Threat briefing - P4CHAINS (in French)

On Demand

Research from the Onapsis Research Labs has informed SAP security notes since 2009. To date, its teams have discovered 1,000 zero-day vulnerabilities.

In recent months, working with SAP and its research teams, the Onapsis Research Labs discovered and helped remediate a series of vulnerabilities in SAP applications. The response from SAP's PSRT (Product Security Response Team) was rapid and effective, as part of its ongoing collaboration with Onapsis to protect SAP customers.

In this webinar, one of our researchers will walk through this series of vulnerabilities (P4CHAINS) and present our security recommendations for addressing them.

Onapsis Optimization Services: Gain Expert Insight and Best Practices Guidance

The Challenge

Today’s IT and InfoSec Teams Lack Time and Resources 

Business-critical applications are the lifeblood of an organization, and an attack against any of them has the potential for a devastating impact across the entire organization. That’s why more than 20% of the Fortune 100 choose to partner with Onapsis to solve the challenges of vulnerability management, threat monitoring, and application security testing for their business-critical applications. Onapsis is proud to be an Oracle partner and the only application security and compliance platform in the SAP Endorsed Apps Program. Digital transformation projects, including cloud migration and modernization of critical systems, are necessary but create time and resourcing challenges for already constrained IT teams. Security teams may have implemented solutions but lack the time, knowledge, expertise, and staff to better optimize them to the specific needs of the business.

48% of cybersecurity professionals say they do not have enough time for proper risk and assessment management due to low staffing levels 1
31% of cybersecurity professionals say the overwhelming workload is the most stressful aspect of their job 2

The Solution

Leverage Onapsis Experts To Assist Your Team 

Under-resourced teams can now get the help they need. Paired with Onapsis experts, they receive guidance, including Onapsis best practices for configuring and optimizing our solutions to ensure ongoing operational value. Our team begins by working with you to evaluate your existing Onapsis products and identify gaps between desired outcomes and current use. The evaluation covers the assets, systems, and code currently being scanned, the security rules and checks operational in your environment, and the related workflows. Our experts also work with your teams on how to better incorporate Onapsis technology and threat intelligence into day-to-day processes. The goal of the optimization service is not only to tune the products but also to align IT and Security teams by sharing our deep product knowledge and capabilities.

Our experts share their knowledge so you can implement our best practices and ensure our latest product innovations are delivering business value. Once this phase is complete, an optimization plan is created, including a detailed gap analysis with recommendations and best practices. This plan is then implemented in your environment in a paired delivery model. This may consist of, but is not limited to, aligning policies and security controls, creating alerts and notifications, implementing automation functionality, and prioritizing vulnerabilities in applications as well as code. It may also include integrating Onapsis products with your existing tools and processes. The service concludes with a training session and documentation to ensure continued optimization of your Onapsis investment.

Onapsis Assess and Comply Vulnerability Analysis and Mitigation Service

Focus on Your Most Critical Risks 
Improve your team’s ability to prioritize and mitigate vulnerabilities as well as implement patches in less time 

Enable Frictionless Audits
Align security controls to compliance policies and leverage automation tools 

Streamline Efforts and Eliminate Complexity
Implement a framework that integrates with existing change processes and cyber governance

Onapsis Defend Detection Baseline and Fine Tuning Service

Personalize Alerts for Better Risk Management
Tune alerts tailored to your most critical systems and risks to better protect your environment

Extend Threat Visibility Across Your Environment
Empower your security team by integrating threat monitoring with other security tools, including your SIEM 

Improve Time to Mitigation
Triage and prioritize incidents using a response framework designed for your business

Onapsis Control Code Analysis and Mitigation Service

Build Aligned Security and Development Teams
Learn best practices to better integrate security early and often into the application development lifecycle process 

Identify Critical Risks Faster
Understand how to prioritize and mitigate the most critical code vulnerabilities that can negatively impact systems 

Enable Easier Code Migration
Learn how to best "clean" your code and get it ready for migration projects such as SAP S/4HANA and RISE with SAP


References

1 (ISC)² Cybersecurity Workforce Study, 2022
2 ESG Research Report, The Life and Times of Cybersecurity Professionals 2021 Volume V, 2021

Onapsis Optimization Services

Available for each Onapsis Product. Includes Onapsis expert assessment and the creation and implementation of an optimization plan across product tuning, training, and team alignment.

Business-critical applications are the lifeblood of an organization, and an attack against any of them has the potential for a devastating impact across the entire organization. That’s why more than 20% of the Fortune 100 and close to 30% of the Forbes Global 100 elect to partner with Onapsis to solve their biggest application security challenges. 

Although Onapsis products are easy to deploy, integrate, and maintain, competing transformation projects and ongoing challenges with limited resources and flat (or declining) budgets frequently prevent customers from fully leveraging the technology and maximizing the value of Onapsis in their environment. 

Onapsis Optimization Services are designed for customers who want to take their Onapsis deployment to the next level. Our Onapsis Professional Services team delivers Optimization Services for each of our products to help teams better operationalize security best practices and maximize their return on investment. Each service begins with in-depth discovery of how Onapsis is currently deployed and operating within your environment. Deep technical analysis of product usage is paired with opportunities and best practices to operationally tailor the product platform (including external integrations) to achieve the desired outcomes.

This service is more than product tuning, however. The exercise also analyzes team alignment, skill sets, and best practice implementation. Our team of experts creates detailed documentation and action plans to ensure your teams, both today and tomorrow, have a blueprint for success to follow.

“In addition to tuning our investment, Onapsis better aligned our InfoSec, SAP Basis, and IT teams on best practices. Guidance on customized, in-depth workflows, mitigation processes, prioritization, and best practices for SLAs has allowed us to identify and mitigate risk more effectively.”

– InfoSec Manager, Fortune 500 Energy Company

How Onapsis Optimization Services Work

Onapsis offers Optimization Services aligned to products implemented in the customer environment. This includes services for Assess (with or without Comply packs), Defend, and Control.

Table 1: Onapsis Assess & Comply Optimization Services Features & Benefits

Description | Benefits
Cross-functional workshops | Alignment of cross-functional teams for an effective risk identification and remediation process
Vulnerability scanning validation | Run vulnerability scans to confirm that appropriate configuration, asset tagging, and scan cadence have been enabled; update as needed
Patch management process identification | Identify the current patch management process and its SLAs, and confirm that patch mitigation activities meet SLA expectations
Vulnerability identification assessment | Review discovered vulnerabilities and whether they are tracked in a central repository in line with best practices; update as needed
Issue tracking workflows and validation | Assess whether issues are tracked in a central repository for response; update as needed
Vulnerability prioritization | Develop and implement a vulnerability identification and prioritization process aligned with desired business outcomes
Compliance policy identification | Determine whether the policies needed for compliance audits have been implemented; update as needed
Creation of customized policies | Align compliance policies with security controls to automate the audit process; update as needed
Workflow tool integration | Integrate workflow tools such as ITSM for remediation
RACI matrix and PS Visio task workflows | Customized process documentation for the vulnerability management process, including roles, responsibilities, SLAs, mitigation process, and workflows
Paired implementation and knowledge transfer | Hands-on training and enablement to ensure future adherence to best practices

Table 2: Onapsis Defend Optimization Services Features and Benefits

Description | Benefits
Cross-functional workshops | Alignment of cross-functional teams across Security Operations, InfoSec, SAP Basis, and Onapsis for an effective risk identification and remediation process
Threat monitoring validation | Analyze notable events and confirm that monitoring has been implemented for target systems
Critical and high vulnerability alerts | Configure alert notifications to trigger and send emails when continuous monitoring finds notable events
Inventory status alerts | Activate alert notifications to trigger and send emails when assets go offline
Notable event and incident review | Determine whether current notable events and incidents are aligned to incident profiles; update as needed
SIEM integration | Integrate your SIEM to receive log data and incident profile results
Incident tracking workflows and validation | Assess whether incidents are tracked in a central repository for response; update as needed

Table 3: Onapsis Control Optimization Services Features and Benefits

Description | Benefits
Cross-functional workshops | Alignment of cross-functional teams across Security, Application Development, Basis, and Onapsis for an effective risk identification and remediation process covering code development and transport
Code scan validation | Run a code scan to confirm that code test cases are configured correctly; update as needed
Code remediation validation | Validate the code remediation process methodology; update as needed
Code vulnerability analysis and prioritization adjustment | Confirm that code vulnerability prioritization is aligned with business outcomes; update as needed
RACI matrix and PS Visio task workflows | Customized process documentation for the secure code development process, including roles, responsibilities, SLAs, mitigation process, and workflows
Paired implementation and knowledge transfer | Hands-on training and enablement to ensure future adherence to best practices

Onapsis Health Check Services

Available for each Onapsis product. Onapsis Health Check Services includes expert analysis of usability and a personalized plan with specific recommendations to help customers improve product performance and maximize return on investment.

Onapsis Health Check Services address the resourcing and budget constraints described above and help teams make the course corrections needed to get back on track. Our Professional Services team delivers Health Check Services for all Onapsis products with the goal of helping customers better align usage and optimize their environment. Each service begins with a point-in-time capture of existing product usage: a comprehensive customer technical survey and an evaluation of your current Onapsis deployment, including validation of the security rules and checks that are operational on your systems. Our experts analyze the output of point-in-time product scans and the survey data to produce a detailed gap analysis with recommendations and best practices for remediation. Within a few weeks, customers receive an actionable plan for aligning their environment with best practice usage of Onapsis. These personalized recommendations cover how to adjust team alignment, technically optimize the product, and integrate the tools and processes already in use.

“Onapsis helped us identify concrete actions to take in order to improve our company processes for vulnerability management and better mitigate risk.” 

– Director of IT, Risk, and Compliance, Fortune 500 Manufacturing Company

How Onapsis Health Check Services Work

Onapsis offers Health Check Services aligned to the products that are implemented in the customer environment. This includes services for Assess, Defend, and Control. Customers can purchase multiple health check services based on what is deployed.

Table 1: Onapsis Health Check Services Features and Benefits

ONAPSIS ASSESS HEALTH CHECK
Description | Benefits
Detailed product usability survey | Measurement of current product deployment, configuration, and usage against best practice benchmarks to understand gaps
Vulnerability identification assessment | Review of discovered vulnerabilities and whether they are tracked in a central repository in line with best practices
Vulnerability scanning validation | Run vulnerability scans to confirm that appropriate configuration, asset tagging, and scan cadence have been enabled
Patch management process identification | Identification of the current patch management process
Issue tracking workflows and validation | Assessment of whether issues are tracked in a central repository for response
Assess gap analysis report | Delivery of a detailed report outlining the gap analysis between best practices and existing environment usage and deployment
Compliance policy identification* | Determine whether the policies needed for compliance audits match the Comply packs implemented
Assess and Comply gap analysis report* | Delivery of a detailed report outlining the gap analysis between best practices and existing environment usage and deployment

ONAPSIS DEFEND HEALTH CHECK
Description | Benefits
Detailed product usability survey | Measurement of current product deployment, configuration, and usage against best practice benchmarks to understand gaps
Notable event and incident review | Determine whether current notable events and incidents are aligned to incident profiles
Incident tracking workflows and validation | Assessment of whether incidents are tracked in a central repository for response
Asset configuration baseline check | Validation that SAP asset configuration baselines have been established per system type
SIEM integration check | Identify whether a SIEM integration exists and is optimized to receive data
Defend gap analysis report | Delivery of a detailed report outlining the gap analysis between best practices and existing environment usage and deployment

ONAPSIS CONTROL HEALTH CHECK
Description | Benefits
Detailed product usability survey | Measurement of current product deployment, configuration, and usage against best practice benchmarks to understand gaps
Code scan results assessment | Assessment of discovered code vulnerabilities and their prioritization for remediation
Code scan validation | Run a code scan to confirm that code scans are configured correctly
Code remediation validation | Validate the code remediation process methodology
Control gap analysis report | Delivery of a detailed report outlining the gap analysis between best practices and existing environment usage and deployment

*Available for customers with Comply pack licenses

Onapsis Comply Packs For Onapsis Assess

Automatically Audit IT Controls Across Your SAP Landscape
Eliminate Time-Consuming Manual Efforts for Testing Controls and Collecting Audit Evidence

Challenge

Increased Compliance Pressure and Enforcement for Sensitive SAP Data

Business-critical applications powered by SAP hold the customer, financial, product, employee, and other data needed to keep the organization running and progressing. This type of sensitive data is also heavily regulated by financial and privacy directives (e.g., SOX, PCI DSS, GDPR), and the consequences of non-compliance are becoming increasingly steep. Regardless of industry, the pressure to maintain compliance, provide evidence of high security standards, and avoid significant financial and reputational damage has never been greater.

IT general controls testing underpins many of these compliance requirements and regulatory frameworks. Unfortunately, testing IT general controls and collecting audit evidence for business-critical SAP applications is labor-intensive and, because it is manual, highly prone to error. How many thousands of hours have your under-resourced teams spent in the past year on menial audit tasks instead of making progress on more valuable projects and initiatives?

54% of organizations say their cyber and security program is unable to help avoid getting their organization in trouble with regulators 1
~70% of cybersecurity workers feel their organization doesn’t have enough cybersecurity staff to be effective 2

Solution

Right-Sized, Frictionless Audit Capabilities with Onapsis Comply Packs

Transform Onapsis Assess into a powerful SAP audit engine with Onapsis Comply packs. Powered by research and insights from the Onapsis Research Labs, these add-on packs generate the automated testing and evidence you need to quickly validate that IT general controls are in alignment with various regulatory requirements (e.g., SOX, NIST/ISO, GDPR, NERC CIP, PCI DSS).

  • Eliminate manual efforts around testing and collecting audit evidence
  • Identify potential violations earlier and gain prioritization capabilities to stay ahead of auditors
  • Consume only what you need with right-sized policy packs that fit your exact compliance needs

Automate Controls Testing & Evidence Collection

  • Automatically Identify Deficiencies & Potential Findings
    Comply packs evaluate target SAP systems against IT general controls-related elements of various regulations and frameworks (e.g., SOX, GDPR, NIST, ISO)
  • Improve Accuracy and Reduce Manual Effort
    Reduce human error in controls testing and evidence collection for more accurate and repeatable results
  • Offset Cybersecurity Staffing Shortages
    Automating manual efforts frees up resource hours and enables teams to work on higher-value projects that drive the business

“We reduced repeat ITGC deficiencies by over 40%.”

– F500 Consumer Goods Company

Gain Right-sized, Frictionless Audit Capabilities

  • Choose the Amount and Type of Content You Need
    Comply packs are based on regulations or frameworks, so you can pick and consume only the policies you want for your compliance needs
  • Keep Up with New Risks and New Controls
    The Onapsis Research Labs regularly updates policies and generates new ones based on changes in regulations and their latest security intel

“We reduced the time we spend preparing for audits by 99%”

– F100 Chemical Company

Achieve Immediate Value with Out-of-the-Box Policies for Onapsis Assess

With Onapsis, you can choose the right Comply add-on pack license(s) for your internal and external audit needs with regularly updated policies focused on popular regulations and security frameworks. You can also customize these policies in Assess to meet your exact business needs.

  • Sarbanes-Oxley (SOX)
  • Data Privacy (GDPR)
  • PCI DSS
  • ISO / NIST (ISO/IEC 27001, NIST SP 800-53, and NIST SP 800-171)
  • NERC CIP

 “We’ve automated 83% of our ITGC tasks” 

– F500 Manufacturing Company


1 A C-suite United on Cyber-Ready Futures: Findings from the 2023 Global Digital Trust Insights, PwC, 2022  
2 Addressing the cybersecurity workforce staff shortage, SecurityMagazine, 2022
3 Requires Onapsis Assess subscription license(s)

Protecting Your Company from SAP Cyber Threats: A CEO Fireside Chat

ON DEMAND

Drawing on more than three decades of experience in enterprise security, founders and CEOs Mariano Nunez (Onapsis) and Richard Hunt (Turnkey) share their lessons learned and offer practical tips and best practices for securing your organization. The discussion examines how the approach to SAP security has shifted, the most significant threats facing organizations today, and where SAP security fits within the larger context of cybersecurity.

Onapsis Research Labs: April 2023 Patch Tuesday Security Briefing

On Demand Webinar

The threat intelligence and research from the Onapsis Research Labs power the security responses of the largest ERP vendors. To date, the Labs have discovered and helped mitigate well over 1,000 vulnerabilities and zero-day threats, far and away the most of any threat intelligence group.

Over the past few months, the Onapsis Research Labs has continued its close working relationship with SAP and the SAP Product Security Response Team (PSRT), helping to investigate and remediate a family of vulnerabilities in SAP core systems. The SAP PSRT response has been rapid and comprehensive, demonstrating its continued commitment to protecting all SAP customers in partnership with Onapsis.

In this security briefing the Onapsis Research Labs will cover this family of vulnerabilities and provide our insights and security recommendations for you and your team.

CIO’s 2022 Transformation Report Card

Top trends and insights on how executives can approach their transformation initiatives.

Digital transformation and innovation remain a top priority for tech executives, but how are these projects going? And, are they delivering tangible benefits to the business?

Read this report to:

  • Discover how leaders are measuring ROI from their transformation initiatives related to efficiency, productivity, and the ability to support new business models and products.
     
  • Explore the key factors that are separating successful transformation initiatives from failing projects.
     
  • Understand how leaders are scoping initial projects and establishing important metrics.
     
  • Learn how CIOs are increasing collaboration between business and IT, addressing change management challenges, and putting innovation in the hands of the entire organization.