Industry – Large enterprise, E-Commerce Marketplace
Company Size – 40k+ employees >$13B revenue
Challenge
MercadoLibre’s top executive management had always had a highly proactive approach to protecting their sensitive information from cyberattacks. In light of the increased threats to SAP® environments, Diego Cabrera Canay, Director of Financial Planning, Analysis & Control at Mercadolibre, was faced with the challenge of securing the Company’s business-critical SAP platform.
Diego evaluated the situation together with two colleagues: Jorge O’Higgins, Sr. Manager Information Security, and Sebastian Monaco, Sr. SAP security analyst. “We realized we needed to know where we were standing regarding SAP application security risks, beyond user access controls,” explained Sebastian.
They soon came to the conclusion that they needed to define a process to manage the implementation of SAP Security Notes and protect their systems against known vulnerabilities. “SAP Security Notes are applied by our BASIS teams. However, we did not have the capabilities to understand which ones we were missing and the ones we needed to implement quickly,” mentioned Diego. “We could also not easily verify if they had actually been implemented.”
“While we had processes and products in place to assess the security of our Web applications, operating systems, and databases, none of them could help us review our SAP applications in depth. Onapsis filled this gap perfectly.”
Solution
MercadoLibre selected Onapsis, the first and only SAP-certified solution for automated application security assessments of SAP platforms. “Onapsis was the only product in the market that could provide us with these capabilities,” highlighted Jorge.
Onapsis empowers Compliance, Information Security and SAP professionals to go beyond Segregation of Duties controls. The product closely inspects the SAP application layer (NetWeaver/BASIS) for vulnerabilities and unsafe configurations of technical parameters, missing SAP security patches, insecure interfaces between SAP components and users with risky technical authorizations (for both ABAP and Java-based SAP systems.) The product, which provides continuous monitoring capabilities, eliminates the SAP security gap many organizations suffer from by reporting precisely about existing threats affecting their SAP platform and providing actionable remediation information.
“As a publicly-traded company, we have to be SOX compliant. We knew we needed to stay current regarding modern requirements affecting our SAP environment, and Onapsis was the only product that was able to help us to detect and mitigate gaps in the SAP application security layer.”
Results
As a publicly-traded company, we have to be SOX compliant. We knew we needed to stay current regarding modern requirements affecting our SAP environment, and Onapsis was the only product that was able to help us to detect and mitigate gaps in the SAP application security layer. Onapsis helped us to streamline the process of implementing SAP Security Notes. We can now automatically identify which ones really affect our platform in a prioritized way, also helping us verify their correct implementation.
Before Onapsis MercadoLibre was only prepared to perform ad-hoc reviews in the case of incidents. Today, its security posture is much more robust: “We have a proactive and efficient solution to run our SAP systems securely, minimizing the probability of successful attacks to our business-critical systems,” commented Diego.
