teams build cross-functional engagement and strategies to eliminate these blind spots and work together effectively.

In this webinar we discuss a strong foundational strategy to protect SAP environments where they are most vulnerable–the application layer. 

You will walk away with an understanding of how to:

  • Leverage key elements of the NIST and SAP Secure Operations Map frameworks for a more effective security strategy
  • Incorporate application security best practices into creating a more secure, compliant, environment for your SAP applications. 
  • Think about the journey to a more secure environment, including mapping out milestones and points to consider at every phase
  • Address growing complexities of AI as part of the NIST framework

Watch The Defenders Digest

The Defenders Digest

Everything you need to know in the world of ERP security with The Defenders Digest.

Hear directly from Paul Laudanski & JP Perez-Etchegoyen of Onapsis Research Labs as they chat through monthly highlights and need-to-know information around SAP and Oracle security.

What can you expect once a month?

  • Original threat research, analysis and insights from the Onapsis Research Labs team

  • Industry news surrounding ERP application protection

  • Educational security and compliance content

Watch the latest episodes here

Take the Next Step in Your ERP Security Journey

Reach out to a member of our team if you are interested in how to accelerate your SAP initiatives, securely.


Onapsis Control Central

Extend DevSecOps to your SAP ABAP applications. A centralized policy engine enables streamlined deployment and management. Step-by-step remediation instructions and integrations with SAP ABAP developer tools accelerate time to issue identification and remediation. 

Organizations are placing greater focus on hardening their applications against attack, starting with the development process. A recent survey noted that 74% of security professionals have already “shifted left” (i.e., extended security earlier in development cycles) or plan to in the next three years. This shift is particularly important for business-critical applications such as those from SAP, since they contain highly valuable corporate data. SAP applications are frequently at the core of large enterprise organizations, supporting the financial, HR, supply chain, sales, ERP, and customer processes needed to function as a global business.

These applications are also at the core of digital transformation projects, such as the shift to SAP S/4HANA. Analyzing and migrating custom code and data from legacy systems is a headache for developers seeking to migrate code, applications, and systems to the cloud. And building security into the software development lifecycle for SAP custom applications remains a challenge as well. Manual reviews, which are highly prone to error, are often used due to a lack of automated testing solutions for SAP code languages and environments. 

The accelerated pace of these digital transformation projects also forces teams to balance speed against security, and security is frequently tabled in order to meet abbreviated project timelines. Tight development cycles also drive the use (and re-use) of third-party code libraries and contract developers. With little visibility into that code either, organizations fall back on still more manual reviews (if any review happens at all) to keep new security issues out.

Onapsis Control Central addresses these challenges with comprehensive application security testing for SAP ABAP custom applications throughout development. With a centralized architecture for automated assessments, integrations with SAP development environments and change management, and step-by-step remediation instructions, Control Central helps teams rapidly identify and fix issues before they negatively impact production.

“Onapsis helps us gain deeper visibility into code and transport vulnerabilities so we can prioritize our mitigation efforts and reduce risk to our systems.”

– Director SAP Application Development, Fortune 100 Manufacturing Company

How Onapsis Control Central Works

Onapsis Control Central works by scanning systems and inspecting code directly within development environments. Control Central leverages extensive test cases based on best practices and in-depth security analysis and research of SAP applications from the Onapsis Research Labs. Millions of lines of code can be automatically scanned in minutes, and remediation guidance is provided to keep pace with accelerated development cycles.
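To make the idea of automated test cases over ABAP custom code concrete, the Python script below is an added example written for this page; it is not Control Central code and does not reproduce its test cases. It runs two rules over a constructed ABAP fragment: a dynamic WHERE clause assembled from caller input without going through cl_abap_dyn_prg (the classic ABAP SQL injection), and a CALL TRANSACTION with no AUTHORITY-CHECK earlier in the same routine. The ABAP sample, the rule names and the line-based splitting into FORM routines are assumptions for the illustration; a production analyzer works on the parsed syntax tree rather than on regular expressions.

```python
import re
from dataclasses import dataclass

# Constructed ABAP fragment for the illustration (not customer code).
# Routines 1 and 2 carry the weaknesses; 3 and 4 are the hardened forms.
SAMPLE_ABAP = """\
FORM find_vendor USING iv_name TYPE string.
  DATA lv_where TYPE string.
  CONCATENATE 'NAME1 = ''' iv_name '''' INTO lv_where.
  SELECT * FROM lfa1 INTO TABLE lt_lfa1 WHERE (lv_where).
ENDFORM.

FORM open_payrun.
  CALL TRANSACTION 'FB60' AND SKIP FIRST SCREEN.
ENDFORM.

FORM find_vendor_safe USING iv_name TYPE string.
  DATA lv_where TYPE string.
  lv_where = |NAME1 = { cl_abap_dyn_prg=>quote( iv_name ) }|.
  SELECT * FROM lfa1 INTO TABLE lt_lfa1 WHERE (lv_where).
ENDFORM.

FORM open_payrun_safe.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'FB60'.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'Not authorized'.
  ENDIF.
  CALL TRANSACTION 'FB60' AND SKIP FIRST SCREEN.
ENDFORM.
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int   # 1-based line number in the scanned source
    text: str


UNIT_START = re.compile(r"^\s*FORM\b", re.IGNORECASE)
UNIT_END = re.compile(r"^\s*ENDFORM\b", re.IGNORECASE)
DYN_WHERE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.IGNORECASE)
CALL_TA = re.compile(r"\bCALL\s+TRANSACTION\b", re.IGNORECASE)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.IGNORECASE)


def split_units(source):
    """Group numbered source lines into FORM ... ENDFORM routines."""
    units, current = [], None
    for no, text in enumerate(source.splitlines(), start=1):
        if UNIT_START.match(text):
            current = []
        if current is not None:
            current.append((no, text))
            if UNIT_END.match(text):
                units.append(current)
                current = None
    return units


def assigned_via_dyn_prg(var, unit):
    """True if `var` is assigned from a cl_abap_dyn_prg call somewhere in the routine."""
    pattern = re.compile(rf"\b{re.escape(var)}\s*=.*cl_abap_dyn_prg=>", re.IGNORECASE)
    return any(pattern.search(text) for _, text in unit)


def scan_unit(unit):
    findings = []
    auth_seen = False
    for no, text in unit:
        m = DYN_WHERE.search(text)
        # Rule 1: dynamic WHERE whose variable never passed through cl_abap_dyn_prg
        if m and not assigned_via_dyn_prg(m.group(1), unit):
            findings.append(Finding("dynamic-where-unescaped", no, text.strip()))
        if AUTH_CHECK.search(text):
            auth_seen = True
        # Rule 2: transaction call with no authority check earlier in the routine
        if CALL_TA.search(text) and not auth_seen:
            findings.append(Finding("call-transaction-no-authcheck", no, text.strip()))
    return findings


def scan_abap(source):
    return [f for unit in split_units(source) for f in scan_unit(unit)]


if __name__ == "__main__":
    for f in scan_abap(SAMPLE_ABAP):
        print(f"line {f.line:>3}  {f.rule:<30} {f.text}")
```

Run as-is, the scanner reports the unescaped WHERE on line 4 and the unchecked CALL TRANSACTION on line 8, and stays quiet on the two hardened routines. The point a developer-tool integration adds on top of this is delivering the finding with its remediation (quote the input, add the AUTHORITY-CHECK) at the line in the editor rather than in a report after release.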

Security And Compliance

Onapsis’ highest priority is the security of our software and the confidentiality, integrity, and availability of customer information as it flows through that software. We embed the strongest possible security measures into our software development life cycle (SDLC) and into the operating system, database, web security, and logging layers of our products. Onapsis contracts with accredited third-party auditing companies who have audited our SDLC process, and we hold the following certifications: ISO 9001, ISO 20243:2018, ISO 27001:2013, SOC 1 Type 1/2, SOC 2 Type 1/2, and Veracode Verified Program. Our product design and development requirements follow the OWASP ASVS v4 framework or other industry standard guidelines.

Onapsis Professional Services
Achieve your business objectives at every stage of your journey. Onapsis’ comprehensive professional services offerings target:

Implementation: A paired delivery approach to accelerate time-to-value
Education: Knowledge for teams to successfully operate our platform
Optimization: Enable continuous improvement and alignment to business needs
Administration: Alleviate resource constraints

Licensing

Onapsis Control Central is licensed as an annual subscription based on the number of target systems. Subscription includes access to all updates available for the respective software license, technical support, and a dedicated account manager. 

Expand and enhance your Control Central deployment with additional premium capabilities:

  • On Change Control: Licensed as an annual subscription based on the number of target systems, it provides a detailed security scanning and approval framework for change management that integrates with SAP ChaRM. It offers a single view of detailed security scans, approvals, and notes related to system changes, in addition to enabling automatic notifications to improve workflows.
  • Control for Transports: Licensed as an annual subscription based on the number of target systems, it provides the ability to check development objects, system settings, application configuration, and data within SAP transports for vulnerabilities. Step-by-step remediation instructions identify flawed transport requests and help prevent costly production errors as well as reduce the risk of system downtime.

Onapsis Control for Transports

Complete transport security testing for SAP with the ability to check development objects, system settings, application configuration, and data within transports. Step-by-step remediation instructions and integrations with development and change management tools identify flawed transport requests. This prevents system downtime and damage to systems (including the associated costs) from erroneous imports into production.

Building security into development cycles for business-critical SAP applications is increasingly important. Organizations continue to ‘shift left’ and insert security earlier into the application development process. Since SAP applications are top attack targets for threat actors, the mechanism for importing changes into their production systems – SAP transports – must be evaluated for risk. However, many organizations struggle with this due to the large number of objects, settings, and tables that transports contain and the lack of effective and targeted security tools. Many organizations subsequently revert to less-than-practical manual testing, which introduces new challenges due to the time-consuming and error-prone nature of manual review.

Additionally, accelerated timelines for digital transformation projects, such as SAP S/4HANA migrations and RISE with SAP, put increased pressure on all teams involved in the application development cycle. But speed must be balanced with security. Preventing critical issues from getting into production systems is imperative, since there is no way to roll back a change once an SAP transport is delivered into production – you can only build a new transport. Production errors can lead to significant impact to the business if left uncorrected. Even if errors are identified, building a new transport to repair the damage is time-consuming and unnecessarily repetitive, leading to project delays and cost overruns.

Onapsis Control for Transports directly addresses these challenges, giving you control over your transports by analyzing them for harmful objects and preventing import errors that can result in system downtime. Automatic blocking of bad transports and actionable remediation enable development teams to fix issues before there’s an impact on a production system’s performance, security, and compliance.

“Onapsis helps us address two of the biggest trouble areas—custom code and transports. A third-party solution for analyzing these that integrates into SAP ChaRM allows us to get things right the first time and avoid costly rework and manual analyses.”

– Security Architecture Manager | Fortune 100 Chemical Company

How Control for Transports Works

Onapsis Control for Transports works with transport management systems, the mechanisms for importing new code and data changes to SAP production systems. Because it can be difficult to determine if a modification could adversely affect a system until it is in production, Control for Transports can check transport requests for changes prior to import, including checks for changes in development objects, system settings, application configuration, and application data. Control for Transports leverages extensive test cases based on threat research from the Onapsis Research Labs. Transports and third-party updates are inspected prior to import and detailed remediation guidance is provided. Transports can also be blocked prior to import to prevent system risk.
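To make the pre-import gate concrete, the following Python example is added for this page; it is not Control for Transports code and does not reproduce its test cases. It evaluates constructed transport object lists in the shape of SAP's E071 entries (program ID, object type, object name) and blocks a transport when it carries table contents (object type TABU) for a security-critical table or changes a code object outside the customer namespace. The transport numbers, the critical-table list, the namespace rule and the block/allow policy are illustrative assumptions; a real check also covers system settings, configuration and the consistency of the transport itself.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TransportObject:
    pgmid: str      # E071 PGMID: R3TR = complete object, LIMU = sub-object
    object: str     # E071 OBJECT: object type, e.g. PROG, CLAS, TABU (table contents)
    obj_name: str   # E071 OBJ_NAME


@dataclass
class Verdict:
    transport: str
    decision: str = "allow"
    findings: list = field(default_factory=list)


# Assumption for this example: tables whose contents should never travel in an
# ordinary transport (user master/password hashes, client definitions,
# role authorizations, RFC destinations).
CRITICAL_TABLES = {"USR02", "USH02", "T000", "AGR_1251", "RFCDES"}
CODE_OBJECT_TYPES = {"PROG", "REPS", "CLAS", "METH", "FUGR", "FUNC", "INTF"}


def in_customer_namespace(name):
    # Simplified rule: Z*/Y* and /NS/ names count as customer-owned;
    # everything else is treated as an SAP standard object.
    return name.upper().startswith(("Z", "Y", "/"))


def check_transport(trkorr, objects):
    """Apply the test cases to one transport request and return its verdict."""
    v = Verdict(trkorr)
    for o in objects:
        otype, name = o.object.upper(), o.obj_name.upper()
        if otype == "TABU" and name in CRITICAL_TABLES:
            v.findings.append(f"block: table contents for security-critical table {name}")
            v.decision = "block"
        elif otype in CODE_OBJECT_TYPES and not in_customer_namespace(name):
            v.findings.append(f"block: change to SAP standard object {o.pgmid} {otype} {name}")
            v.decision = "block"
        elif otype == "TABU":
            # Customer table contents: allowed, but surfaced for the approver
            v.findings.append(f"review: table contents for {name}")
    return v


def check_all(transports):
    """Bulk evaluation of a {transport: [objects]} map, as a directory scan would do."""
    return {t: check_transport(t, objs) for t, objs in transports.items()}


# Constructed sample transports (transport IDs and object names are invented).
SAMPLE_TRANSPORTS = {
    "DEVK900123": [TransportObject("R3TR", "PROG", "ZFI_PAYRUN"),
                   TransportObject("R3TR", "CLAS", "ZCL_VENDOR_SYNC")],
    "DEVK900124": [TransportObject("R3TR", "TABU", "USR02"),
                   TransportObject("R3TR", "TABU", "ZCUST_CONFIG"),
                   TransportObject("R3TR", "PROG", "ZUTIL_CLEANUP")],
    "DEVK900125": [TransportObject("LIMU", "REPS", "SAPMF05A")],
}


if __name__ == "__main__":
    for trkorr, verdict in check_all(SAMPLE_TRANSPORTS).items():
        print(f"{trkorr}: {verdict.decision}")
        for finding in verdict.findings:
            print(f"  - {finding}")
```

With the sample data, DEVK900123 (custom code only) is allowed, DEVK900124 is blocked because it would overwrite USR02 contents, and DEVK900125 is blocked because it modifies a standard SAP program. In a real pipeline the "block" decision is what stops the import in the TMS queue or the ChaRM approval step, and the findings are what the developer receives as remediation guidance.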


Licensing

Onapsis Control for Transports is licensed as an annual subscription based on the number of target systems. Subscription includes access to all updates available for the respective software license, technical support, and a dedicated account manager.

The Onapsis Platform

Onapsis Control for Transports is part of the Onapsis Platform. The Platform focuses on four pillars of business-critical application security that directly target interconnected risk: vulnerability management, threat monitoring, compliance automation, and application security testing.


Table 1: Onapsis Control for Transports Features And Benefits

Feature: Benefit

Comprehensive Transport Scan Engine: Scan transports in seconds to validate them for completeness, security, consistency, and changes to critical data prior to importing into production. Scans development objects, system settings, application configuration, and data.

Flexible Deployment Options: Can be deployed to inspect transport requests individually or with centralized bulk security evaluations of full transport directories.

Broad Library of Transport Test Cases: Hundreds of test cases are available out of the box and incorporate the latest threat intelligence from the Onapsis Research Labs. Test case domains include but are not limited to security, compliance, data loss prevention, robustness, and maintainability.

Full Transport Risk Analysis: Pair with Control for Code to scan both the code and the transport construction itself for errors, threats, and vulnerabilities prior to release into production. Simulate the effect of transports prior to import. Block bad transports from entering production, preventing critical system downtime and production issues.

Transport Threat Detection: Continuously monitor released transports in the transport directory and automatically receive notification if they contain suspicious content.

SAP Workflow Integrations: Seamless integration with SAP ChaRM (Change Request Management) and SAP TMS (Transport Management System).

Leading Third-Party Vendor Integrations: Seamless integrations with workflow management tools from Rev-Trac and Basis Technologies enable transport inspection for SAP application development.

Table 2: Onapsis Control Technology Components and Description

Technology Component: Description, followed by deployment details

Central System: Collects communication event and transport data from all systems. The Cockpit is used to run transport scans, and Finding Manager is used to view results. Deployment: can be a separate SAP system or part of an existing SAP system.

Source Systems: Development and QA systems that send the transport request to be checked by the Central System. The transport request is also checked prior to import into production. Deployment: existing SAP system environment.

SAP Systems Supported: SAP S/4HANA 1709, 1809, 1909, 2020, 2021, 2022 (and later releases); SAP S/4HANA Cloud Extended Edition (EX); SAP NetWeaver 7.00 or higher.