Canadian Media Corporation Builds Code Analysis and Compliance Checks Into Development Process, Accelerates Application Delivery and Passes PCI DSS Audit

Industry – Media Production
Company Size – 1000+ employees

Background

One of Canada’s largest media organizations has evolved into a full-service multimedia publisher across four major platforms: print, online, mobile and video. Handling high volumes of credit card transactions and credit card data is daily business; therefore PCI DSS compliance is a must for the organization.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that store, process or transmit cardholder data. First released in 2004 and backed by the five major card brands (Visa, Mastercard, American Express, Discover and JCB), the standard’s primary goal is to protect cardholder data and to reduce data theft and payment card fraud.

Failure to comply with the standard can result in substantial penalties, transaction restrictions or even loss of the ability to accept cards. The card brands, for example, can levy fines of up to $500,000 per incident for security breaches at non-compliant organizations. (The PCI Security Standards Council publishes the standard; enforcement and fines come from the card brands, assessed on the acquiring bank and passed on to the merchant.)

One of the major PCI DSS requirements (Requirement 6) is to develop and maintain secure systems and applications. After an initial assessment, the media corporation decided to consolidate all cardholder data into its SAP systems and encrypt it there. A lot of work went into moving credit card data from a multitude of less secure databases and files into SAP. Now that SAP was storing cardholder data, the SAP systems themselves were in scope and needed to meet PCI DSS requirements.

The organization has used SAP solutions since 2002. To adapt them to the specific requirements of the North American market, it had to put a lot of custom ABAP development into its SAP systems, with most of the major developments done by external companies.

Challenge

Improve custom ABAP code to meet PCI DSS requirements and pass external audit on SAP systems

Solution

Onapsis scans all custom ABAP code for vulnerabilities and misconfigurations against PCI DSS requirements, so developers know exactly what to fix. The media corporation can produce reports from Onapsis and share them with external auditors to prove its code meets compliance. The time and resources needed to make the code compliant and to prove that compliance have been significantly reduced, allowing internal teams to focus on development and accelerate application delivery.

  1. Fast, reliable and automated identification of code issues
  2. Tight integration into SAP change management processes
  3. Accelerated application delivery
  4. Easily produced documentation for third-party audits
  5. PCI DSS compliance ensured at the code level

Solution

With Onapsis code analysis, the organization was able to scan their ABAP code to see if it complied with PCI DSS. Onapsis testing is comprehensive and tightly integrated with SAP and can be customized to test code specifically against PCI DSS requirements. This way developers know exactly what to fix. 

Using Onapsis also enabled the media corporation to easily produce reports and documentation that they could share with external auditors regarding the current state of their code, which significantly reduced the time and resources needed for the audit process. After a couple rounds of testing and fixing, the organization was able to use these reports to prove to auditors that their ABAP code was compliant with PCI DSS. By building Onapsis code analysis into their development process, they can now ensure these compliance baselines are implemented from the start and all new code will be compliant.

Results

  • Ensure PCI DSS compliance at code level
  • Fast, reliable and automated identification of security and compliance risks in SAP’s ABAP custom code
  • Tight integration into SAP change and transport management processes with enforced ABAP code auditing (“ABAP Code Firewall”)
  • Easily produce documentation for third party audits, freeing up development resources to focus on core competencies instead of audit preparation
  • Accelerate application delivery by building compliance checks early in the development process and providing actionable remediation guidance

Fortune 250 Biotech Case Study

Industry – Biotechnology
Company Size – 20k+ employees, >$20B revenue

Fortune 250 Biotech Challenge

No visibility into vulnerabilities or suspicious activities that put critical supply chain and manufacturing applications – and patient safety – at risk

One of the world’s leading independent biotechnology companies depends on SAP for their supply chain, manufacturing, international trade, and other business-critical operations. Knowing that a “threat to SAP is a threat to the patients that rely on their products,” they knew they needed to harden their applications against internal and external threats. But, their already under-resourced teams didn’t know where to start. With a growing backlog of patches and no easy way to prioritize them, the organization tried to leverage their existing vulnerability management technology, but realized it didn’t sufficiently support SAP.

The team also wanted to bring SAP events into their SIEM so they could be incorporated into their incident response processes, but they lacked the threat intelligence and monitoring technology to do so. Unhappy with the SAP gaps in their existing security solutions, processes, and internal knowledge, they sought a third party technology that would give them the visibility and context they needed to help them better understand and manage their SAP attack surface.

“A threat to our SAP applications is a threat to the patients that rely on our products. With Onapsis we can be proactive with our SAP security and keep our critical applications – and patients – safe. Their vulnerability assessments allow us to understand and act on the risk within our landscape, while their continuous threat monitoring ensures we have pre-patch protection and compensating controls in place until we can apply the appropriate patch or fix.”

Global Lead of SAP Operations, F250 Biotechnology Company

Fortune 250 Biotech Solution

Onapsis automated vulnerability scans provide actionable visibility into risk within critical SAP applications, while its powerful threat monitoring acts as an early warning system for potential cyberattacks

The biotech company found their ideal solution with Onapsis, whose security technologies are designed specifically for ERP systems like SAP. The automated scans, research-backed results, and remediation guidance provided by Onapsis Assess offset the organization’s lack of internal SAP security expertise and enabled them to finally build a strong vulnerability management program for SAP. Now they can quickly understand the true risk to their critical applications, with the context they need to prioritize and act on it.

With Onapsis Defend, the organization has enabled continuous threat monitoring for SAP, leveraging over 2,000 detection rules, anomaly scoring, and mitigation guidance from the Onapsis Research Labs. Defend acts as an early warning system, alerting the biotech company to unauthorized changes, misuse, or cyberattacks targeting their SAP applications. With Defend, the company has also gained compensating controls and pre-patch protection: the proactive threat intelligence that powers Defend allows them to monitor for exploit activity against vulnerabilities for which no patch has been released yet (zero-days) and against known vulnerabilities whose patches have not yet been applied. Given the growing backlog of patches and lengthy patching processes, having detection in place before fixes can be applied has been a key benefit.

“With Onapsis, we can now quickly identify and act on risk to our critical SAP systems. Integrating with our existing IBM QRadar solution has further accelerated our response times and given our SOC teams much-needed visibility into threats affecting our critical applications.”

Global Lead of SAP Operations, F250 Biotechnology Company

Results

Using Onapsis Assess and Defend, the biotechnology company has experienced:

  • 83% Reduction in Mean Time to Remediation (MTTR)
  • 96% Reduction in remediation time for emergencies
  • 75% Improved incident response times

75% improved incident response times and 83% reduction in remediation time thanks to Onapsis automation and intelligence

With Onapsis Assess, the organization is able to automate their vulnerability checks and measure the security risk of each finding so they can prioritize fixes. Step-by-step technical solutions and an integration with ServiceNow ensure that the SAP teams handling resolution receive timely assignments and the instructions they need to mitigate each vulnerability effectively. This has helped them reduce their remediation time from more than six months to less than one (less than a week for emergencies). Integrating Onapsis Defend with their existing IBM QRadar instance means their SOC teams receive immediate notifications of suspicious or malicious activity targeting their SAP applications, including insight into root cause and remediation recommendations. Bringing SAP security events into existing incident response workflows, together with the context included in each alert, has significantly reduced forensic investigation time and resulted in a 75% improvement in incident response times.

Large utility company builds SAP vulnerability management program, reduces remediation time by 80%

Industry – Utilities, Gas and Electric
Company Size – 2k+ employees, >$2B revenue

Challenge

Unaddressed risk in critical SAP applications due to complex patching process and no visibility into other vulnerabilities

A large American utility company relies on SAP applications for many of their business-critical processes. Despite their critical nature, however, the company lacked visibility into the security posture of these applications: what vulnerabilities existed and what risk they posed to the business. Their patching process was complicated and time-consuming, and their existing vulnerability management tools didn’t sufficiently support SAP. The organization realized they had unaddressed risk within their critical systems, but they had no way to measure, understand, and act on it. With a major SAP S/4HANA migration project planned, they knew they needed a solution that could address this risk in the short term and be used throughout the transformation.

“Onapsis removes the mystery around SAP security by increasing visibility. We can see issues — misconfigurations, missing patches or overly privileged users — what risk they pose and how to fix them.”

Enterprise Security Manager, Utility Company

Solution

Onapsis time-saving vulnerability scans provide deep visibility, detailed solutions, and business impact to identify risk and accelerate response

The utility company found their ideal solution with Onapsis Assess, which uniquely provides focused and comprehensive vulnerability management designed for SAP applications. Automated assessments, detailed solutions, and descriptions of business impact enable the organization to easily identify the true risk to their critical application landscape and understand how to respond. Onapsis Assess also significantly improved their patching processes, eliminating much of the manual work that was previously required. The included context from the Onapsis Research Labs helps them quickly determine which SAP Security Notes to prioritize, the best way to implement, and if they are missing any critical patches.

“With Onapsis, we were able to establish and maintain SAP security baselines and can now build them into transformation projects from the start. Onapsis enables us to keep SAP secure without impacting system performance or interfering with Basis teams.”

Enterprise Security Manager, Utility Company

Results

60% less time spent investigating issues and 80% reduction in mean time to remediate (MTTR) thanks to research-driven analysis provided by Onapsis

  • 80% Reduction in Mean Time to Remediation (MTTR)
  • 90% Less time spent on patching
  • 60% Reduction in investigation time

The deep visibility and research-driven results provided by Onapsis Assess give the utility company an accurate understanding of risk within their critical systems and the context they need to act on it quickly. The detailed explanations and business impact provided by Onapsis mean the company’s security teams don’t have to be SAP experts themselves; they can make informed decisions on how to respond without spending a lot of time investigating each issue. Integrating Onapsis Assess with their ServiceNow instance further facilitates remediation by aligning the security teams using Onapsis with the Basis teams responsible for fixing the issues. Leveraging this workflow and arming the Basis teams with Onapsis-provided step-by-step fixes has helped reduce the company’s mean time to remediate (MTTR) by 80%.

The utility company has also leveraged the customizability of Onapsis Assess to establish their own security baseline. By creating a custom scan catered to their business priorities and risk profile, they can regularly assess against it to ensure their systems continue to meet their security standards. They will use this baseline throughout their upcoming SAP S/4HANA migration to ensure their new systems are being configured securely.

Multinational Food Manufacturing Company Case Study

Industry – Food Production
Company Size – 160k+ employees, >$115B revenue

Challenge

As one of the world’s largest food production and shipping companies, with operations in agriculture, animal nutrition and protein, food, and financial and industrial services, this 150-year-old multinational organization with locations in 70 countries operates at a scale and reach unlike many others. This operational footprint presents significant challenges and opportunities from an SAP perspective. They have 400 SAP applications spanning 40 products and 25,000 users, and undertake nearly 400 active projects per month. Given this magnitude and the critical nature of these systems, the organization needed a solution that would help them identify, understand and mitigate security risks across their entire landscape. With security baselines established, they needed a way to measure and operationalize them across new and existing application use cases, including new business ventures, partnerships and growth projects, from the start.

As well as SAP security and meeting internal baselines, the organization needed support in terms of regulatory compliance, responding to and demonstrating adherence with legislation such as GDPR and CCPA. Maintaining both their security and compliance posture, despite the significant volume of change involved with managing an SAP system of this scale, was essential for achieving their ultimate goal of cyber resiliency for their business-critical applications.

  1. Understand business risk due to system vulnerabilities
  2. Streamline the SAP patching process
  3. Prevent unauthorized changes and misuse, supporting application stability
  4. Integrate directly with the SIEM to monitor for SAP threats
  5. Ensure compliance with internal and industry policies

“Most security professionals can’t spell SAP, yet 77% of global GDP passes through SAP systems. This establishes them as critical systems, but the lack of knowledge around the systems means they are often overlooked. The further up the stack you go, the more specialized this knowledge becomes. There are very few SAP security specialists that look at specific applications and how they pose a threat. This is what makes Onapsis such a valuable partner for us.”

Solution

Onapsis’s pedigree in both security and compliance for SAP positioned them as the right solution for the food production company. The success comes from a relationship based on partnership, instead of one between customer and provider, with each side understanding the role it plays. Onapsis provides the actionable insight and continuous monitoring the organization needs to understand security and compliance risk within their SAP environments, but it is ultimately up to the organization to prioritize and respond to these risks given their risk posture and tolerance. Likewise, if the organization needs additional information or support, Onapsis provides the expertise they need to act and protect their applications. By partnering with Onapsis, the organization keeps its global SAP landscape stable, protected and compliant with security baselines. They are able to:

  • Gain visibility to make informed decisions about levels of acceptable residual risk 
  • Discover and understand business risk due to system vulnerabilities, missing patches and misconfigurations, which helps to frame conversations around risk with internal business partners 
  • Simplify compliance and demonstrate they are in line with internal security baselines and industry regulations 
  • Streamline the patching process and understand how to prioritize missing SAP notes 
  • Continuously monitor their system health, which helps to maintain application availability and stability, and identify and prevent unauthorized changes, misuse or cyberattacks 
  • Integrate directly with their SIEM, with custom alarms to inform the SOC of potential exploits or threats to SAP systems and applications
  • In the future, manage change via code and transport analysis to accelerate development, avoid downtime or errors and minimize manual reviews

SAPinsider S/4HANA in the Cloud

In Q4 2019, SAPinsider surveyed 182 members of their audience from 112 customer companies to understand their current ERP landscape, whether that landscape involves SAP S/4HANA and if they have plans to use a hyperscale environment. Download the survey report to see the results, including what percentage are moving to cloud environments, outcomes organizations have experienced and the actions they can take to ensure a successful ERP cloud strategy going forward, with a focus on SAP S/4HANA deployments in the cloud.

Automobile Manufacturer increases visibility to proactively manage business risks

Industry – Automobile Manufacturer
Company Size – Top 25 of the Fortune 500

Challenge

Expand a comprehensive cybersecurity program to include business-critical application optimization and security to strengthen resiliency of SAP systems.

Solution

The Onapsis Platform assesses SAP for vulnerabilities and misconfigurations to understand potential business impact, define remediation strategies and set baselines. With Onapsis, the company was able to build security into projects from the start, continually monitor their entire landscape and prevent configuration drift, ensuring their business-critical applications stay secure and online.

The automobile manufacturer is a longtime SAP partner and relies on the business-application software provider’s solutions for its global finance and purchasing processes, customer care and after-sales applications. The company is widely considered an early adopter of cybersecurity solutions and recognized as an innovator among fellow Fortune 500 companies and manufacturing organizations. In 2015, the company expanded its comprehensive cybersecurity program to include business-critical application optimization and security technologies, with the goal of further strengthening the resiliency of core business applications including SAP.

The first step for the company’s cybersecurity team was to audit and inventory its SAP applications within the network to ensure the highest possible level of visibility and monitoring in support of stringent SLAs with application owners. The second objective was to develop a continuous SAP application security management process that would accelerate and prioritize risk management and drive shared, intelligence-driven remediation processes among its SAP and application owners.

To accelerate its SAP cybersecurity objectives, the automobile manufacturer partnered with Onapsis to augment and multiply the value of application management and GRC tooling provided by SAP and other vulnerability management solutions. 

It implemented the SAP-certified Onapsis Platform, which combines a preventative, behavioral-based and context aware approach for detecting, identifying and mitigating risks to business operations, compliance with regulatory mandates and overall cybersecurity posture. 

  • Scanned and remediated vulnerabilities quickly
  • Reduced effort and time spent on QA
  • Ensured all applications meet security and compliance requirements

“The main goal of our partnership with Onapsis was to automate SAP application monitoring and vulnerability management in a way that would allow our cross-functional teams to build, deploy and manage better, more resilient SAP applications faster at a lower cost,” said the Director, SAP Center of Excellence at the company. “We knew The Onapsis Platform would enable the SAP security team to show the application teams and business owners where configuration and code imprecisions were inhibiting optimal application performance, while also prioritizing vulnerabilities and SAP Security Notes. We knew this would also provide us the compensating controls necessary to exceed baseline Sarbanes-Oxley (SOX) compliance standards.”

Results

The Onapsis Platform for SAP provided immediate value for the automobile manufacturer. 


“Before Onapsis, we had baseline operational and security controls for our SAP applications,” said Director, SAP Center of Excellence at the manufacturer. “Now after implementing The Onapsis Platform, we have an enhanced level of visibility that allows us to proactively manage potential risks to the stability, integrity and performance of the applications we rely on to run our core business operations. It is truly a case where cybersecurity has enhanced the resiliency and stability of our business operations.” 

“Onapsis is a true partner to us,” continued the Director. “We count on the Onapsis Research Labs to alert us to the latest critical vulnerabilities and rely on The Onapsis Platform to automate SAP risk management practices. Our teams now communicate more effectively and Onapsis has become an integral part of our overall cybersecurity strategy.”

Global advertising company saves time and money migrating to SAP HANA with Onapsis

Industry – Advertising 
Company Size – 54k+ employees, >$9B revenue

Background

Like many large companies, this multinational advertising company relies on SAP as a key component of its business. Their SAP implementation processes $6.0 billion a year, has 30,000+ users across 20 countries and is used for almost every function, including finance, operations, reporting and analytics.

Challenge

Migrate SAP ECC to HANA while ensuring security and compliance.

Solution

The Onapsis Platform enabled the firm to complete migration one year ahead of schedule due to stable, tested applications, while strengthening security and compliance.

As a company that appeals to marketing and advertising professionals, this company wanted to be ahead of the curve, so they launched a business digital transformation project with a goal of creating shared service centers on a global instance of SAP HANA. 

The champion for this project was the Vice President of Global SAP who is responsible for the uptime, performance and security of the key data and processes that are part of the SAP implementation. He was faced with the problem of moving critical data into SAP HANA and not being able to address key SAP security risks with the generic security products that the organization currently used, as none of these looked at SAP specifically. 

In 2017, the vice president turned to Onapsis to address this challenge after researching organizations that are experts in business-critical application security. With The Onapsis Platform the company was able to migrate and upgrade applications in a phased approach, ensuring each phase was secure and stable before moving on to the next. This saved them significant resource time and budget as the program was able to move forward quickly after each new application or environment was tested and proven stable by Onapsis.

  • Scanned and remediated vulnerabilities quickly
  • Improved developer skills
  • Accelerated development
  • Ensured all code meets security and compliance requirements

“We could have waited to implement security after the migration, but it would have been too expensive. We were better off doing it as part of our ‘build’. As a result of our investment in the Onapsis Platform, we were able to decrease the project timeline and significantly reduce our estimated budget. A project that was originally scoped to be completed in 2020 finished a year early.”

VICE PRESIDENT OF GLOBAL SAP, MULTI-NATIONAL ADVERTISING FIRM

Results

Additionally, many SAP BASIS and security teams face an overwhelming amount of security notes from SAP, making it difficult to prioritize and configure their landscapes to ensure security. SAP BASIS and security professionals are challenged with the balance of system uptime and security and could not address this with built-in tools available from SAP. With Onapsis, both teams were able to understand each of their organization’s missing security notes as well as the business impact, helping them prioritize implementation. 

As a result of working with Onapsis, the firm was able to see immediate success with the product and significant cost savings in their transformation project. If companies are not addressing SAP security they are running a big risk to their business, especially when considering the sizeable investment they’ve already made in SAP.

Onapsis Platform for SAP

Organizations are facing increasing pressure to optimize business-critical SAP applications by balancing strategic transformation initiatives, application performance, regulatory compliance and cybersecurity requirements. The Onapsis Platform automates testing, change, audit and security processes so cross-functional teams can focus on improving SAP availability and performance, accelerating cloud migrations and S/4HANA implementations, streamlining audit processes and hardening security on-premises and in the cloud.

  • Automated Governance
    Ensure IT controls are continually tested and validated to meet compliance requirements and enforce policies to reduce audit burdens and maintain continuous compliance.
  • Continuous Monitoring
    Control and mitigate operational risks associated with routine code, application and system maintenance, transports, patching and modernization initiatives.
  • Change Assurance
    Reduce the operational risk associated with ERP maintenance and modernization, ensuring the reliability and performance of business-critical applications.
  • Automate the Audit
    Establish an automated and repeatable compliance reporting and audit process providing efficiencies and freeing up valuable resources.
  • Actionable Insights
    Discover, assess and remediate application-layer vulnerabilities, system-level misconfigurations, custom code issues and bad transports to ensure ERP systems are protected and available.
  • Continuous Monitoring
    Receive real-time visibility and threat alerts to respond quickly to unauthorized changes, misuse, or cyberattacks targeting SAP systems and business-critical applications.
  • Secure the Core
    Secure the core of your business by providing code, application and ERP system-level visibility and protection against internal and external attacks.
  • Cloud with Confidence
    Accelerate cloud migration and digital transformation by ensuring your ERP applications are secure and ready for the cloud.


ASSESS

Provides actionable insight to quickly discover your SAP footprint, assess and eliminate application vulnerabilities, prioritize remediation and improve SAP code and transport quality.

Evaluation: Understand the SAP footprint with system and interface analysis to generate asset inventories and topology—Assess configurations and code to identify risk

Remediation: Streamline and accelerate remediation of system and code vulnerabilities and misconfigurations with ticketing system integration

Prioritization: Proactively identify misconfigurations and vulnerabilities to measure business impact to help prioritize fixing and patching ERP systems to reduce risk

CONTROL
Reduces the operational risks associated with SAP maintenance and modernization by proactively improving and hardening code, assessing transports and enforcing configuration policies.

Strength: Continually assess code, transports and configurations to maintain a desired state through regular changes, upgrades and optimization

Integrity: Enforce approval of code, transports and system configurations to ensure stability, security and robustness of SAP

Prevention: Automatically block poor code, transport errors and critical configuration changes that violate corporate policies

COMPLY
Enables automated governance with compliance policy enforcement and reporting capabilities to significantly reduce the burden of proving compliance.

Define: Simplify audit processes to record, log and audit activity for regulatory compliance reporting such as SOX, GDPR and others

Test: Automate continuous compliance assessments of SAP systems to proactively measure risk, understand compliance impact and stay ahead of the audit cycle

Report: Get started with 14 out-of-the-box compliance policies and customize policies to meet specific IT controls and compliance requirements

DEFEND
Delivers continuous monitoring for complete, real-time visibility into SAP systems so you can quickly respond to internal and external threats.

Detection: Continuous monitoring and visibility of threats against SAP systems to detect cyberattacks and privilege misuse

Response: Accelerate risk mitigation and remediation with automated alarm notifications and SIEM integration

Alerting: Immediate identification and notification of unauthorized use, improper transactions and attacks, with alerts ranked in context by their likelihood of success

SAP Applications

The Onapsis Platform delivers a near real-time preventive, detective and corrective approach for securing SAP systems, whether deployed on-premises, or in a private, public or hybrid cloud environment. The Onapsis Platform provides unmatched coverage and protection across SAP NetWeaver®, ABAP®, J2EE, SAP HANA® and S/4HANA® platforms. The platform integrates with network security, GRC solutions, SIEM solutions and workflows as well as leading cloud providers.