In Q4 2019, SAPinsider surveyed 182 members of their audience from 112 customer companies to understand their current ERP landscape, whether that landscape involves SAP S/4HANA and if they have plans to use a hyperscale environment. Download the survey report to see the results, including what percentage are moving to cloud environments, outcomes organizations have experienced and the actions they can take to ensure a successful ERP cloud strategy going forward, with a focus on SAP S/4HANA deployments in the cloud.
Industry – Automobile Manufacturer
Company Size – Top 25 Fortune 500
Challenge
Expand a comprehensive cybersecurity program to include business-critical application optimization and security to strengthen resiliency of SAP systems.
Solution
The Onapsis Platform assesses SAP for vulnerabilities and misconfigurations to understand potential business impact, define remediation strategies and set baselines. With Onapsis, the company was able to build security into projects from the start, continually monitor their entire landscape and prevent configuration drift, ensuring their business-critical applications stay secure and online.
The automobile manufacturer is a longtime SAP partner and relies on the business-application software provider's solutions for its global finance and purchasing processes, customer care and after-sales applications. The company is widely considered an early adopter of cybersecurity solutions and is recognized as an innovator among fellow Fortune 500 companies and manufacturing organizations. In 2015, the company expanded its comprehensive cybersecurity program to include business-critical application optimization and security technologies, with the goal of further strengthening the resiliency of core business applications including SAP.
The first step for the company’s cybersecurity team was to audit and inventory its SAP applications within the network to ensure the highest possible level of visibility and monitoring in support of stringent SLAs with application owners. The second objective was to develop a continuous SAP application security management process that would accelerate and prioritize risk management and drive shared, intelligence-driven remediation processes among its SAP and application owners.
To accelerate its SAP cybersecurity objectives, the automobile manufacturer partnered with Onapsis to augment and multiply the value of application management and GRC tooling provided by SAP and other vulnerability management solutions.
It implemented the SAP-certified Onapsis Platform, which combines a preventative, behavior-based and context-aware approach to detecting, identifying and mitigating risks to business operations, compliance with regulatory mandates and overall cybersecurity posture.
Scanned and remediated vulnerabilities quickly
Reduced effort and time spent on QA
Ensured all applications meet security and compliance requirements
“The main goal of our partnership with Onapsis was to automate SAP application monitoring and vulnerability management in a way that would allow our cross-functional teams to build, deploy and manage better, more resilient SAP applications faster at a lower cost,” said the Director, SAP Center of Excellence at the company. “We knew The Onapsis Platform would enable the SAP security team to show the application teams and business owners where configuration and code imprecisions were inhibiting optimal application performance, while also prioritizing vulnerabilities and SAP Security Notes. We knew this would also provide us the compensating controls necessary to exceed baseline Sarbanes-Oxley (SOX) compliance standards.”
Results
The Onapsis Platform for SAP provided immediate value for the automobile manufacturer.
“Before Onapsis, we had baseline operational and security controls for our SAP applications,” said the Director, SAP Center of Excellence at the manufacturer. “Now after implementing The Onapsis Platform, we have an enhanced level of visibility that allows us to proactively manage potential risks to the stability, integrity and performance of the applications we rely on to run our core business operations. It is truly a case where cybersecurity has enhanced the resiliency and stability of our business operations.”
“Onapsis is a true partner to us,” continued the Director. “We count on the Onapsis Research Labs to alert us to the latest critical vulnerabilities and rely on The Onapsis Platform to automate SAP risk management practices. Our teams now communicate more effectively and Onapsis has become an integral part of our overall cybersecurity strategy.”
Industry – Advertising
Company Size – 54k+ employees, >$9B revenue
Background
Like many large companies, this multi-national advertising company relies on SAP as a key component of its business. Its SAP implementation processes $6.0 billion a year, has 30,000+ users across 20 countries and is used for almost every function, including finance, operations, reporting and analytics.
Challenge
Migrate SAP ECC to HANA while ensuring security and compliance.
Solution
The Onapsis Platform enabled the firm to complete migration one year ahead of schedule due to stable, tested applications, while strengthening security and compliance.
As a company that appeals to marketing and advertising professionals, this company wanted to be ahead of the curve, so they launched a business digital transformation project with a goal of creating shared service centers on a global instance of SAP HANA.
The champion for this project was the Vice President of Global SAP who is responsible for the uptime, performance and security of the key data and processes that are part of the SAP implementation. He was faced with the problem of moving critical data into SAP HANA and not being able to address key SAP security risks with the generic security products that the organization currently used, as none of these looked at SAP specifically.
In 2017, the vice president turned to Onapsis to address this challenge after researching organizations that are experts in business-critical application security. With The Onapsis Platform the company was able to migrate and upgrade applications in a phased approach, ensuring each phase was secure and stable before moving on to the next. This saved them significant resource time and budget as the program was able to move forward quickly after each new application or environment was tested and proven stable by Onapsis.
Scanned and remediated vulnerabilities quickly
Improved developer skills
Accelerated development
Ensured all code meets security and compliance requirements
“We could have waited to implement security after the migration, but it would have been too expensive. We were better off doing it as part of our ‘build’. As a result of our investment in the Onapsis Platform, we were able to decrease the project timeline and significantly reduce our estimated budget. A project that was originally scoped to be completed in 2020 finished a year early.”
VICE PRESIDENT OF GLOBAL SAP, MULTI-NATIONAL ADVERTISING FIRM
Results
Additionally, many SAP BASIS and security teams face an overwhelming amount of security notes from SAP, making it difficult to prioritize and configure their landscapes to ensure security. SAP BASIS and security professionals are challenged with the balance of system uptime and security and could not address this with built-in tools available from SAP. With Onapsis, both teams were able to understand each of their organization’s missing security notes as well as the business impact, helping them prioritize implementation.
As a result of working with Onapsis, the firm was able to see immediate success with the product and significant cost savings in their transformation project. If companies are not addressing SAP security they are running a big risk to their business, especially when considering the sizeable investment they’ve already made in SAP.
Continuous threat monitoring and pre-patch protection for business-critical SAP applications with Defend by Onapsis.
Customizable research-based alerts, anomaly detection, descriptions of root cause, and remediation guidance accelerate analysis and incident response.
Business-critical applications are the lifeblood of an organization, supporting financial, supply chain, sales, and other business processes. Security teams have traditionally relied on defense-in-depth strategies in an attempt to protect the application layer. Unfortunately, this layered approach is no longer sufficient for many reasons, including digital transformation and modernization initiatives eroding the perimeter. Adding insult to injury, most enterprises lag behind in applying important patches to their most critical systems.
The result is that the critical application layer is now more exposed than ever before. Threat actors have taken notice, targeting this layer directly through a variety of attack vectors and at an accelerated pace. To protect their critical business operations and data, organizations need continuous threat monitoring designed specifically for these applications. Existing defense-in-depth models surround, but ultimately neglect this layer, creating a large security blindspot. Without this visibility and context, organizations are unable to identify potential threats, understand the risk, and effectively protect their ERP systems.
Onapsis Defend uniquely addresses these challenges by enabling continuous threat monitoring, detection, and response for business-critical applications. Powered by the industry-leading Onapsis Research Labs, Defend acts as an early warning system for unauthorized changes, misuse, or cyberattacks targeting these applications. Security Operations Centers (SOCs) can automatically monitor for more than 2,000 threat indicators, including exploit activity against zero-days and known, unpatched vulnerabilities, providing “pre-patch” protection for an organization’s critical systems. Real-time alerts, easily integrated into SIEMs, provide valuable details on severity, anomaly score, root cause, and recommended remediation steps to accelerate analysis and incident response times.
“We knew moving our SAP instance to a cloud environment would introduce new risks… we can now continually monitor risk, ensure the integrity and security of our supply chain and protect our business.”
— CISO, Global Apparel Manufacturer
How Onapsis Defend Works
Sensors are deployed, either on-premises or in the cloud, to monitor the target SAP systems. Defend discovers critical assets across the full landscape and extracts data to analyze for notable security events and user activity. Full visibility into the details of each incident includes the context, severity, anomaly score, root cause, and recommended action for remediation. Incidents can be managed within the console or assigned to external tools and shared with additional stakeholders. The integration framework and configuration interface allow incidents within SAP systems to be exported to SIEM and syslog tools for further investigation.
Security And Compliance
Onapsis’ highest priority is the security of our software and the confidentiality, integrity, and availability of customer information as it flows through that software. We embed the strongest possible security measures into our software development life cycle (SDLC) and into the operating system, database, web security, and logging layers of our products. Onapsis contracts with accredited third-party auditing companies who have audited our SDLC process, and we hold the following certifications: ISO 9001, ISO 20243:2018, ISO 27001:2013, SOC 1 Type 1/2, SOC 2 Type 1/2, and Veracode Verified Program. Our product design and development requirements follow the OWASP ASVS v4 framework or other industry standard guidelines.
Onapsis Professional Services
Achieve your business objectives at every stage of your journey. Onapsis’ comprehensive professional services offerings target:
Implementation: A paired delivery approach to accelerate time-to-value
Education: Knowledge for teams to successfully operate our platform
Optimization: Enable continuous improvement and alignment to business needs
Administration: Alleviate resource constraints
Onapsis Research Labs
The award-winning Onapsis Research Labs is a team of cybersecurity experts who combine in-depth knowledge and experience to deliver security insights and threat intel affecting mission-critical applications from SAP, Oracle, and SaaS providers. They have discovered over 1,000 zero-day vulnerabilities, and multiple critical global CERT alerts have been based on their novel research. Onapsis automatically updates its products with the latest threat intelligence and other security guidance from the Onapsis Research Labs. This provides customers with advance notification of critical issues, comprehensive coverage, improved configurations and pre-patch protection ahead of scheduled vendor updates.
Licensing
Onapsis Defend is licensed as an annual subscription based on the number of target systems. Subscription includes access to all updates available for the respective software license, including Onapsis Research Labs threat insights, technical support, and a dedicated account manager.
Additional premium licenses for Onapsis Defend are available to extend its capabilities:
Network Detection Rule Pack: This subscription license grants access to regular updates of Snort®* rules for the most critical and network-detectable threats. These vendor-agnostic rules can be imported across an enterprise security stack into existing network security products to provide organizations with an additional layer of defense.
Threat Intel Center: This subscription license grants access to a centralized repository of new and ongoing threat research, directly from the Onapsis Research Labs, within the Onapsis Platform. The Threat Intel Center provides a detailed, high-impact view of the evolving SAP threat landscape with one-click access to a comprehensive research library within the Onapsis Platform.
The Onapsis Platform
Onapsis Defend is one-third of the Onapsis Platform. The Platform provides complete attack surface management for ERP landscapes, focused on business-critical application security that directly targets interconnected risk: vulnerability management, threat monitoring, compliance automation, and application security testing.
Onapsis is proud to be an Oracle partner and the only application security and compliance platform invited to the SAP Endorsed Apps Program.
Table 1: Onapsis Defend Features And Benefits
(Feature – Benefits)

Detection Rules – 2,000+ detection rules across a wide range of SAP assets (e.g., ABAP, JAVA, HANA, SAProuter) identify notable security events, including inappropriate privilege escalation, system misconfigurations, indicators of compromise or known exploits, dangerous RFC or program executions, user access misuse or abuse, and more.
Zero-Day Detection Capabilities – Detection rules triggered by the potential exploitation of vulnerabilities for which SAP has not yet released a security note ("patch"), and which have not been publicly disclosed. This gives users protection from attacks against critical vulnerabilities as early as possible.
Predefined Incident Profiles – Used to specify which events or activities users want to be alerted to that may require immediate action or further investigation. Defend includes several predefined incident profiles to help users get started with monitoring SAP systems. These profiles create an incident to notify users when the actions specified in the profile have occurred on the targeted assets (e.g., an intrusion attempt or other negative behavior).
Customizable Incident Profiles – Define the criteria used to trigger incident notifications, so users are only alerted to activity that they have deemed significant enough to require notification, immediate action, or further investigation. This includes customization to mitigate threats related to user actions such as key operations, authorization assignments, and sensitive data access.
Root Cause Identification and Recommended Actions – Incident context, severity, root cause, and recommended mitigation actions are provided for each event and incident to support and accelerate investigation and response efforts.
AI-based Anomaly Detection – Each recorded activity includes an anomaly score (0-100) based on machine learning models developed by the Onapsis Research Labs, with higher scores denoting larger threats and business impact. These scores can also be used to further customize and create incident profiles unique to your organization. This helps users better direct mitigation and remediation efforts to the most suspicious or anomalous threats facing their organization.
Onapsis Research Labs Threat Intelligence – Detection rules automatically incorporate the deep research from the Onapsis Research Labs. Updates with the latest threat intelligence and other security guidance from the Onapsis Research Labs are included at no cost. This provides advance notification of critical issues, configurations and pre-patch protection ahead of scheduled vendor updates.
SIEM Integrations – Import Defend issues and incidents into existing SIEMs and workflows used by the SOC. The integration allows incidents within SAP systems to be incorporated into the wider security management and incident response process.
Premium Add-on License: Network Detection Rule Pack – Includes regular updates of Snort* rules defined by the Onapsis Research Labs. These rules extend Onapsis threat intelligence to network security applications, augmenting their ability to detect (and potentially stop) the most critical, Onapsis-researched threats to ERP applications. Snort rules are open source and vendor agnostic, allowing broader distribution across multiple layers of an organization’s defense-in-depth security stack.
Premium Add-on License: Threat Intel Center – Delivers a regularly-updated and curated library of new and ongoing threat research directly from the Onapsis Research Labs. The Threat Intel Center provides one-click access to comprehensive research designed both to educate cybersecurity team members and to give cybersecurity leaders organization-specific business impact.
Table 2: Onapsis Defend Components and Description
(Technology Component and Description – Details)

Supported Business-Critical Systems – All SAP applications that run on:
SAP NetWeaver ABAP
SAP NetWeaver JAVA
SAP HANA Database
SAProuter
Console – Provides the management and reporting interface for the Onapsis Platform. Deployable on-premises or in the cloud.
Sensors – Virtual devices that find and analyze systems. Deployable on-premises or in the cloud. Each installation requires at least one sensor. The number of sensors needed is based on landscape size, complexity, and network segmentation. The sensor receives updates from the console.
Virtualization Technology – The console and sensor(s) are delivered as a pre-built virtual appliance in Open Virtualization Appliance (OVA) format. The OVA is self-contained and includes a Linux-based OS and the Onapsis solution.
Supported virtualization platforms: VMware, KVM, Microsoft Hyper-V
Supported cloud platforms: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)
ABAP and Java Add-Ons (SAP-Certified) – Discover ABAP and Java systems and extract technical information for analysis in the Onapsis Platform. The add-on runs as a component on top of your SAP systems and, therefore, does not interact with any functional (business-related) SAP modules.
Browser Compatibility – Supported browsers: Google Chrome (recommended), Microsoft Edge, Mozilla Firefox, Apple Safari
SIEM and Syslog Integration – Integration profiles can be created to send incident data to Security Information and Event Management (SIEM) and syslog tools for correlation, reporting and investigations.
Supported integrations: Splunk, Microsoft Sentinel, IBM QRadar, ArcSight Enterprise Security Manager, Elasticsearch Kibana. Other integrations are possible if the SIEM can listen for incoming syslog traffic and ingest LEEF, CEF or JSON formats.
Network Detection Rule Pack^ – Vendor-agnostic, open-source rules formatted to support Snort* 2.0+
^ Requires purchase of the premium add-on Network Detection Rule Pack license. * Snort is a registered trademark of Cisco. All rights reserved.
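The SIEM and syslog export above (LEEF, CEF or JSON) and the incident profiles built on severity and the 0-100 anomaly score are the two pieces a SOC has to join up on the receiving side. The following is an added example, not Onapsis code, of what that consumer has to get right: CEF header fields escape "|" and extension values escape "=", CEF custom fields carry their meaning in a paired cnNLabel key, LEEF 1.0 separates attributes with tabs while LEEF 2.0 declares its own delimiter, and an incident profile is then a threshold applied over the normalised events. The sample lines, the key names (suser/usrName, sev, anomalyScore, the cn1/cn1Label pairing) and the profile thresholds are constructed for illustration and do not reproduce Defend's actual export format.

```python
"""Parse CEF/LEEF syslog events and evaluate them against a threshold-style incident profile.

Added example for this page, not Onapsis code: the sample events and key names
(suser/usrName, sev, anomalyScore) are constructed and do not reproduce Defend's real export."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_CEF_PAIR_SPLIT = re.compile(r" (?=[\w.\-]+=)")  # a space followed by "key=" starts a new pair
_ESCAPES = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}

@dataclass
class Event:
    fmt: str                # "CEF" or "LEEF"
    event_id: str           # CEF signature id / LEEF event id
    name: str               # CEF name; LEEF carries none, so the event id is reused
    severity: int           # 0..10
    fields: Dict[str, str]  # extension / attribute pairs

    @property
    def user(self) -> Optional[str]:
        return self.fields.get("suser") or self.fields.get("usrName")

    @property
    def anomaly_score(self) -> Optional[int]:
        v = self.fields.get("anomalyScore", "")
        return int(v) if v.isdigit() else None

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), s)

def _split_header(body: str, nfields: int) -> Tuple[List[str], str]:
    """Take nfields pipe-delimited fields (honouring backslash escapes) and return them plus the raw rest."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < nfields:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped char, e.g. "\|" inside a name field
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < nfields:
        raise ValueError(f"expected {nfields} header fields, got {len(fields)}")
    return fields, body[i:]

def _severity(raw: str) -> int:
    return max(0, min(10, int(raw))) if raw.strip().isdigit() else 0

def _parse_cef(body: str) -> Event:
    (_ver, _vendor, _product, _dver, sig_id, name, sev), ext = _split_header(body, 7)
    fields: Dict[str, str] = {}
    for pair in _CEF_PAIR_SPLIT.split(ext.strip()):
        if "=" in pair:
            k, v = pair.split("=", 1)
            fields[k] = _unescape(v)
    for k, label in list(fields.items()):   # cn1=91 cn1Label=anomalyScore -> anomalyScore=91
        if k.endswith("Label") and k[:-5] in fields:
            fields[label] = fields[k[:-5]]
    return Event("CEF", sig_id, name, _severity(sev), fields)

def _parse_leef(body: str) -> Event:
    nfields = 6 if body.startswith("2.") else 5    # LEEF 2.0 adds a delimiter header field
    hdr, attrs = _split_header(body, nfields)
    delim = "\t"
    if nfields == 6 and hdr[5]:                    # a literal char, or "x" + hex code point
        delim = chr(int(hdr[5][1:], 16)) if hdr[5][0] in "xX" and len(hdr[5]) > 1 else hdr[5]
    fields = dict(p.split("=", 1) for p in attrs.split(delim) if "=" in p)
    return Event("LEEF", hdr[4], hdr[4], _severity(fields.get("sev", "")), fields)

def parse_line(line: str) -> Event:
    """Parse one syslog line; anything before the CEF:/LEEF: marker (PRI, timestamp, host) is skipped."""
    for marker, parser in (("CEF:", _parse_cef), ("LEEF:", _parse_leef)):
        idx = line.find(marker)
        if idx >= 0:
            return parser(line[idx + len(marker):])
    raise ValueError("not a CEF or LEEF event")

@dataclass(frozen=True)
class IncidentProfile:
    """An incident is raised only when every configured threshold is met."""
    name: str
    min_severity: int = 0
    min_anomaly_score: int = 0
    watched_users: frozenset = frozenset()   # empty = any user

    def matches(self, ev: Event) -> bool:
        if ev.severity < self.min_severity or (ev.anomaly_score or 0) < self.min_anomaly_score:
            return False
        return not self.watched_users or ev.user in self.watched_users

def evaluate(lines: List[str], profile: IncidentProfile) -> List[Event]:
    return [ev for ev in map(parse_line, lines) if profile.matches(ev)]

# Constructed sample events (not real Onapsis Defend output). The first line has an
# escaped "|" in the name and an escaped "=" in an extension value.
SAMPLE_LINES = [
    r"<134>Jan 12 10:15:02 sensor01 CEF:0|Example|AppSensor|1.0|1001|Privilege escalation \| role change|8|"
    r"src=10.1.2.3 suser=DDIC cs1=SAP_ALL assigned to DDIC cs1Label=detail cn1=91 cn1Label=anomalyScore msg=profile\=SAP_ALL",
    r"<134>Jan 12 10:15:09 sensor01 CEF:0|Example|AppSensor|1.0|1002|RFC call to sensitive function|4|"
    r"src=10.1.2.9 suser=BATCH cn1=35 cn1Label=anomalyScore",
    "<134>Jan 12 10:16:00 sensor01 LEEF:2.0|Example|AppSensor|1.0|1003|^|src=10.1.2.3^usrName=DDIC^sev=9^anomalyScore=97^cat=Exploit attempt",
    "<134>Jan 12 10:16:30 sensor01 LEEF:1.0|Example|AppSensor|1.0|1004|src=10.1.2.7\tusrName=AUDIT\tsev=2\tanomalyScore=12",
]
HIGH_RISK = IncidentProfile("high-risk privileged activity", min_severity=7, min_anomaly_score=80)

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_LINES, HIGH_RISK):
        print(f"INCIDENT [{HIGH_RISK.name}] {ev.fmt} {ev.event_id} sev={ev.severity} anomaly={ev.anomaly_score} user={ev.user}: {ev.name}")
```

Run as a script, the profile fires on the two high-severity, high-anomaly events and stays quiet on the batch RFC call and the audit user's low-scored activity. The design point is that the parser, not the profile, owns format knowledge: a profile only ever sees a normalised severity, anomaly score and user, so the same rule works whether the feed arrives as CEF or LEEF, and the label resolution means a vendor can move the anomaly score between cn1 and cn2 without breaking it.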
Extend DevSecOps to SAP applications with the ability to perform dynamic, static, and interactive analysis to detect more security issues earlier in the development cycle with Onapsis Control for Code. Step-by-step remediation instructions and integrations with developer tools accelerate time to vulnerability identification and remediation.
Business-critical SAP applications are top attack targets for threat actors and an increasing area of concern for enterprises. However, many organizations struggle to build successful SAP testing programs due to inadequate tools that don’t sufficiently support components, languages, and frameworks unique to SAP. Further, these tools frequently don’t integrate with SAP development and change management environments. Consequently, most organizations revert to manual security testing. However, this can’t be the practical answer, as manual reviews take too much time and are prone to human error. Consider that the average SAP application contains over 2 million lines of custom code.¹
The accelerated pace of digital transformation projects, such as SAP S/4HANA migrations and RISE with SAP, puts increased pressure on all teams involved in the application development cycle. It forces teams to attempt balancing speed and security…with security frequently tabled in order to meet abbreviated project timelines. Tight development cycles lead to the use of third-party code libraries and developers. However, with little visibility here as well, organizations are forced into doing a greater number of manual reviews (if any at all, sadly) to stop the introduction of new security issues. Preventing critical issues from getting into production systems is imperative. This is why the ability to perform multiple types of testing across the development lifecycle for your SAP custom applications is important. It is critical to test for and discover errors earlier in development when they’re easier and cheaper to fix.
Onapsis Control for Code directly addresses these challenges, providing application security testing through automated review of custom SAP code and one-click remediation for common code errors. Recognized in the Gartner Magic Quadrant for Application Security Testing three years in a row, our automated assessments, integrations with SAP development environments and change management, and step-by-step remediation instructions empower teams to rapidly identify and fix issues before they negatively impact critical production environments and business continuity.
“Onapsis helps us address security code and compliance issues and avoid costly rework and manual analysis.”
– Security Architecture Manager, Fortune 100 Chemical Company
How Onapsis Control for Code Works
Onapsis Control for Code works by scanning systems and inspecting code directly within development environments or code repositories. With a large focus on vulnerable and insecure code, Control for Code leverages extensive test cases across multiple domains based on the best practices and in-depth security analysis and research of SAP applications from the Onapsis Research Labs. Millions of lines of code can be automatically scanned in minutes, and remediation guidance is provided to keep pace with accelerated development cycles. Control for Code identifies vulnerabilities including incomplete or erroneous code, and the testing also enables continuous progress checks during code development. One-click fix functionality enables bulk code scans that identify and automate remediation for the most common code errors with a single click.
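The scanner described above rests on global (interprocedural) data and control flow analysis. The following added example, not Onapsis code and not its analysis engine, shows in miniature what that buys over a per-function view: a toy intermediate representation with sources, sanitisers, calls and branches; a taint analysis that summarises each callee once per calling context and merges both arms of a conditional; and a sample program in which a dynamic WHERE clause is escaped on only one path. The IR, the analyser and the program are all constructed for this example, and the ABAP-style names are only labels.

```python
"""Toy interprocedural taint analysis in the style of a SAST data/control flow engine.

Added example for this page, not Onapsis code or its analysis model. The intermediate
representation, the analyser and the sample program below are all constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Taint = FrozenSet[str]      # labels of the untrusted sources a value may carry
CLEAN: Taint = frozenset()

# Statement forms of the toy IR (ABAP-flavoured names are only labels):
#   ("source", dst)          dst receives user-controlled input (e.g. a screen field)
#   ("const", dst)           dst receives a literal
#   ("concat", dst, a, b)    dst = a + b, so dst carries the taint of both
#   ("escape", dst, src)     dst = sanitised copy of src (cf. cl_abap_dyn_prg=>quote)
#   ("call", dst, fn, args)  dst = fn(args)
#   ("if", then, else)       both arms are analysed and their states merged
#   ("sink", var)            var is used in dynamic SQL / dynamic program execution
#   ("return", var)

@dataclass(frozen=True)
class Finding:
    function: str
    stmt: int
    variable: str
    sources: Taint

class TaintAnalyzer:
    def __init__(self, program: Dict[str, dict], interprocedural: bool = True):
        self.program, self.interprocedural = program, interprocedural
        self.summaries: Dict[Tuple[str, Tuple[Taint, ...]], Taint] = {}  # (fn, arg taints) -> return taint
        self.findings: Set[Finding] = set()

    def call(self, fn: str, args: Tuple[Taint, ...]) -> Taint:
        """Return the callee's result taint, computed once per (callee, argument-taint) context."""
        if not self.interprocedural:          # local-only view: callee results are assumed clean
            return CLEAN
        key = (fn, args)
        if key not in self.summaries:
            self.summaries[key] = CLEAN       # provisional value breaks recursive cycles
            env = dict(zip(self.program[fn]["params"], args))
            self.summaries[key] = self.block(fn, self.program[fn]["body"], env)
        return self.summaries[key]

    def block(self, fn: str, stmts: list, env: Dict[str, Taint], path: str = "") -> Taint:
        """Walk a statement list, updating env in place; returns the taint of any returned value."""
        ret = CLEAN
        for idx, st in enumerate(stmts):
            op, label = st[0], f"{fn}:{path}{idx}"
            if op == "source":
                env[st[1]] = frozenset({label})
            elif op in ("const", "escape"):
                env[st[1]] = CLEAN
            elif op == "concat":
                env[st[1]] = env.get(st[2], CLEAN) | env.get(st[3], CLEAN)
            elif op == "call":
                env[st[1]] = self.call(st[2], tuple(env.get(a, CLEAN) for a in st[3]))
            elif op == "if":
                then_env, else_env = dict(env), dict(env)
                ret |= self.block(fn, st[1], then_env, f"{path}{idx}t.")
                ret |= self.block(fn, st[2], else_env, f"{path}{idx}e.")
                for v in then_env.keys() | else_env.keys():   # merge: tainted on any path -> tainted
                    env[v] = then_env.get(v, CLEAN) | else_env.get(v, CLEAN)
            elif op == "sink":
                if env.get(st[1], CLEAN):
                    self.findings.add(Finding(fn, idx, st[1], env[st[1]]))
            elif op == "return":
                ret |= env.get(st[1], CLEAN)
        return ret

def analyze(program: Dict[str, dict], entry_points: List[str], interprocedural: bool = True) -> List[Finding]:
    """Run the analysis from each entry point (parameters assumed clean) and sort findings by location."""
    an = TaintAnalyzer(program, interprocedural)
    for ep in entry_points:
        an.block(ep, program[ep]["body"], dict.fromkeys(program[ep]["params"], CLEAN))
    return sorted(an.findings, key=lambda f: (f.function, f.stmt))

# Constructed sample program: a dynamic WHERE clause built from screen input. report_unsafe
# escapes the input on only one branch, so the sink is reachable with raw input.
PROGRAM = {
    "read_filter": {"params": [], "body": [("source", "lv_in"), ("return", "lv_in")]},
    "build_where": {"params": ["iv_val"], "body": [
        ("const", "lv_prefix"), ("concat", "lv_where", "lv_prefix", "iv_val"), ("return", "lv_where")]},
    "report_unsafe": {"params": [], "body": [
        ("call", "lv_val", "read_filter", []),
        ("if", [("escape", "lv_val", "lv_val")], []),
        ("call", "lv_where", "build_where", ["lv_val"]),
        ("sink", "lv_where")]},
    "report_safe": {"params": [], "body": [
        ("call", "lv_val", "read_filter", []),
        ("escape", "lv_val", "lv_val"),
        ("call", "lv_where", "build_where", ["lv_val"]),
        ("sink", "lv_where")]},
}

if __name__ == "__main__":
    for f in analyze(PROGRAM, ["report_unsafe", "report_safe"]):
        print(f"{f.function} stmt {f.stmt}: tainted {f.variable} reaches a sink from {sorted(f.sources)}")
    print("local-only findings:", analyze(PROGRAM, ["report_unsafe", "report_safe"], interprocedural=False))
```

Run as a script, the whole-program pass reports one finding, the sink in report_unsafe, with provenance back to the screen read inside read_filter, while report_safe is clean because the escape happens before the value crosses into build_where. Switching to the local-only view reports nothing at all: the taint enters through one function and reaches the sink through another, and a scanner that stops at function boundaries never sees the two halves together. Per-context summaries are what keep this tractable on a real code base; build_where is analysed once with a tainted argument and once with a clean one, not once per call site.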
Licensing
Onapsis Control for Code is licensed as an annual subscription based on the number of target systems. Subscription includes access to all updates available for the respective software license, technical support, and a dedicated account manager.
Expand and enhance your Control for Code deployment with additional premium capabilities:
On Change Control: Licensed as an annual subscription based on the number of target systems, it provides a detailed security scanning and approval framework for change management that integrates with SAP CHaRM. It offers a single view of detailed security scans, approvals, and notes related to system changes in addition to enabling automatic notifications to improve workflows.
Control for Transports: Licensed as an annual subscription based on the number of target systems, it provides the ability to check development objects, system settings, application configuration, and data within SAP transports for vulnerabilities. Step-by-step remediation instructions identify flawed transport requests and help prevent costly production errors as well as reduce the risk of system downtime.
One-Click Fix Premium: Licensed as an annual subscription based on the number of target systems, it upgrades the included One-Click Fix feature to provide automated correction for up to 80% of the most common code errors for ABAP applications. Drastically reduce manual code review cycles by automatically replacing incorrect code with corrected lines of code. Run simulations prior to import to better understand the potential impact of newly written code on production systems.
The Onapsis Platform
Onapsis Control is one-third of the Onapsis Platform. The Platform provides complete attack surface management for ERP landscapes, focused on business-critical application security that directly targets interconnected risk: vulnerability management, threat monitoring, compliance automation, and application security testing.
Table 1: Onapsis Control for Code Features and Benefits
(Feature – Benefits)

Out-of-the-Box Custom Code Scans – Save time by scanning millions of lines of code in minutes for ABAP, Fiori, and HANA Native applications. Scans performed for HANA Native cover languages such as SAPUI5, SQLScript, CDS, XSJS, and Node.js. Scans performed for Fiori cover ABAP and SAPUI5. New ABAP syntax is supported, as are older objects such as SAP LSMW.
Multi-layered Scan Engine – Multiple scanners run in parallel with hundreds of automated, predefined test cases across a wide swath of use cases. Prioritize code issues based on probability and impact to accelerate your time-to-resolution.
SAST (Static Analysis) – Based on patented global data and control flow analysis.
DAST (Dynamic Analysis) – Identifies vulnerabilities that are not part of the expected result set, including incomplete or erroneous code.
IAST (Interactive Analysis) – A continuous process, custom-built to check code in SAP development environments against the analysis engine for processing in a runtime environment.
Broad Set of Predefined Test Cases Across Multiple Domains – Hundreds of test cases are available out of the box and maintained by the SAP security experts at Onapsis. Test case domains include but are not limited to security, compliance, data loss prevention, code performance, robustness, and maintainability.
Onapsis Global Data and Control Flow Analysis – Onapsis’ patented analysis capabilities deliver more accurate detection and significantly lower rates of false positives for code issues, saving valuable time and resources for application development teams.
Deep, Broad Support for SAP Integrated Development Environments (IDEs) – Use Control wherever you currently develop applications, including SAP ABAP Development Workbench, Eclipse, HANA Studio, SAP WebIDE, Visual Studio Code, and Business Application Studio.
CI/CD Tool Support for Automated Development – Develop where you want, with plugins available for CI/CD tools such as Microsoft Azure Pipelines and Jenkins. An Onapsis API is available for additional extensibility.
One-Click Fix Bulk Code Correction – Scans millions of lines of code in minutes to provide automatic corrections for the most common errors seen by Onapsis experts in SAP application development, providing significant time savings.
Quick Scan Error Check – Alerts the developer to code errors while typing, for immediate correction.
SAP Application Workflow Integrations – Seamless integration with SAP ATC (ABAP Test Cockpit), SAP CHaRM (Change Request Management), and SAP TMS (Transport Management System) for increased productivity.
Leading Third-Party Vendor Integrations – Seamless integrations with workflow management tools from Rev-Trac and Basis Technologies enable DevSecOps for SAP application development.
Premium Add-on License: Control for Transports – Enables the scanning of SAP transports for object and data vulnerabilities to identify, block, and mitigate bad transports prior to production import.
Premium Add-on License: On Change Control – Empowers teams by integrating automated workflows, gates, communication, and detailed code and transport scans into SAP CHaRM.
Premium Add-on License: One-Click Fix Premium – Automatically corrects up to 80% of the most common code development errors with a single click.
Table 2: Onapsis Control for Code Components and Description
Technology Component and Description
Details
Central System: Collects communication event data from all systems. The Cockpit is used to run scans, and Finding Manager is used to view results.
Can be a separate SAP system or part of an existing SAP system
Scanning System: The system is where the actual code scanning is performed by the Onapsis multilayered scan engine.
Supported Operating Systems:Linux: 64-bit SUSE Linux Enterprise Server 11, 12, 15; 64-bit Red Hat Enterprise Linux 5, 6, 7, 8Windows: Windows Server R2 x64: 2003, 2008, 2012, 2016
Additional Requirements: .NET Framework 4.0 and higher
SAP Systems Supported
ABAP Foundation on HANA (any version); SAP S/4HANA Foundation (any version); SAP S/4HANA 1709, 1809, 1909, 2020, 2021, 2022; SAP BW for HANA (any version); SAP NetWeaver 7.00 SP27 or higher, 7.01 SP12 or higher, 7.02 SP12 or higher, 7.31 SP05 or higher, 7.40, 7.50, 7.51, 7.52
Vulnerability management for business-critical applications such as SAP and Oracle.
Gain deep visibility into the attack surface across your entire application landscape, automated assessments with detailed solutions, and descriptions of associated risk and business impact.
Business-critical applications are the lifeblood of an organization, supporting financial, supply chain, sales, and other business processes. An attack against them has the potential for a devastating impact across the organization. Traditionally, organizations have relied on a “defense-in-depth” security model to protect these critical systems. Unfortunately, this layered approach is no longer sufficient for many reasons, including modernization and digital transformation initiatives eroding the perimeter.
However, InfoSec professionals are still responsible for evaluating their organization’s risk and overall cybersecurity posture, including vulnerability management and application security. They frequently lack visibility into their organization’s most critical business applications because the tools they traditionally rely on don’t adequately cover these systems. Security administrators are typically responsible for vulnerability management for the business. However, their tools don’t cover business-critical applications, and they often rely on cohorts within application teams for remediation.
A lack of visibility and tools aren’t the only challenges; the applications themselves are also complex. The frequency of releases, the complexity of patching processes, and the size of application landscapes mean enterprises are facing a growing backlog of patches and lack prioritization tools.
Onapsis Assess directly addresses these challenges for enterprise teams. It provides focused and comprehensive vulnerability management for business-critical applications like those from SAP and Oracle. It provides deep visibility into the entire application landscape, automated assessments with detailed solutions, and descriptions of associated risk and business impact. Onapsis Assess aligns InfoSec and IT Teams and lets them make empowered decisions on how to respond to incidents, reduce investigation and remediation times, and achieve greater risk reduction with less effort.
“Onapsis removes the mystery around SAP security by increasing visibility. We can see issues — misconfigurations, missing patches or unusual user activity — what risk they pose and how to fix them.”
– Enterprise Security Manager, Fortune 500 Utility Company
How Onapsis Assess Works
Sensors are deployed – either on-premises or in the cloud – which provide deep scanning of assets at the system, application, and code level. Assess runs scans with preset and customizable policies and modules that search assets for a comprehensive and regularly updated set of known issues, including missing patches, unsecured or incorrect configurations, and risky user authorizations/permissions. With any licensed Comply pack, Assess can run scans for compliance with IT General Controls related to various regulations and frameworks, such as Sarbanes-Oxley, GDPR, and NIST. Custom policies and modules allow alignment with organizational policies and best practices. The results are displayed in a single dashboard to prioritize risks and identify actions for mitigation. Each vulnerability identified contains an explanation of the business impact, severity, and remediation steps for resolution.
Security And Compliance
Onapsis’ highest priority is the security of our software and the confidentiality, integrity, and availability of customer information as it flows through that software. We embed the strongest possible security measures into our software development life cycle (SDLC) and into the operating system, database, web security, and logging layers of our products. Onapsis contracts with accredited, third-party auditing companies who have audited our SDLC process, and we have the following certifications: ISO 9001, ISO 20243:2018, ISO 27001:2013, SOC 1 Type 1/2, SOC 2 Type 1/2, and Veracode Verified Program. Our product design and development requirements follow the OWASP ASVS v4 framework or other industry standard guidelines.
Deployment Options
Onapsis Assess can be deployed on-premises, in your cloud environment (all major cloud providers supported), or in the Onapsis cloud environment, as SaaS. Technical components needed to support each deployment type are described in Table 2.
The Onapsis Platform
Onapsis Assess is one-third of the Onapsis Platform. The Platform provides complete attack surface management for ERP landscapes, focused on business-critical application security that directly targets interconnected risk – vulnerability management, threat monitoring, compliance automation, and application security testing.
Onapsis Professional Services
Achieve your business objectives at every stage of your journey. Onapsis’ comprehensive professional services offerings target:
Implementation: A paired delivery approach to accelerate time-to-value
Education: Knowledge for teams to successfully operate our platform
Optimization: Enable continuous improvement and alignment to business needs
Administration: Alleviate resource constraints
Onapsis Research Labs
The award-winning Onapsis Research Labs is a team of cybersecurity experts who combine in-depth knowledge and experience to deliver security insights and threat intel affecting mission-critical applications from SAP, Oracle, and SaaS providers. They have discovered over 1,000 zero-day vulnerabilities, and multiple critical global CERT alerts have been based on their novel research. Onapsis automatically updates its products with the latest threat intelligence and other security guidance from the Onapsis Research Labs. This provides customers with advanced notification on critical issues, comprehensive coverage, improved configurations and pre-patch protection ahead of scheduled vendor updates.
Licensing
Onapsis Assess is licensed as an annual subscription based on the number of target systems. Subscription includes access to all updates available for the respective software license, technical support, and a dedicated account manager. Onapsis Assess currently features two license tiers – Assess and Assess Baseline. The Assess Baseline license focuses on helping customers jumpstart their vulnerability management process quickly and easily by addressing issues aligned with the officially published SAP Security Baseline Template and supported by the insights of the Onapsis Research Labs.
Expand and enhance your Assess deployment with additional, premium capabilities:
Assess for Code: Licensed as an annual subscription based on the number of target systems, this provides access to vulnerability scanning for issues in custom code previously deployed to production. InfoSec teams gain much-needed visibility into security issues within custom code and a more complete view of the SAP application attack surface.
Comply Packs: Licensed as an annual subscription based on the number of target systems, these policy packs provide right-sized, frictionless audit packs that automatically audit ERP IT general controls against various regulatory requirements, eliminating thousands of hours of manual work. Available policies include Sarbanes-Oxley (SOX), Data Privacy (GDPR), NIST/ISO (ISO 27001, NIST 800-53, NIST 800-171), NERC CIP, and PCI.
Threat Intel Center: This subscription license grants access to a centralized repository of new and ongoing threat research, directly from the Onapsis Research Labs, within the Onapsis Platform. The Threat Intel Center provides a detailed, high-impact view of the evolving ERP threat landscape with one-click access to a comprehensive research library within the Onapsis Platform.
Table 1: Onapsis Assess Features And Benefits
Description
Benefits
Agentless Scanning
Virtual devices are deployed on premises or in the cloud to provide deep scanning of assets at system, application and code levels and analyze system vulnerabilities without sacrificing system performance.
Out-of-the-Box Vulnerability Scanning
Thousands of vulnerability checks are ready to go out of the box and are grouped into standard policies based on the target system (e.g., SAP, Oracle), allowing for full vulnerability scanning of your business-critical applications.
Custom Policy Creation*
Users can create custom policies to include the set of vulnerability checks that meets their needs.
Standard and Custom Vulnerability Checks*
Onapsis provides predefined vulnerability checks, called modules, but also enables the ability to define custom checks.
Unified Single Dashboard
Shows issue data and trends from recent scans, with graphical visualizations to provide quick insights into system issues.
Exportable Executive Reports
Summary reports demonstrate current risk standing, status over time, and mitigation efforts, allowing results of vulnerability management efforts to be more easily shared with stakeholders across the business.
Risk and Remediation Guidance
Detailed explanations of the business impact of identified problems within each system, along with an associated risk score and step-by-step remediation instructions, accelerates time to resolution.
Integrated Workflows and ITSM integration
Built-in workflow capability allows for issue assignment and acceptance either manually or via an automated workflow engine. Integration with IT Service Management tools enables automatic ticket creation for faster remediation.
Custom Reporting
Create custom reports via the Onapsis Platform API in order to share reports regarding risk posture trends and assessments.
Onapsis Security Advisor
Feature that leverages AI and 14+ years of Onapsis data and experience from security engagements to help security and IT leaders answer the question, “How are we doing with SAP security?” Acts as a personalized, trusted “security advisor” to help you establish better security goals, guide your ERP security journey, and track progress in comparison to baselines and other companies and industries at different stages.
Onapsis Research Labs Threat Intelligence
Vulnerability checks are regularly updated and added based on the latest investigation results from the Onapsis Research Labs.
Premium Add-on License: Assess for Code
Extends vulnerability scanning to custom code deployed to production. This gives security teams a more complete view of their SAP application attack surface.
Premium Add-on License: Onapsis Comply packs*
Adds right-sized, frictionless SAP audit packs to the Assess scanning engine.
Premium Add-on License: Threat Intel Center*
Delivers a regularly-updated and curated library of new and ongoing threat research, directly from the Onapsis Research Labs. The Threat Intel Center provides one-click access to comprehensive research designed for both the education of cybersecurity team members and providing organization-specific business impact for cybersecurity leaders.
Table 2: Onapsis Assess for Code Components and Description
Technology Component and Description
Details
Business Critical Systems Supported
All SAP applications that run: SAP NetWeaver – ABAP; SAP NetWeaver – JAVA; SAP HANA Database; SAP SuccessFactors; SAP Business Objects (BOBJ); Oracle E-Business Suite (EBS)
Console for Onapsis Platform: Onapsis Virtual Appliance provides the management and reporting interface for the Onapsis Platform and control for all sensors. Can be deployed on premises or in the cloud.
Sensors for Onapsis Platform: Onapsis Virtual Appliances, virtual “headless” devices that perform workloads to find and analyze system vulnerabilities. Each installation requires at least one sensor. The number of sensors needed is based on landscape size, complexity, and network segmentation. The sensor receives updates from the console. Can be deployed on premises or in the cloud.
Virtualization Technology: The console and sensor(s) are delivered in a pre-built virtual appliance in Open Virtualization Appliance (OVA) format. The OVA is self-contained and includes a Linux-based OS and the Onapsis solution.
Supported virtualization platforms: VMware, KVM, Microsoft Hyper-V. Supported cloud platforms: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)
Onapsis SaaS Connector: Required for SaaS deployments; allows the Onapsis Platform to interact with your systems.
Organizations are facing increasing pressure to optimize business-critical SAP applications by balancing strategic transformation initiatives, application performance, regulatory compliance and cybersecurity requirements. The Onapsis Platform automates testing, change, audit and security processes so cross-functional teams can focus on improving SAP availability and performance, accelerating cloud migrations and S/4HANA implementations, streamlining audit processes and hardening security on-premises and in the cloud.
Automated Governance: Ensure IT controls are continually tested and validated to meet compliance requirements and enforce policies to reduce audit burdens and maintain continuous compliance.
Continuous Monitoring: Control and mitigate operational risks associated with routine code, application and system maintenance, transports, patching and modernization initiatives.
Change Assurance: Reduce the operational risk associated with ERP maintenance and modernization, ensuring the reliability and performance of business-critical applications.
Automate the Audit: Establish an automated and repeatable compliance reporting and audit process, providing efficiencies and freeing up valuable resources.
Actionable Insights: Discover, assess and remediate application-layer vulnerabilities, system-level misconfigurations, custom code issues and bad transports to ensure ERP systems are protected and available.
Continuous Monitoring: Receive real-time visibility and threat alerts to respond quickly to unauthorized changes, misuse, or cyberattacks targeting SAP systems and business-critical applications.
Secure the Core: Secure the core of your business by providing code, application and ERP system-level visibility and protection against internal and external attacks.
Cloud with Confidence: Accelerate cloud migration and digital transformation by ensuring your ERP applications are secure and ready for the cloud.
ASSESS Provides actionable insight to quickly discover your SAP footprint, assess and eliminate application vulnerabilities, prioritize remediation and improve SAP code and transport quality.
Evaluation: Understand the SAP footprint with system and interface analysis to generate asset inventories and topology. Assess configurations and code to identify risk
Remediation: Streamline and accelerate remediation of system and code vulnerabilities and misconfigurations with ticketing system integration
Prioritization: Proactively identify misconfigurations and vulnerabilities to measure business impact to help prioritize fixing and patching ERP systems to reduce risk
CONTROL Eliminates operational risks associated with SAP maintenance and modernization by proactively improving and hardening code, assessing transports and enforcing configuration policies.
Strength: Continually assess code, transports and configurations to maintain a desired state through regular changes, upgrades and optimization
Integrity: Enforce approval of code, transports and system configurations to ensure stability, security and robustness of SAP
Prevention: Automatically block poor code, transport errors and critical configuration changes to adhere to corporate policies
COMPLY Enables automated governance with compliance policy enforcement and reporting capabilities to significantly reduce the burden of proving compliance.
Define: Simplify audit processes to record, log and audit activity for regulatory compliance reporting such as SOX, GDPR and others
Test: Automate continuous compliance assessments of SAP systems to proactively measure risk, understand compliance impact and stay ahead of the audit cycle
Report: Get started with 14 out-of-the-box compliance policies and customize policies to meet specific IT controls and compliance requirements
DEFEND Delivers continuous monitoring for complete, real-time visibility into SAP systems so you can quickly respond to internal and external threats.
Detection: Continuous monitoring and visibility of threats against SAP systems to detect cyberattacks and privilege misuse
Response: Accelerate risk mitigation and remediation with automated alarm notifications and SIEM integration
Alerting: Immediate identification and notification of unauthorized use, improper transactions and contextual attacks based on likelihood of success
SAP Applications
The Onapsis Platform delivers a near real-time preventive, detective and corrective approach for securing SAP systems, whether deployed on-premises, or in a private, public or hybrid cloud environment. The Onapsis Platform provides unmatched coverage and protection across SAP NetWeaver®, ABAP®, J2EE, SAP HANA® and S/4HANA® platforms. The platform integrates with network security, GRC solutions, SIEM solutions and workflows as well as leading cloud providers.
Powered by Onapsis Research Labs
Onapsis Research Labs is the world’s leading team of security experts who combine their deep knowledge of critical ERP applications and decades of threat research experience to deliver impactful security insights and threat intelligence focused on the business-critical applications from SAP, Oracle, and SaaS providers. Onapsis Research Labs is, far and away, the most prolific and most celebrated contributor of vulnerability research by the SAP Product Security Response Team.
The Chief Information Officer (CIO) holds responsibility for all IT decisions affecting the company, a task that has increased in complexity in recent years. This e-book reviews five challenges CIOs face when dealing with SAP security, including recommendations for overcoming these challenges.