MercadoLibre

Industry – Large enterprise, E-Commerce Marketplace
Company Size – 40k+ employees >$13B revenue

Challenge

MercadoLibre’s top executive management had always taken a highly proactive approach to protecting their sensitive information from cyberattacks. In light of the increased threats to SAP® environments, Diego Cabrera Canay, Director of Financial Planning, Analysis & Control at MercadoLibre, was faced with the challenge of securing the Company’s business-critical SAP platform.

Diego evaluated the situation together with two colleagues: Jorge O’Higgins, Sr. Manager Information Security, and Sebastian Monaco, Sr. SAP security analyst. “We realized we needed to know where we were standing regarding SAP application security risks, beyond user access controls,” explained Sebastian. 

They soon came to the conclusion that they needed to define a process to manage the implementation of SAP Security Notes and protect their systems against known vulnerabilities. “SAP Security Notes are applied by our BASIS teams. However, we did not have the capabilities to understand which ones we were missing and the ones we needed to implement quickly,” mentioned Diego. “We could also not easily verify if they had actually been implemented.”

“While we had processes and products in place to assess the security of our Web applications, operating systems, and databases, none of them could help us review our SAP applications in depth. Onapsis filled this gap perfectly.”

Solution

MercadoLibre selected Onapsis, the first and only SAP-certified solution for automated application security assessments of SAP platforms. “Onapsis was the only product in the market that could provide us with these capabilities,” highlighted Jorge.

Onapsis empowers Compliance, Information Security and SAP professionals to go beyond Segregation of Duties controls. The product closely inspects the SAP application layer (NetWeaver/BASIS) for vulnerabilities and unsafe configurations of technical parameters, missing SAP security patches, insecure interfaces between SAP components, and users with risky technical authorizations (for both ABAP and Java-based SAP systems). The product, which provides continuous monitoring capabilities, eliminates the SAP security gap many organizations suffer from by reporting precisely on existing threats affecting their SAP platform and providing actionable remediation information.

“As a publicly-traded company, we have to be SOX compliant. We knew we needed to stay current regarding modern requirements affecting our SAP environment, and Onapsis was the only product that was able to help us to detect and mitigate gaps in the SAP application security layer.”

Results

“Onapsis helped us to streamline the process of implementing SAP Security Notes. We can now automatically identify which ones really affect our platform in a prioritized way, also helping us verify their correct implementation.”

Before Onapsis, MercadoLibre was only prepared to perform ad-hoc reviews in the case of incidents. Today, its security posture is much more robust: “We have a proactive and efficient solution to run our SAP systems securely, minimizing the probability of successful attacks on our business-critical systems,” commented Diego.

Volume XIII: SAP HANA System Security Review - Part 2

SAP HANA is being pushed by SAP as the absolute in-memory database for its products and more recently, as a standalone platform. The vast majority of companies who have already adopted it are leveraging its capabilities to support business-critical applications. Due to its nature, SAP HANA stores an organization’s most important assets, thus requiring large efforts to secure that data.

This publication is the second in our SAP HANA Security In-Depth publications, and follows SAP HANA System Security Review Part 1.

SAP HANA System Security Review Part 2 analyzes SAP HANA Internal Communication Channels detailing associated risk, and identifies how to properly audit an SAP HANA System. In addition, this publication describes how to update the platform, noting new improvements in the Support Package.

Blueprint for CIS Control Application: Securing the SAP Landscape

A SANS Whitepaper | Written by Barbara Filkins

Any data breach can be expensive, but the potential cost rises with the value or exploitability of the data targeted in an attack.

Serious attacks aimed directly at large-scale ERP systems rather than more peripheral systems may generate extraordinary costs, whether they are simple denial-of-service attacks or sophisticated efforts to compromise data that is confidential or strategically important. A 2014 IDC study on the cost of system downtime among the Fortune 1,000 found that the average cost for the failure of a critical application is between $500,000 and $1 million per hour.

Direct attacks on ERP systems have been relatively rare, or at least very rarely disclosed publicly. Since 2012, groups including the hacktivist collective Anonymous have claimed to have successfully attacked government organizations using zero-day exploits affecting SAP systems [2]. The only clear and public example of compromise, however, was in May 2015, when Nextgov.com, a site that focuses on news about federal IT, broke the story that an SAP installation may have been the initial attack vector in a breach that netted files containing tens of millions of highly detailed and personal data points [3]. The attack in question was the notorious U.S. Office of Personnel Management (OPM) breach.

According to Nextgov.com, an internal investigation had uncovered evidence that attackers had broken into United States Investigations Services Inc. (USIS), a contractor that conducts background checks for most federal agencies, by exploiting a flaw in an SAP system.

Volume XII: SAP HANA System Security Review - Part 1

SAP HANA is being pushed by SAP as the absolute in-memory database for its products and more recently as a standalone platform. The vast majority of companies who have already adopted it are leveraging its capabilities to support business-critical applications. Due to its nature, SAP HANA stores an organization’s most important assets, thus requiring large efforts to secure that data.

This publication will help security officers understand the SAP HANA layout, the security risks it faces and, most importantly, how to mitigate them. SAP HANA System Security Review explores various usage scenarios, reviewing a secure configuration for each one, as well as technical aspects, default users, privileges and roles. In addition, this publication analyzes different published vulnerabilities, their impact on the business, and what has to be done to fix them.

Volume XI: SAP End-User Tools: The Weakest Link to Sensitive Data

When thinking of SAP security we tend to always think of SAP servers and pay little attention to the tools end-users use to connect to most of our SAP Systems, as well as the way those tools are used. Outside the SAP security world it is well accepted that attackers are no longer targeting servers directly, but rather are focusing on client-side attacks which could potentially allow escalation to the servers. During the last year, several malware attacks targeting SAP systems were discovered but received little attention at the time of discovery.

SAP End-User Tools: The Weakest Link to Sensitive Data analyzes multiple weaknesses that could affect end-user applications related to SAP, such as the SAPGUI client and other tools commonly used by SAP end-users. Additionally, this publication specifies which sensitive data and credentials could be stolen, and outlines the context in which these weaknesses could be exploited. Each weakness is explored in detail with advice on workarounds and fixes.

Volume X: Pivoting Through SAP Systems

Every organization running SAP to support its business-critical processes has typically implemented several systems in complex scenarios. Depending on the size of the company, the number of SAP Systems, Instances and Products used can be quite large.

All of these systems are interconnected, and the connections involve different components, each with specific features and restrictions. As a result, every SAP implementation has a certain number of configurations related to how the systems are connected. If these are not properly set, the systems could be abused to connect from one system to another, bypassing authentication mechanisms or network restrictions and potentially rendering the entire landscape vulnerable.

Pivoting through SAP Systems explains current methods used by attackers to move, or “pivot” between SAP systems, and how these techniques are used in order to expand an initial compromise to the entire SAP landscape.