Onapsis Assess for SAP SuccessFactors

SAP SuccessFactors contains some of an organization’s most sensitive and regulated data, including employee PII and bank account details to support payroll. Protecting this data – ensuring only authorized users can access and modify it, minimizing risk of breach – is essential for avoiding fraud and costly compliance violations.

Global Chemical Manufacturing Company Case Study

Industry: Manufacturing, Chemicals
Company Size: 100k+ employees, >60B revenue

Challenge

Costly, unexpected project delays due to manual code reviews and lack of transport visibility

A global chemical company relies on SAP for its business-critical applications and uses custom code development to support the organization. However, the organization struggled to keep its development cycles at a pace aligned with the speed of the business. A manual code review process with no way to check transports for errors led to long, error-prone development cycles for SAP applications. Additionally, it was difficult to implement changes without impacting existing system performance or introducing security or compliance issues. This resulted not only in missed project deadlines but also in unexpected costs, due to remediation efforts and rework when errors in code were brought into production.

“Onapsis helps us address two of the biggest trouble areas in our change management processes—custom code and transports. A third-party solution for analyzing these that integrates into SAP ChaRM allows us to get things right the first time and avoid costly rework and manual analyses.” 

Security Architecture Manager, Global Chemical Company

Solution

Onapsis Control automates code scans, checks transports, and reduces development cost and time

The company found the ideal solution in Onapsis Control. They were able to eliminate their manual code review processes and automatically scan hundreds of lines of code in minutes for errors. Onapsis Control’s detailed explanations and step-by-step remediation guidance shortened their time to resolution and accelerated their development cycle. Deep visibility into their transport errors prior to production enabled the resolution of problematic transports prior to import. This eliminated the need to remediate production errors and also enabled projects to be delivered on time and within budget. The company was able to use Onapsis Control’s ability to check code and transports for quality issues that can negatively impact system performance, compliance, and security. They were also able to ensure that system changes enabled by transports did not impact system performance. Because they received timely, critical threat intelligence from the Onapsis Research Labs, the company had confidence they could stay ahead of the latest potential threats to their SAP landscape.

“With Onapsis, we can be more confident that the changes we’re making aren’t going to cause disruptions or performance issues while addressing security and compliance at the same time. It’s a win for everyone.”

Security Architecture Manager, Global Chemical Company

Results

  • 25% less time spent on code reviews
  • 65% lower costs on remediation activities
  • 75% reduction in security and quality errors imported into production

Implementing Onapsis Control has enabled the company to incorporate security earlier into their application development cycle, thereby reducing costly errors in production that affect manufacturing and delivery processes. Deep scanning of transports ensures that configuration or authorization changes that violate company policy or manufacturing process guidelines are blocked and, ultimately, rewritten prior to being deployed in the production environment.

This resulted in a 75% reduction in the number of security and quality errors imported into production. As a result, their development process is more secure and efficient, and they have eliminated time-consuming rework and costly system disruption or downtime. The development team also replaced their time-consuming manual code review process with the automatic code scans of Onapsis Control, reducing their code review cycle time by 25%.

Volume XV: SAP® Security In-Depth: Preventing Cyberattacks Against SAP Solution Manager

According to a recent IDC survey of 430 IT decision makers, 64% of organizations have experienced a breach of their ERP systems, either SAP or Oracle E-Business Suite. Why?

  • Attackers are specifically targeting the crown jewels of the organization, supported by their ERP systems
  • More ERP systems are exposed to the internet than ever before 
  • Traditional perimeter-focused security approaches are not effective at protecting business-critical applications
  • Software vulnerabilities, if left unpatched, create risk and opportunities for attackers 

With this in mind, the Onapsis Research Labs works very closely with both SAP and Oracle to help identify and fix vulnerabilities. When we find a vulnerability, it is our mission to help keep organizations protected. We provide a solution, The Onapsis Platform, and best practices and advice.

Since 2019, SAP has issued three HotNews Security Notes for Solution Manager (SolMan). The most recent, in March 2020, addresses a critical vulnerability. The vulnerability can be exploited without authentication, needing no user credentials, and can lead to access to any SAP system, potentially resulting in fraud, theft and disruption.

As a result, the Onapsis Research Labs, which found this SolMan vulnerability, has issued an updated SAP Security In-Depth (SSID) report providing best practices for preventing cyberattacks against SAP SolMan. We highly encourage you to apply this latest SAP patch and also follow our guide for keeping SolMan and your SAP landscape secure.

For more information, check out our blog post analysis of the March 2020 SAP Patch Day 

Onapsis Webinar

Critical SAP RECON Vulnerability: Who Is At Risk & How to Protect Your Business

Protecting SAP from the Latest RECON Vulnerability 

ON DEMAND

SAP’s July Security Notes include a fix for a critical vulnerability – CVSS score of 10 out of 10 – named RECON. Successfully exploiting RECON could give an unauthenticated attacker full access to the affected SAP system, including the ability to modify financial records, view personally identifiable information (PII), corrupt data, delete or modify logs and traces, and take other actions that put essential business operations and regulatory compliance at risk.

The Onapsis Research Labs first identified this vulnerability in May 2020 and has worked closely with the SAP Security Response Team on a mitigation strategy. More than 40,000 SAP customers may be vulnerable to RECON, with upwards of 2,500 Internet-facing systems facing even greater risk. 

Attend this session to learn:

  • Details on the RECON vulnerability
  • The business impact
  • Why patching is so important
  • Recommendations for keeping SAP protected