Page 27 – Onapsis

DevSecOps for SAP S/4HANA Migrations

October 28, 2021/in Webinars/by Josue

SAP S/4HANA migration projects are a huge undertaking involving your organization’s most mission-critical applications. Your business relies on these applications to function, so ensuring they stay secure, compliant, and available throughout migration and beyond is absolutely critical.

Executive Panel: The CISOs Role as a Leader in Digital Transformation

October 28, 2021/in Webinars/by Josue

Digital transformations promise efficiencies, customer satisfaction and new revenue opportunities, but they also vastly expand a company’s risk surface across new cloud, mobile applications and next-generation database technologies. CISOs must adapt their organizations to this new attack surface, or face the consequences.

5 Reasons Why You Need Vulnerability Management for Business-Critical Applications

September 15, 2021/in White Papers/by Josue

Secure your business-critical applications. Here are five reasons why you need vulnerability management capabilities for SAP, Oracle, and other enterprise systems.

Active Cyberattacks on Business-Critical SAP Applications

April 5, 2021/in Reports/by Josue

A critical cybersecurity blind spot impacting how many organizations protect their business-critical SAP applications is detailed in this joint report from Onapsis and SAP. Learn how threat actors are actively targeting these unprotected SAP applications.

Onapsis Protecting Your Mission-Critical App: How to (Properly) Understand Your Risks

March 9, 2021/in Webinars/by Josue

Mission-critical applications such as ERP, Financial Management, HCM, CRM, PLM, and SCM are essential for achieving your organization’s strategic objectives—which is why you should focus on the associated risks and costs of security, privacy, and regulatory compliance.

To evaluate and quantify the value of solutions that are designed to help manage your risks and reduce your operational costs, start by establishing a proper understanding of risk.

Watch this webinar to learn how to protect your mission-critical applications by:

Enabling the business value
Focusing on the risk and costs related to security, privacy and regulatory compliance
Establish a proper understanding of risk
Evaluate and quantify the value of solutions designed to help manage risk and reduce operational costs

You will also be able to download a knowledge brief to learn about how Best-in-Class companies utilize the dual role of contemporary IT and Security professionals in order to make strategic decisions to meet business objectives.

Volume XVII: Remote Function Call: The Whole Picture

February 7, 2021/in Publications/by Luciana Tabo

The aim of this publication is to fully introduce and explain the concept of Remote Function Call (RFC) and the impact on the Gateway and Message Server. We will focus not only on the importance of it, but also how to implement secure communication in your landscape.

Onapsis strives to provide the most complete security coverage from SAP for our customers in The Onapsis Platform (OP). It contains several modules in order to detect security levels of the RFCs, the Gateway and the Message Server.

Download this SAP Security In-depth publication to learn more.

Cybersecurity Experts Discuss How Businesses are Protecting Themselves to Remain Cyber Resilient

January 13, 2021/in Videos/by Josue

SAP Transport Inspection

December 21, 2020/in Solution Briefs/by Josue

Avoid Import Errors, Business Outages, Downgrades, Security Vulnerabilities and Compliance Violations by Inspecting all Transports Before Import

How Onapsis Transport Inspection Works

Onapsis transport inspection is based on over 150 test cases that have been developed over many years of experience with customer projects, focusing on five main areas security, compliance, robustness, maintainability and data loss prevention. Addressing transport issues from multiple angles helps ensure your applications remain secure, compliant and stable. Below are some examples of what is covered by each area.

Security

Identifies hidden transport content, deactivation of authority checks, unnoticed execution of reports and function modules after import, manipulation of logical file, path definitions, jobs and OS commands

Compliance

Reports on missing authorization group in maintenance dialog or table, inadequate settings for table logging and client dependent tables

Robustness

Checks for completeness of all objects, downgrades, correct versions of referenced objects, accidental deletion and overwriting of table content and forecast of critical database activities

Maintainability

Detects missing packages and namespace definition, invalid or missing repair key for namespace definition, modification of SAP objects and third-party objects, Cl-includes and append structures of SAP tables

Data Leak Prevention

Generates warnings in case of table data with password hash values, information about the personal security environment (PSE), HR master data and critical HR customizing

All discovered issues include a level of criticality, an explanation of the vulnerability, business impact and remediation guidance. This gives you essential context to understand if you want to accept the risk and how to prioritize remediation for those findings you elect to fix.

Transports, although essential for SAP change management, can also introduce harmful or incorrectly configured content that puts system security, compliance and stability at risk. Onapsis helps mitigate these risks by inspecting every transport (including third- party) before it is released or imported and continuously monitoring the transport queue for critical security findings.

Prevent system downtime, damage to target systems, import errors and downgrades
Protect sensitive data from manipulation and espionage, which could result in security or compliance violations
Find issues earlier when they are easier and less expensive to fix
Block transports with harmful content before they are released
Receive actionable remediation guidance for each issue Inspect third-party transports before importing into your system

Building Onapsis Transport Inspection into Your Processes

There are two main types of implementation for transport inspection-“real time” transport inspection, which addresses all five types of issues described above, and continuous monitoring of the transport queue, which focuses on security and compliance.

Implementation Type 1: “Real Time” Transport Inspection

The first implementation type integrates at two critical steps of the standard transport process-first, before a transport is released and exported from the development system and second, before a transport is imported into production. While the focus of the first integration point is more on security and compliance, the added value of the second integration point lies in the knowledge about which transports will be imported together. This enables the transport inspection to identify potential missing objects as well as any downgrades to be expected.

Step 1: Scan Each Transport Automatically before Export/Release

Focuses on security and compliance. Nevertheless, checks on missing objects are also possible by analyzing the transport’s objects and checking how they fit into the QA system.

Transport scan is triggered when someone tries to release and export a transport from DEVIf no findings, the transport proceeds as normal to release
If findings, results are presented in SAP Transport Management System user interface with a description of the finding, business impact, criticality and remediation guidance
Depending on the Risk Grading associated with the finding and depending on the developers’ authorizations, they can fix these issues and reload, continue or cancel the transport request. Or, they must request an approval, in which case all configured approvers will be notified via SAP Office Mail about this transport
If one approver approves, the transport is released, and the creator informed. If not approved, the transport is canceled, and the creator informed

Example “real-time” scan results in Eclipse development environment.

Step 2: Scan Transports Automatically before Import

Focuses on object completeness and consistency. In order to do that, all transports that are marked for import are analyzed together. The aggregated object list of all those transports is checked for referenced objects that are missing-and thus would result in import errors, downgrades, outages and performance problems.

Transport scan is triggered when someone tries to import one or multiple transports into the system
If no findings, the import proceeds as normal
If findings, results are presented in SAP Transport Management System user interface with a description of the finding, business impact, criticality and remediation guidance
The user who started the import can either accept the findings and continue or he or she can skip the import process to follow the remediation guidance

Example inspection results from prior to transport import.

Implementation Type 2: Continuous Monitoring of the Transport Queue

The second implementation type is not directly integrated into the transport process-instead, it is based on continuous monitoring of the transport queue, focusing solely on identifying security and compliance issues (e.g., new objects or content that would bring vulnerabilities into the production environment and potentially harm the system or lead to data theft or data loss).

Steps:

Transports are scanned in the background once they have been released and exported (these scans can be scheduled to run at regular intervals per user preference)
If errors are found, notifications are sent to assigned people showing the results of the scan
Detailed scan results, along with remediation guidance, can be viewed by logging into the system

SAP Custom Code Analysis

December 21, 2020/in Solution Briefs/by Josue

Find Quality, Security and Compliance Issues ABAP, SAPUI5 (FIORI), XSJS and SQLSCRIPT

How Onapsis Code Analysis Works

Onapsis code analysis is based on extensive test cases that Onapsis has developed over its many years of experience with customer projects, with a database containing patterns of the relevant practices for insecure coding, bad quality or slow code. Test cases fall into six domains, addressing code issues from all angles to ensure your applications remain secure, compliant and available. Below are some examples of common vulnerabilities by domain:

Security

Cross-site scripting, SQL injections, missing authority checks, insecure communication Compliance
Hard-coded usernames, cross-client access to business data, direct database

Performance

Usage of WAIT command, COMMIT work statement in a loop, incomplete index in WHERE condition

Maintainability

Hard-coded text in WRITE or MESSAGE, hard-coded domain, programs or methods with insufficient comment/code ratio

Robustness

Unsorted SELECT on pooled or cluster tables, hard-coded RFC destinations, missing sy-subrc checks

Data Loss Prevention

Disclosure of critical DB content, disclosure of source code, disclosure of critical variable content

All discovered issues include criticality, an explanation of the vulnerability, business impact and remediation guidance. This gives you essential context to understand if you want to accept the risk and how to prioritize remediation for those findings you elect to fix.

Manual code reviews are labor-intensive, error-prone and often fail to find all critical issues. Onapsis solves this problem by providing automatic analysis for SAP custom code, allowing you to find security, compliance and quality issues in the shortest possible time.

Reduce reliance on manual peer reviews, saving time and manpower
Find issues earlier when they are easier and less expensive to fix
Prevent critical issues from hitting production (and having exponentially worse consequences)
Receive actionable remediation guidance for each issue Validate third-party created code (e.g., contract work)

Building Onapsis Code Analysis Into Your Processes

There are multiple options for implementing Onapsis code analysis into your application development and change management processes. Many customers use a combination of approaches.

“Real-time” Scanning: Find and Fix Vulnerabilities while Coding

Receive live findings right in the development environment while you are coding
Onapsis integrates with SAP HANA Studio, Eclipse, SAP Web IDE, SAP ABAP development workbench
Developers receive an explanation of the finding, the business risk, and actionable solution, so they can remediate on the spot

Example “real-time” scan results in Eclipse development environment.

Before Release & Export: Prevent Issues from Moving to the Next System

Automatically scan before code is released to the next system
Allows you to accept risks or fix issues before deploying to the next system

Scan results are shown here.

Continuous Monitoring of Deployed Code: Protect Code in Production

Run regular scans of code that has already been deployed to production
Ensure new vulnerabilities cannot be introduced to your production environment
Check legacy code against the latest test cases, vulnerabilities and best practices

Results are shown in The Onapsis Platform

Or in the CodeProfiler Finding Manager

Safeguarding Tomorrow: Empowering SAP Customers with Advanced Cyber Risk Management

Securing SAP Business Technology Platform (BTP)

The Book on Cybersecurity for SAP

Anatomy of an Attack: C2 Incident on SAP

Your S/4HANA Cloud Journey