Industry – Advertising Company Size – 54k+ employees, >$9B revenue
Background
Like many large companies, this multi-national global advertising company relies on SAP as a key component of its business. Their SAP implementation processes $6.0 billion dollars a year, has 30,000+ users across 20 countries and is used for almost every function including finance, operations, reporting and analytics.
Challenge
Migrate SAP ECC to HANA while ensuring security and compliance.
Solution
The Onapsis Platform enabled the firm to complete migration one year ahead of schedule due to stable, tested applications, while strengthening security and compliance.
As a company that appeals to marketing and advertising professionals, this company wanted to be ahead of the curve, so they launched a business digital transformation project with a goal of creating shared service centers on a global instance of SAP HANA.
The champion for this project was the Vice President of Global SAP who is responsible for the uptime, performance and security of the key data and processes that are part of the SAP implementation. He was faced with the problem of moving critical data into SAP HANA and not being able to address key SAP security risks with the generic security products that the organization currently used, as none of these looked at SAP specifically.
In 2017, the vice president turned to Onapsis to address this challenge after researching organizations that are experts in business-critical application security. With The Onapsis Platform the company was able to migrate and upgrade applications in a phased approach, ensuring each phase was secure and stable before moving on to the next. This saved them significant resource time and budget as the program was able to move forward quickly after each new application or environment was tested and proven stable by Onapsis.
Scanned and remediated vulnerabilities quickly
Improved developer skills
Accelerated development
Ensured all code meets security and compliance requirements
“We could have waited to implement security after the migration, but it would have been too expensive. We were better off doing it as part of our ‘build’. As a result of our investment in the Onapsis Platform, we were able to decrease the project timeline and significantly reduce our estimated budget. A project that was originally scoped to be completed in 2020 finished a year early.
VICE PRESIDENT OF GLOBAL SAP, MULTI-NATIONAL ADVERTISING FIRM
Results
Additionally, many SAP BASIS and security teams face an overwhelming amount of security notes from SAP, making it difficult to prioritize and configure their landscapes to ensure security. SAP BASIS and security professionals are challenged with the balance of system uptime and security and could not address this with built-in tools available from SAP. With Onapsis, both teams were able to understand each of their organization’s missing security notes as well as the business impact, helping them prioritize implementation.
As a result of working with Onapsis, the firm was able to see immediate success with the product and significant cost savings in their transformation project. If companies are not addressing SAP security they are running a big risk to their business, especially when considering the sizeable investment they’ve already made in SAP.
Vulnerability management for business-critical applications such as SAP and Oracle.
Gain deep visibility into the attack surface across your entire application landscape, automated assessments with detailed solutions, and descriptions of associated risk and business impact.
Business-critical applications are the lifeblood of an organization, supporting financial, supply chain, sales, and other business processes. An attack against them has the potential for a devastating impact across the organization. Traditionally, organizations have relied on a “defense-in-depth” security model to protect these critical systems. Unfortunately, this layered approach is no longer sufficient for many reasons, including modernization and digital transformation initiatives eroding the perimeter.
However, InfoSec professionals are still responsible for evaluating their organization’s risk and overall cybersecurity posture, including vulnerability management and application security. They frequently lack visibility into their organization’s most critical business applications because the tools they traditionally rely on don’t adequately cover these systems. Security administrators are typically responsible for vulnerability management for the business. However, their tools don’t cover business critical applications and they often rely on cohorts within application teams for remediation.
A lack of visibility and tools aren’t the only challenge; the applications themselves are also complex. The frequency of releases, the complexity of patching processes, and size of application landscapes mean enterprises are facing a growing backlog of patches and lack prioritization tools.
Onapsis Assess directly addresses these challenges for enterprise teams. It provides focused and comprehensive vulnerability management for business-critical applications like those from SAP and Oracle. It provides deep visibility into the entire application landscape, automated assessments with detailed solutions, and descriptions of associated risk and business impact. Onapsis Assess aligns InfoSec and IT Teams and lets them make empowered decisions on how to respond to incidents, reduce investigation and remediation times, and achieve greater risk reduction with less effort.
“Onapsis removes the mystery around SAP security by increasing visibility. We can see issues — misconfigurations, missing patches or unusual user activity — what risk they pose and how to fix them.”
– Enterprise Security Manager, Fortune 500 Utility Company
How Onapsis Assess Works
Sensors are deployed – either on-premises or in the cloud – which provide deep scanning of assets at the system, application, and code level. Assess runs scans with preset and customizable policies and modules which search assets for a comprehensive and regularly updated set of known issues, including missing patches, unsecured or incorrect configurations, and risky user authorizations/ permissions. With any licensed Comply pack, Assess can run scans for compliance with IT General Controls related to various regulations and frameworks, such as Sarbanes-Oxley, GDPR, and NIST. Custom policies and modules allow alignment with organizational policies and best practices. The results are displayed in a single dashboard to prioritize risks and identify action for mitigation. Each vulnerability identified contains an explanation of the business impact, severity, and remediation steps for resolution.
Security And Compliance
Onapsis’ highest priority is the security of our software and the confidentiality, integrity, and availability of customer information as it flows through that software. We embed the strongest possible security measures into our software development life cycle (SDLC) and into the operating system, database, web security, and logging layers of our products. Onapsis contracts with accredited, third-party auditing companies who have audited our SDLC process, and we have the following certifications: ISO 9001, ISO 20243:2018, ISO 27001:2013, SOC 1 Type 1/2, SOC 2 Type 1/2, and Veracode Verified Program. Our product design and development requirements follow the OWASP ASVA v4 framework or other industry standard guidelines.
Deployment Options
Onapsis Assess can be deployed on-premises, in your cloud environment (all major cloud providers supported), or in the Onapsis cloud environment, as SaaS. Technical components needed to support each deployment type are described in Table 2.
The Onapsis Platform
Onapsis Assess is one-third of the Onapsis Platform. The Platform provides complete attack surface management for ERP landscapes, focused on business-critical application security that directly target interconnected risk – vulnerability management, threat monitoring, compliance automation, and application security testing.
Onapsis Professional Services Achieve your business objectives at every stage of your journey. Onapsis’ comprehensive professional services offerings target:
Implementation: A paired delivery approach to accelerate time-to-value Education: Knowledge for teams to successfully operate our platform Optimization: Enable continuous improvement and alignment to business needs Administration: Alleviate resource constraints
Onapsis Research Labs The award-winning Onapsis Research Labs is a team of cybersecurity experts who combine in-depth knowledge and experience to deliver security insights and threat intel affecting mission critical applications from SAP, Oracle, and SaaS providers. They have discovered over 1,000 zero-day vulnerabilities and multiple critical global CERT alerts have been based on their novel research. Onapsis automatically updates its products with the latest threat intelligence and other security guidance from the Onapsis Research Labs. This provides customers with advanced notification on critical issues, comprehensive coverage, improved configurations and pre-patch protection ahead of scheduled vendor updates.
Licensing
Onapsis Assess is licensed as an annual subscription based on the number of target systems. Subscription includes access to all updates available for the respective software license, technical support, and a dedicated account manager. Onapsis Assess currently features two license tiers – Assess and Assess Baseline. The Assess Baseline license focuses on helping customers jumpstart their vulnerability management process quickly and easily by addressing issues aligned with the officially published SAP Security Baseline Template and supported by the insights of the Onapsis Research Labs.
Expand and enhance your Assess deployment with additional, premium capabilities:
Assess for Code: Licensed as an annual subscription based on the number of target systems, this provides access to vulnerability scanning for issues in custom code previously deployed to production. InfoSec teams gain much-needed visibility into security issues within custom code and a more complete view of the SAP application attack surface.
Assess for Code: Licensed as an annual subscription based on the number of target systems, this provides access to vulnerability scanning for issues in custom code previously deployed to production. InfoSec teams gain much-needed visibility into security issues within custom code and a more complete view of the SAP application attack surface.
Comply Packs: Licensed as an annual subscription based on the number of target systems, these policy packs provide right-sized, frictionless audit packs that automatically audit ERP IT general controls against various regulatory requirements, eliminating 1000s of hours of manual work. Available policies include Sarbanes-Oxley (SOX), Data Privacy (GDPR), NIST/ISO (ISO:27001, NIST 800-53, NIST 800-171), NERC CIP, and PCI.
Threat Intel Center: This subscription license grants access to a centralized repository of new and ongoing threat research, directly from the Onapsis Research Labs, within the Onapsis Platform. The Threat Intel Center provides a detailed, high-impact view of the evolving ERP threat landscape with one-click access to a comprehensive research library within the Onapsis Platform.
Table 1: Onapsis Assess Features And Benefits
Description
Benefits
Agentless Scanning
Virtual devices are deployed on premises or in the cloud to provide deep scanning of assets at system, application and code levels and analyze system vulnerabilities without sacrificing system performance
Out of-the-Box Vulnerability Scanning
Thousands of vulnerability checks are ready to go out of the box and are grouped into standard policies based on the target system (e.g., SAP, Oracle), allowing for full vulnerability scanning of your business-critical applications.
Custom Policy Creation*
Users can create custom policies to include the set of vulnerability checks that meets their needs.
Standard and Custom Vulnerability Checks*
Onapsis provides predefined vulnerability checks, called modules, but also enables the ability to define custom checks.
Unified Single Dashboard
Shows issue data and trends from recent scans, with graphical visualizations to provide quick insights into system issues.
Exportable Executive Reports
Summary reports demonstrate current risk standing, status over time, and mitigation efforts, allowing results of vulnerability management efforts to be more easily shared with stakeholders across the business.
Risk and Remediation Guidance
Detailed explanations of the business impact of identified problems within each system, along with an associated risk score and step-by-step remediation instructions, accelerates time to resolution.
Integrated Workflows and ITSM integration
Built in workflow capability allows for issue assignment and acceptance either manually via an automated workflow engine. Integration with IT Service Management tools enables automatic ticket creation for faster remediation.
Exportable Executive Reports
Summary reports demonstrate current risk standing, status over time, and mitigation efforts, allowing results of vulnerability management efforts to be more easily shared with stakeholders across the business.
Custom Reporting
Create custom reports via the Onapsis Platform API in order to share reports regarding risk posture trends and assessments.
Onapsis Security Advisor
Feature that leverages AI and 14+ years of Onapsis data and experience from security engagements to help security and IT leaders answer the question, “How are we doing with SAP security?” Acts as a personalized, trusted “security advisor” to help you establish better security goals, guide your ERP security journey, and track progress in comparison to baselines and other companies and industries at different stages.
Onapsis Research Labs Threat Intelligence
Vulnerability checks are regularly updated and added based on the latest investigation results from the Onapsis Research Labs.
Premium Add-on License: Assess for Code
Extends vulnerability scanning to custom code deployed to production. This gives security teams a more complete view of their SAP application attack surface.
Premium Add-on License: Onapsis Comply packs*
Adds right-sized, frictionless SAP audit packs to the Assess scanning engine.
Premium Add-on License: Threat Intel Center*
Delivers a regularly-updated and curated library of new and ongoing threat research, directly from the Onapsis Research Labs. The Threat Intel Center provides one-click access to comprehensive research designed for both the education of cybersecurity team members and providing organization-specific business impact for cybersecurity leaders.
Table 2: Onapsis Assess for Code Components and Description
Technology Component and Description
Details
Business Critical Systems Supported
All SAP applications that run:SAP NetWeaver – ABAPSAP NetWeaver – JAVASAP HANA DatabaseSAP SuccessFactorsSAP Business Objects (BOBJ)Oracle E-Business Suite (EBS)
Console for Onapsis Platform: Onapsis Virtual Appliance provides the management and reporting interface for the Onapsis Platform and control for all sensors. Can be deployed on premises or in the cloud.
Sensors for Onapsis Platform: Onapsis Virtual Appliances, virtual “headless” devices that perform workloads to find and analyze system vulnerabilities. Each installation requires at least one sensor. The number of sensors needed is based on landscape size, complexity, and network segmentation. The sensor receives updates from the console. Can be deployed on premises or in the cloud.
Virtualization Technology: The console and sensor(s) are delivered in a pre-built virtual appliance in Open Virtualization Appliance (OVA) format. The OVA is self-contained and includes a Linux-based OS and the Onapsis solution.
Supported virtualization platforms: VMware KVM Microsoft Hyper-V Supported cloud platforms:Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)
Onapsis SaaS Connector: Required for SaaS deployments; allows the Onapsis Platform to interact with your systems.
Extend DevSecOps to SAP applications with the ability to perform dynamic, static, and interactive analysis to detect more security issues earlier in the development cycle with Onapsis Control for Code. Step-by-step remediation instructions and integrations with developer tools accelerate time to vulnerability identification and remediation.
Business-critical SAP applications are top attack targets for threat actors and an increasing area of concern for enterprises. However, many organizations struggle to build successful SAP testing programs due to inadequate tools that don’t sufficiently support components, languages, and frameworks unique to SAP. Further, these tools frequently don’t integrate with SAP development and change management environments. Consequently, most organizations revert to manual security testing. However, this can’t be the practical answer, as manual reviews take too much time and are prone to human error. Consider that the average SAP application contains over 2 million lines of custom code.¹
The accelerated pace of digital transformation projects, such as SAP S/4HANA migrations and RISE with SAP, puts increased pressure on all teams involved in the application development cycle. It forces teams to attempt balancing speed and security…with security frequently tabled in order to meet abbreviated project timelines. Tight development cycles lead to the use of third-party code libraries and developers. However, with little visibility here as well, organizations are forced into doing a greater number of manual reviews (if any at all, sadly) to stop the introduction of new security issues. Preventing critical issues from getting into production systems is imperative. This is why the ability to perform multiple types of testing across the development lifecycle for your SAP custom applications is important. It is critical to test for and discover errors earlier in development when they’re easier and cheaper to fix.
Onapsis Control for Code directly addresses these challenges, providing application security testing through automated review of custom SAP code and one-click fix remediation for common code errors. Recognized in the Gartner Magic Quadrant for Application Security Testing three years in a row, our automated assessments, integrations with SAP development environments and change management, and step-by-step remediation instructions all empower teams to help them rapidly identify and fix issues before they negatively impact critical production environments and business continuity.
“Onapsis helps us address security code and compliance issues and avoid costly rework and manual analysis.”
– Security Architecture Manager, Fortune 100 Chemical Company
How Onapsis Control for Code Works
Onapsis Control for Code works by scanning systems and inspecting code directly within development environments or code repositories. With a large focus on vulnerable and insecure code, Control for Code leverages extensive test cases across multiple domains based on the best practices and in-depth security analysis and research of SAP applications from the Onapsis Research Labs. Millions of lines of code can be automatically scanned in minutes, and remediation guidance is provided to keep pace with accelerated development cycles. Control for Code identifies vulnerabilities including incomplete or erroneous code, and the testing also enables continuous progress checks during code development. One-click fix functionality enables bulk code scans that identify and automate remediation for the most common code errors with a single click.
Security And Compliance
Onapsis’ highest priority is the security of our software and the confidentiality, integrity, and availability of customer information as it flows through that software. We embed the strongest possible security measures into our software development life cycle (SDLC) and into the operating system, database, web security, and logging layers of our products. Onapsis contracts with accredited, third-party auditing companies who have audited our SDLC process, and we have the following certifications: ISO 9001, ISO 20243:2018, ISO 27001:2013, SOC 1 Type 1/2, SOC 2 Type 1/2, and Veracode Verified Program. Our product design and development requirements follow the OWASP ASVA v4 framework or other industry standard guidelines.
Onapsis Professional Services Achieve your business objectives at every stage of your journey. Onapsis’ comprehensive professional services offerings target:
Implementation: A paired delivery approach to accelerate time-to-value Education: Knowledge for teams to successfully operate our platform Optimization: Enable continuous improvement and alignment to business needs Administration: Alleviate resource constraints
Onapsis Research Labs The award-winning Onapsis Research Labs is a team of cybersecurity experts who combine in-depth knowledge and experience to deliver security insights and threat intel affecting mission critical applications from SAP, Oracle, and SaaS providers. They have discovered over 1,000 zero-day vulnerabilities and multiple critical global CERT alerts have been based on their novel research. Onapsis automatically updates its products with the latest threat intelligence and other security guidance from the Onapsis Research Labs. This provides customers with advanced notification on critical issues, comprehensive coverage, improved configurations and pre-patch protection ahead of scheduled vendor updates.
Licensing
Onapsis Control for Code is licensed as an annual subscription based on the number of target systems. Subscription includes access to all updates available for the respective software license, technical support, and a dedicated account manager.
Expand and enhance your Control for Code deployment with additional premium capabilities:
On Change Control: Licensed as an annual subscription based on the number of target systems, it provides a detailed security scanning and approval framework for change management that integrates with SAP CHaRM. It offers a single view of detailed security scans, approvals, and notes related to system changes in addition to enabling automatic notifications to improve workflows.
Control for Transports: Licensed as an annual subscription based on the number of target systems, it provides the ability to check development objects, system settings, application configuration, and data within SAP transports for vulnerabilities. Step-by-step remediation instructions identify flawed transport requests and help prevent costly production errors as well as reduce the risk of system downtime.
One-Click Fix Premium: Licensed as an annual subscription based on the number of target systems, it upgrades the included One-Click Fix feature to provide automated correction for up to 80% of the most common code errors for ABAP applications. Drastically reduce manual code review cycles by automatically replacing incorrect code with corrected lines of code. Run simulations prior to import to better understand the potential impact of newly written code on production systems.
The Onapsis Platform Onapsis Control is one-third of the Onapsis Platform. The Platform provides complete attack surface management for ERP landscapes, focused on business-critical application security that directly target interconnected risk – vulnerability management, threat monitoring, compliance automation, and application security testing.
Onapsis is proud to be an Oracle partner and the only application security and compliance platform invited to the SAP Endorsed Apps Program.
Table 1: Onapsis Control for Code Features and Benefits
Description
Benefits
Out-of-the-Box Custom Code Scans
Save time by scanning millions of lines of code in minutes for ABAP, Fiori, and HANA Native applications Scans performed for HANA Native include code languages such as SAPUI5, SQLScript, CDS, XSJS, and Node.js. Scans performed for Fiori include code languages such as ABAP and SAPUI5. New ABAP syntax is supported as well as older objects such as SAP LSMW.
Multi-layered Scan Engine
Multiple scanners run in parallel with hundreds of automated, predefined test cases across a wide swath of use cases. Prioritize code issues based on probability and impact to accelerate your time-to-resolution.
SAST (Static Analysis)
Based on patented global data and control flow analysis
DAST (Dynamic Analysis)
Identifies vulnerabilities that are not part of the expected result set including incomplete/erroneous code
IAST (Interactive Analysis)
Continuous process custom-built to check code in SAP development environments against analysis engine for processing in a runtime environment
Broad Set of Predefined Test Cases Across Multiple Domains
Hundreds of test cases are available out of the box and maintained by the SAP security experts at Onapsis. Test case domains include but are not limited to security, compliance, data loss prevention, code performance, robustness, and maintainability.
Onapsis Global Data and Control Flow Analysis
Onapsis’ patented analysis capabilities deliver more accurate detection and significantly lower rates of false positives for code issues, saving valuable time and resources for application development teams.
Deep, Broad Support for SAP Integrated Development Environments (IDEs)
Use Control wherever you currently develop applications, including support for SAP ABAP Development Workbench, Eclipse, HANA Studio, SAP WebIDE, Visual Studio Code, and Business Application Studio development platforms.
CI/CD Tool Support for Automated Development
Develop where you want with plugins available for CI/CD tools such as Microsoft Azure Pipelines and Jenkins. An Onapsis API is available for additional extensibility.
One-Click Fix Bulk Code Correction
Scans millions of lines of code in minutes to provide automatic corrections for the most common errors seen by Onapsis experts in SAP application development, providing significant time savings.
Quick Scan Error Check
Alerts developer to code errors while typing for immediate correction.
SAP Application Workflow Integrations
Seamless integration with SAP ATC Cockpit, SAP CHaRM (Change Request System), and SAP TMS (Transport Management System) for increased productivity.
Leading Third-Party Vendor Integrations
Seamless integrations with workflow management tools from Rev-Trac and Basis Technologies enable DevSecOps for SAP application development.
Premium Add-on License: Control for Transports
Enables the scanning of SAP transports for objects and data vulnerabilities to identify, block, and mitigate bad transports prior to production import
Premium Add-on License: On Change Control
Empowers teams by integrating automated workflows, gates, communication, and detailed code and transport scans into SAP CHaRM
Premium Add-on License: One Click Fix Premium
Automatically corrects up to 80% of the most common code development errors with a single click
Table 2: Onapsis Control for Code Components and Description
Technology Component and Description
Details
Central System: Collects communication event data from all systems. The Cockpit is used to run scans, and Finding Manager is used to view results.
Can be a separate SAP system or part of an existing SAP system
Scanning System: The system is where the actual code scanning is performed by the Onapsis multilayered scan engine.
Supported Operating Systems:Linux: 64-bit SUSE Linux Enterprise Server 11, 12, 15; 64-bit Red Hat Enterprise Linux 5, 6, 7, 8Windows: Windows Server R2 x64: 2003, 2008, 2012, 2016
Additional Requirements: .NET Framework 4.0 and higher
SAP Systems Supported
ABAP Foundation on HANA (any version)SAP S/4HANA Foundation (any version)SAP S/4HANA 1709,1809,1909, 2020, 2021, 2022SAP/BW for HANA (any version)SAP NetWeaver 7.00 SP27 or higher, 7.01 SP12 or higher, 7.02 SP12 or higher, 7.31 SP05 or higher, 7.40, 7.50, 7.51, 7.52
Central System: Collects communication event data from all systems. The Cockpit is used to run scans, and Finding Manager is used to view results.
Can be a separate SAP system or part of an existing SAP system
Continuous threat monitoring and pre-patch protection for business-critical SAP applications with Defend by Onapsis.
Customizable research-based alerts, anomaly detection, descriptions of root cause, and remediation guidance accelerate analysis and incident response.
Business-critical applications are the lifeblood of an organization, supporting financial, supply chain, sales, and other business processes. Security teams have traditionally relied on defense-in-depth strategies in an attempt to protect the application layer. Unfortunately, this layered approach is no longer sufficient for many reasons, including digital transformation and modernization initiatives eroding the perimeter. Adding insult to injury, most enterprises lag behind in applying important patches to their most critical systems.
The result is that the critical application layer is now more exposed than ever before. Threat actors have taken notice, targeting this layer directly through a variety of attack vectors and at an accelerated pace. To protect their critical business operations and data, organizations need continuous threat monitoring designed specifically for these applications. Existing defense-in-depth models surround, but ultimately neglect this layer, creating a large security blindspot. Without this visibility and context, organizations are unable to identify potential threats, understand the risk, and effectively protect their ERP systems.
Onapsis Defend uniquely addresses these challenges by enabling continuous threat monitoring, detection, and response for business-critical applications. Powered by the industry-leading Onapsis Research Labs, Defend acts as an early warning system for unauthorized changes, misuse, or cyberattacks targeting these applications. Security Operations Centers (SOCs) can automatically monitor for more than 2,000 threat indicators, including exploit activity against zero-days and known, unpatched vulnerabilities, providing “pre-patch” protection for an organization’s critical systems. Real-time alerts, easily integrated into SIEMs, provide valuable details on severity, anomaly score, root cause, and recommended remediation steps to accelerate analysis and incident response times.
“We knew moving our SAP instance to a cloud environment would introduce new risks… we can now continually monitor risk, ensure the integrity and security of our supply chain and protect our business.”
— CISO, Global Apparel Manufacturer
How Onapsis Defend Works
Sensors are deployed – either on-premises or in the cloud – to target SAP systems. Defend discovers critical assets across the full landscape and extracts data to analyze for notable security events and user activity. Full visibility into the details of each incident includes the context, severity, anomaly score, root cause, and recommended action for remediation. Incidents can be managed within the console or assigned to external tools and shared with additional stakeholders. The integration framework and configuration interface allows system incidents within SAP to be exported into SIEM and syslog tools for further investigation.
Security And Compliance
Onapsis’ highest priority is the security of our software and the confidentiality, integrity, and availability of customer information as it flows through that software. We embed the strongest possible security measures into our software development life cycle (SDLC) and into the operating system, database, web security, and logging layers of our products. Onapsis contracts with accredited, third-party, auditing companies who have audited our SDLC process and we have the following certifications: ISO 9001, ISO 20243:2018, ISO 27001:2013, SOC 1 Type 1/2, SOC 2 Type 1/2, and Veracode Verified Program. Our product design and development requirements follow the OWASP ASVA v4 framework or other industry standard guidelines.
Onapsis Professional Services Achieve your business objectives at every stage of your journey. Onapsis’ comprehensive professional services offerings target:
Implementation: A paired delivery approach to accelerate time-to-value Education: Knowledge for teams to successfully operate our platform Optimization: Enable continuous improvement and alignment to business needs Administration: Alleviate resource constraints
Onapsis Research Labs The award-winning Onapsis Research Labs is a team of cybersecurity experts who combine in-depth knowledge and experience to deliver security insights and threat intel affecting mission critical applications from SAP, Oracle, and SaaS providers. They have discovered over 1,000 zero-day vulnerabilities and multiple critical global CERT alerts have been based on their novel research. Onapsis automatically updates its products with the latest threat intelligence and other security guidance from the Onapsis Research Labs. This provides customers with advanced notification on critical issues, comprehensive coverage, improved configurations and pre-patch protection ahead of scheduled vendor updates.
Licensing
Onapsis Defend is licensed as an annual subscription based on the number of target systems. Subscription includes access to all updates available for the respective software license, including Onapsis Research Labs threat insights, technical support, and a dedicated account manager.
Additional premium licenses for Onapsis Defend are available to extend its capabilities:
Network Detection Rule Pack: This subscription license grants access to regular updates of Snort®* rules for the most critical and network-detectable threats. These vendor-agnostic rules can be imported across an enterprise security stack into existing network security products to provide organizations with an additional layer of defense.
Threat Intel Center: This subscription license grants access to a centralized repository of new and ongoing threat research, directly from the Onapsis Research Labs, within the Onapsis Platform. The Threat Intel Center provides a detailed, high-impact view of the evolving SAP threat landscape with one-click access to a comprehensive research library within the Onapsis Platform.
The Onapsis Platform Onapsis Control is one-third of the Onapsis Platform. The Platform provides complete attack surface management for ERP landscapes, focused on business-critical application security that directly target interconnected risk – vulnerability management, threat monitoring, compliance automation, and application security testing.
Onapsis is proud to be an Oracle partner and the only application security and compliance platform invited to the SAP Endorsed Apps Program.
Table 1: Onapsis Defend Features And Benefits
Description
Benefits
Detection Rules
2,000+ detection rules across a wide range of SAP assets (e.g., ABAP, JAVA, HANA, SAProuter) identify notable security events, including inappropriate privilege escalation, system misconfigurations, indicators of compromise or known exploits, dangerous RFC or program executions, user access misuse or abuse, and more.
Zero-Day Detection Capabilities
Detection rules triggered by the potential exploitation of vulnerabilities for which SAP has not yet released a security note (‘patch”), and which have not been publicly disclosed. This gives users protection from attacks against critical vulnerabilities as early as possible.
Predefined Incident Profiles
Used to specify which events or activities users want to be alerted to, that may require immediate action or further investigation. Defend includes several predefined incident profiles to help users get started with monitoring SAP systems. These profiles will create an incident to notify users when the actions specified in the profile have occurred on the targeted assets (e.g., an intrusion attempt or other negative behavior).
Customizable Incident Profiles
Define the criteria used to trigger incident notifications, so users are only alerted to activity that they have deemed significant enough to require notification, immediate action, or further investigation. This includes customization to mitigate threats related to user actions such as key operations, authorization assignments, and sensitive data access.
Root Cause Identification and Recommended Actions
Incident context, severity, root cause, and recommended mitigation actions are provided for each event and incident to support and accelerate investigation and response efforts.
AI-based Anomaly Detection
Each recorded activity includes an anomaly score (0-100) based on machine learning models developed by the Onapsis Research Labs, with higher scores denoting larger threats and business impact. These scores can also be used to further customize and create incident profiles unique to your organization.This helps users better direct mitigation and remediation efforts to the most suspicious or anomalous threats facing their organization.
Onapsis Research Labs Threat Intelligence
Detection rules automatically incorporate the deep research from the Onapsis Research Labs. Updates with the latest threat intelligence and other security guidance from the Onapsis Research Labs are included at no cost. This provides advanced notifications on critical issues, configurations and pre-patch protection, ahead of scheduled vendor updates.
SIEM Integrations
Import Defend issues and incidents into existing SIEMs and workflows used by the SOC. The integration allows system incidents within SAP to be incorporated into the wider security management and incident response process.
Includes regular updates of Snort* rules defined by the Onapsis Research Labs. These rules extend Onapsis threat intelligence to network security applications, augmenting their ability to detect (and potentially stop) the most critical, Onapsis-researched threats to ERP applications. Snort rules are open source and vendor agnostic, allowing broader distribution across multiple layers of an organization’s defense-in-depth security stack.
Premium Add-on License: Threat Intel Center
Delivers a regularly-updated and curated library of new and ongoing threat research directly from the Onapsis Research Labs. The Threat Intel Center provides one-click access to comprehensive research designed for both the education of cybersecurity team members and providing organization-specific business impact for cybersecurity leaders.
Table 2: Onapsis Defend Components and Description
Technology Component and Description
Details
Supported Business-Critical Systems
All SAP applications that run: SAP NetWeaver ABAPSAP NetWeaver JAVASAP HANA Database SAProuter
Console – Provides the management and reporting interface for the Onapsis Platform. Deployable on-premises or in the cloud.
Sensors – Virtual devices that find and analyze systems. Deployable on-premises or in the cloud. Each installation requires at least one sensor. The number of sensors needed is based on landscape size, complexity, and network segmentation. The sensor receives updates from the console.
Virtualization Technology: The console and sensor(s) are delivered in a pre-built virtual appliance in Open Virtualization Appliance (OVA) format. The OVA is self-contained and includes a Linux-based OS and the Onapsis solution.
Supported virtualization platforms: VMware KVM Microsoft Hyper-V
Supported cloud platforms: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)
ABAP and Java Add-Ons (SAP-Certified) – Discovers ABAP and Java systems and extracts technical information for analysis in the Onapsis Platform.
The add-on runs as a component on top of your SAP systems and, therefore, does not interact with any functional (business-related) SAP modules.
Browser Compatibility
Supported browsers:Google Chrome*Microsoft Edge Mozilla Firefox Apple Safari *recommended
SIEM and Syslog Integration – Integration profiles can be created to import incident data to Security Information and Event Management (SIEM) and Syslog tools for correlation, reporting and investigations
Supported integrations with:SplunkMicrosoft Sentinel IBM QRadarArcSight Enterprise Security ManagerElasticsearch Kibana Other integrations possible if SIEM can listen for incoming syslog traffic and ingest LEEF, CEF, JSON formats.
Network Detection Rule Pack^
Vendor-agnostic, open-source rules formatted to support Snort* 2.0+
^ Requires purchase of premium add-on Network Detection Rule Pack license * Snort is a registered trademark of Cisco. All rights reserved.
Organizations are facing increasing pressure to optimize business-critical SAP applications by balancing strategic transformation initiatives, application performance, regulatory compliance and cybersecurity requirements. The Onapsis Platform automates testing, change, audit and security processes so cross-functional teams can focus on improving SAP availability and performance, accelerating cloud migrations and S/4HANA implementations, streamlining audit processes and hardening security on-premises and in the cloud.
Automated Governance Ensure IT controls are continually tested and validated to meet compliance requirements and enforce policies to reduce audit burdens and maintain continuous compliance.
Continuous Monitoring Control and mitigate operational risks associated with routine code, application and system maintenance, transports, patching and modernization initiatives.
Change Assurance Reduce the operational risk associated with ERP maintenance and modernization, ensuring the reliability and performance of business-critical applications.
Automate the Audit Establish an automated and repeatable compliance reporting and audit process providing efficiencies and freeing up valuable resources.
Actionable Insights Discover, assess and remediate application-layer vulnerabilities, system-level misconfigurations, custom code issues and bad transports to ensure ERP systems are protected and available.
Continuous Monitoring Receive real-time visibility and threat alerts to respond quickly to unauthorized changes, misuse, or cyberattacks targeting SAP systems and business-critical applications.
Secure the Core Secure the core of your business by providing code, application and ERP system-level visibility and protection against internal and external attacks.
Cloud with Confidence Accelerate cloud migration and digital transformation by ensuring your ERP applications are secure and ready for the cloud.
Provides actionable insight to quickly discover your SAP footprint, assess and eliminate application vulnerabilities, prioritize remediation and improve SAP code and transport quality.
Evaluation: Understand the SAP footprint with system and interface analysis to generate asset inventories and topology—Assess configurations and code to identify risk
Remediation: Streamline and accelerate remediation of system and code vulnerabilities and misconfigurations with ticketing system integration
Prioritization: Proactively identify misconfigurations and vulnerabilities to measure business impact to help prioritize fixing and patching ERP systems to reduce risk
CONTROL Eliminates operational risks associated with SAP maintenance and modernization by proactively improving and hardening code, assessing transports and enforcing configuration policies.
Strength: Continually assess code, transports and configurations to maintain a desired state through regular changes, upgrades and optimization
Integrity: Enforce approval of code, transports and system configurations to ensure stability, security and robustness of SAP
Prevention: Automatically block poor code, transport error and critical configuration changes to adhere to corporate policies
COMPLY Enables automated governance with compliance policy enforcement and reporting capabilities to significantly reduce the burden of proving compliance.
Define: Simplify audit processes to record, log and audit activity for regulatory compliance reporting such as SOX, GDPR and others
Test: Automate continuous compliance assessments of SAP systems to proactively measure risk, understand compliance impact and stay ahead of the audit cycle
Report: Get started with 14 out-of-the-box compliance policies and customize policies to meet specific IT controls and compliance requirements
DEFEND Delivers continuous monitoring for complete, real-time visibility into SAP systems so you can quickly respond to internal and external threats.
Detection: Continuous monitoring and visibility of threats against SAP systems to detect cyberattacks and privilege misuse
Response: Accelerate risk mitigation and remediation with automated alarm notifications and SIEM integration
Alerting: Immediate identification and notification of unauthorized use, improper transactions and contextual attack based on likelihood of success
SAP Applications
The Onapsis Platform delivers a near real-time preventive, detective and corrective approach for securing SAP systems, whether deployed on-premises, or in a private, public or hybrid cloud environment. The Onapsis Platform provides unmatched coverage and protection across SAP NetWeaver®, ABAP®, J2EE, SAP HANA® and S/4HANA® platforms. The platform integrates with network security, GRC solutions, SIEM solutions and workflows as well as leading cloud providers.
Powered by Onapsis Research Labs Onapsis Research Labs is the world’s leading team of security experts who combine their deep knowledge of critical ERP applications and decades of threat research experience to deliver impactful security insights and threat intelligence focused on the business-critical applications from SAP, Oracle, and SaaS providers. Onapsis Research Labs is, far and away, the most prolific and most celebrated contributor of vulnerability research by the SAP Product Security Response Team.
The Chief Information Officer (CIO) holds responsibility for all IT decisions affecting the company, a task that has increased in complexity in recent years. This e-book reviews five challenges CIOs face when dealing with SAP security, including recommendations for overcoming these challenges.
The Chief Information Officer (CIO) holds responsibility for all IT decisions affecting the company, a task that has increased in complexity in recent years. This e-book reviews five challenges CIOs face when dealing with SAP security, including recommendations for overcoming these challenges.
Changes to SAP production systems through SAP transports pose a high security risk. These potential “Trojan horses” sneak in malicious content or changes, providing a gateway for espionage, data theft and data manipulation. The damage to an affected company can be considerable, ranging from financial and reputation loss to substantial penalties associated with violations of legal data protection regulations.
Nevertheless, many companies are still unaware of the potential dangers of transports for SAP security. In addition, conventional analysis tools are unable to identify the Trojans hidden in SAP transport files. Transport analysis from Onapsis closes this gap with minimal effort.
Download the Battling Trojan Horses in Your SAP® Transports e-book now to learn more.
Industry – Federal Government Company Size – 700,000 (civ) 1.4M
Background
The Theater Enterprise-Wide Logistics System (TEWLS) is an SAP software-based application the U.S. Department of Defense (DOD) Health Agency uses to coordinate medical logistics through a single shared data environment to support all armed forces. It was developed by the U.S. Army and adopted by the DOD.
Challenge
Prove SAP® ABAP code was secure and compliant with DOD standards.
Solution
Onapsis code analysis scans ABAP code across all phases of the development process, reporting any vulnerabilities and providing actionable guidance on how to fix. Low instances of false positives, automated scans, and automatic remediation options significantly reduce the burden on developers to maintain code and prove compliance with DOD standards.
Knowing that vulnerable code could cause an application failure or result in compromising an entire system – which could cost lives – the DOD requires stringent security testing for all software program code before they will grant Authority to Operate (ATO). Because of this, all custom SAP ABAP® applications developed for TEWLS are subject to intense scrutiny.
Unfortunately, TEWLS couldn’t pass the static code scanning and other tests the DOD requires to gain ATO.TEWLS developers needed to be able to prove the security and compliance of their ABAP code, but available tools were insufficient and had many limitations, including false findings, inconsistent results, limited test scope, no integration with SAP, and no remediation instructions for developers.
TEWLS teams wasted valuable resources working through false results and were ultimately unable to prove that their code was secure and compliant to finalize DOD ATO.
Scanned and remediated vulnerabilities quickly
Decreased number of code corrections required
Improved developer skills
Reduced effort and time spent on code reviews
Ensured all code meets security and compliance requirements
“Onapsis code analysis enables us to prove that our code is secure and compliant … it is accurate, comprehensive and consistent and ensures that all ABAP code meets our high standards.”
CHRISTINE WARRING Tewls Sustainment Project Manager, Joint Medical Logistics Functional Development Center (JMLFDC)
Solution
Realizing how much valuable time and resources were being wasted on manual analysis and insufficient tools, which couldn’t help them reach ATO, the DOD started researching automated code scanning options and found their ideal solution with The Onapsis Platform. With Onapsis, the DOD received accurate results, which allowed the TEWLS teams to pass the testing needed to prove their code is safe and secure. Onapsis code assessment is comprehensive and tightly integrated with SAP, and provides detailed remediation instructions when any issues are found. Using data and control flow analysis, modules and content accessed beyond the code selected are also checked for vulnerabilities. This makes the classification of problems more reliable and reduces the number of false-positive reports.
Code analysis from Onapsis can be integrated seamlessly into the various phases of the development process. A freely configurable workflow guarantees that company-specific compliance policies, for the purposes of verification and correction, can be modeled and logged. Integration into the SAP transport system ensures that the defective code doesn’t end up in the production system.
While they are programming new code, developers receive constant, interactive feedback and vulnerabilities are flagged immediately. Onapsis code analysis identifies the problematic statement and immediately classifies the corresponding risk. To provide developers with optimum support for rectifying the problem, proposed corrections are displayed for the specific vulnerability. This direct feedback, plus extensive documentation, works to accelerate the developers’ learning curve.
COMPLY
