CONTACT US
Search
CONTACT US
Onapsis Webinar

SAP Transport Security: Transformation with Less Risk and More Efficiency

/in /by

Learn how to reduce the risk introduced through ongoing changes in your Software Development Life Cycle

ON DEMAND

There’s a good chance you are either planning or in the midst of a significant digital change project (or several?). Any change to your SAP Landscape might introduce security vulnerabilities, putting your entire IT infrastructure at risk.
 
In this session, we’ll look at the common types of changes happening in your SAP landscape and how those might introduce security vulnerabilities that can roadblock productivity. We will also highlight reasons why this threat vector is a growing target for attackers.
 
We’ll also explain the cost it creates for organizations to address those potential security issues manually today and see how Onapsis can help to automate many of the manual change review steps to speed up release cycles, reduce cost and reduce the risk of an impact from a critical security vulnerability.

How a Canadian Media Giant Passed Its PCI DSS Audit with Automated Code Analysis

/in /by
Industry – Media Production
Company Size – 1000+ employees

Customer Profile

As one of Canada’s largest multimedia organizations, handling high volumes of credit card data is a daily part of business, making PCI DSS compliance a critical requirement. To meet this standard, the company needed a way to achieve automated compliance
for a massive volume of custom ABAP code within its SAP systems. They partnered with Onapsis to automate SAP code analysis, which was essential for passing their external audit and accelerating application delivery.

The Challenge: Proving PCI DSS Compliance for Custom ABAP Code

After consolidating all credit card data into their SAP systems, the company’s applications became subject to the rigorous Payment Card Industry Data Security Standard (PCI DSS). With a large volume of custom code developed over many years, much of it by external partners, they faced several key challenges:

  • Lacking a fast or reliable way to scan all their custom ABAP code for vulnerabilities that would violate PCI DSS requirements.
  • Needing to produce clear, actionable reports for developers to fix any compliance issues found in the code.
  • Facing a time-consuming and resource-intensive external audit process to prove their SAP systems were compliant.

The Solution: Automated Code Scanning and Compliance Reporting

The media corporation chose the Onapsis Platform as its solution to automate the entire process of analyzing code and proving compliance.

Automated PCI DSS Code Analysis

Using the platform’s code analysis capabilities, the company was able to automatically scan all of its custom ABAP code specifically against PCI DSS requirements. The platform identified the exact issues that needed to be fixed and provided actionable remediation guidance, allowing developers to quickly bring the code into compliance.

Streamlined Audit Reporting

Onapsis enabled the team to easily produce detailed reports and documentation on the state of their code. These reports were shared directly with external auditors, significantly reducing the time and resources needed for the audit process and providing definitive proof of compliance.

The Results: A Successful Audit and Accelerated Development

By building Onapsis into their development process, the company not only passed its PCI DSS audit but also made its entire development lifecycle more efficient and secure.

Results at a Glance:

  • Passed the PCI DSS audit by proving custom ABAP code was secure and compliant.
  • Automated the identification of security and compliance risks in custom code.
  • Significantly reduced the time and resources required for audit preparation.
  • Accelerated application delivery by building compliance checks directly into the development process.

A Blueprint for SAP Compliance and Audits

This media company’s success provides a clear model for meeting high-stakes compliance mandates like PCI DSS. Their key to success was automating code analysis and reporting. Key takeaways for your organization include:

  • Automate code scanning against specific compliance frameworks (like PCI DSS, SOX, or GDPR) to find issues fast.
  • Provide developers with actionable guidance to accelerate remediation and reduce rework.
  • Generate comprehensive reports to streamline external audits and prove compliance.

A Blueprint for SAP Compliance and Audits

This media company’s success provides a clear model for meeting high-stakes compliance mandates like PCI DSS. Their key to success was automating code analysis and reporting. Key takeaways for your organization include:

  • Automate code scanning against specific compliance frameworks (like PCI DSS, SOX, or GDPR) to find issues fast.
  • Provide developers with actionable guidance to accelerate remediation and reduce rework.
  • Generate comprehensive reports to streamline external audits and prove compliance.

Fortune 250 Biotech Case Study

/in /by
Industry – Biotechnology
Company Size – 20k+ employees, >$20B revenue

Fortune 250 Biotech Challenge

No visibility into vulnerabilities or suspicious activities that put critical supply chain and manufacturing applications – and patient safety – at risk

One of the world’s leading independent biotechnology companies depends on SAP for their supply chain, manufacturing, international trade, and other business-critical operations. Knowing that a “threat to SAP is a threat to the patients that rely on their products,” they knew they needed to harden their applications against internal and external threats. But, their already under-resourced teams didn’t know where to start. With a growing backlog of patches and no easy way to prioritize them, the organization tried to leverage their existing vulnerability management technology, but realized it didn’t sufficiently support SAP.

The team also wanted to bring SAP events into their SIEM so they could be incorporated into their incident response processes, but they lacked the threat intelligence and monitoring technology to do so. Unhappy with the SAP gaps in their existing security solutions, processes, and internal knowledge, they sought a third party technology that would give them the visibility and context they needed to help them better understand and manage their SAP attack surface.

“A threat to our SAP applications is a threat to the patients that rely on our products. With Onapsis we can be proactive with our SAP security and keep our critical applications – and patients – safe. Their vulnerability assessments allow us to understand and act on the risk within our landscape, while their continuous threat monitoring ensures we have pre-patch protection and compensating controls in place until we can apply the appropriate patch or fix.”

Global Lead of SAP Operations, F250 Biotechnology Company

Fortune 250 Biotech Solution

Onapsis automated vulnerability scans provide actionable visibility into risk within critical SAP applications, while its powerful threat monitoring acts as an early warning system for potential cyberattacks

The biotech company found their ideal solution with Onapsis, whose security technologies are designed specifically for ERP systems like SAP. The automated scans, rich research-backed results, and remediation guidance provided by Onapsis Assess offsets the organization’s lack of internal SAP security expertise. It has also enabled them to finally build a strong vulnerability management program for SAP. Now, they can quickly understand the true risk to their critical applications with the context they need to prioritize and act on it. 

With Onapsis Defend, the organization has enabled continuous threat monitoring for SAP, leveraging over 2,000 detection rules, anomaly scoring, and mitigation guidance from the industry-leading Onapsis Research Labs. Defend acts as an early warning system, alerting the chemical company of unauthorized changes, misuse, or cyberattacks targeting their SAP applications. With Defend, the company has also gained compensating controls and pre-patch protection. The unique, proactive threat intel that powers Defend allows them to monitor for potential exploit activity before patches are released (zero-day vulnerabilities) or have been applied (known, unpatched vulnerabilities). Given the growing backlog of patches and lengthy patching processes, having protection before fixes can be applied has been a key benefit.

“With Onapsis, we can now quickly identify and act on risk to our critical SAP systems. Integrating with our existing IBM QRadar solution has further accelerated our response times and given our SOC teams much-needed visibility into threats affecting our critical applications.”

Global Lead of SAP Operations, F250 Biotechnology Company

Results

Using Onapsis Assess and Defend, the Biotechnology company has experienced:

  • 83% Reduction in Mean Time to Remediation (MTTR)
  • 96% Reduction in remediation time for emergencies
  • 75% Improved incident response times

75% improved incident response times and 83% reduction in remediation time thanks to Onapsis automation and intelligence

With Onapsis Assess, the organization is able to automate their vulnerability checks and measure the security risk of each vulnerability so they can prioritize fixes. Step-by-step technical solutions and an integration with ServiceNow ensures the SAP teams handling resolution receive timely assignments and the instructions they need to effectively mitigate the vulnerability. This has helped them reduce their remediation time from more than six months to less than one (less than a week for emergencies). Integrating Onapsis Defend with their existing IBM QRadar instance means their SOC teams receive immediate notifications of suspicious or malicious activity targeting their SAP applications, including insight into root cause and remediation recommendations. Bringing SAP security events into existing incident response workflows and the rich context included with each alert has significantly reduced forensic investigation time and resulted in seventy-five percent improvement in incident response times.

Large utility company builds SAP vulnerability management program, reduces remediation time by 80%

/in /by
Industry – Utilities, Gas and Electic 
Company Size – 2k+ employees, >$2B revenue

Challenge

Unaddressed risk in critical SAP applications due to complex patching process and no visibility into other vulnerabilities

A large American utility company relies on SAP applications for many of their business-critical processes. Despite their critical nature, however, the company lacked visibility into the security posture of these applications- what vulnerabilities existed and what risk they posed to the business. Their patching process was complicated and time-consuming, and their existing vulnerability management tools didn’t sufficiently support SAP. The organization realized they had unaddressed risk within their critical systems, but they had no way to measure, understand, and act on it. With a major SAP S/4HANA migration project planned, they knew they needed a solution that could address this risk in the short-term and be used throughout the transformation.

“Onapsis removes the mystery around SAP security by increasing visibility. We can see issues — misconfigurations,missing patches or overly privileged users — what risk they pose and how to fix them.”

Enterprise Security Manager, Utility Company

Solution

Onapsis time-saving vulnerability scans provide deep visibility, detailed solutions, and business impact to identify risk and accelerate response

The utility company found their ideal solution with Onapsis Assess, which uniquely provides focused and comprehensive vulnerability management designed for SAP applications. Automated assessments, detailed solutions, and descriptions of business impact enable the organization to easily identify the true risk to their critical application landscape and understand how to respond. Onapsis Assess also significantly improved their patching processes, eliminating much of the manual work that was previously required. The included context from the Onapsis Research Labs helps them quickly determine which SAP Security Notes to prioritize, the best way to implement, and if they are missing any critical patches.

“With Onapsis, we were able to establish and maintain SAP security baselines and can now build them into transformation projects from the start. Onapsis enables us to keep SAP secure without impacting system performance or interfering with Basis teams.”

Enterprise Security Manager, Utility Company

Results

60% less time spent investigating issues and 80% reduction in mean time to remediate (MTTR) thanks to research-driven analysis provided by Onapsis
  • 80% Reduction in Mean Time to Remediation (MTTR)
  • 90% Less time spent on patching
  • 60% Reduction in investigation time

The deep visibility and research-driven results provided by Onapsis Assess give the utility company an accurate understanding of risk within their critical systems and the context they need to quickly act on it. The detailed explanations and business impact provided by Onapsis mean the company’s security teams don’t have to be SAP experts themselves; they can make informed decisions on how to respond without having to spend a lot of time investigating each issue. Integrating Onapsis Assess with their ServiceNow further facilitates remediation efforts by aligning their security teams using Onapsis with their Basis teams responsible for fixing the issues. Leveraging this workflow and arming the Basis teams with Onapsis-provided step-by-step fixes has helped reduce the company’s mean time to remediate (MTTR) by eighty percent. 

The utility company has also leveraged the customizability of Onapsis Assess to establish their own security baseline. By creating a custom scan catered to their business priorities and risk profile, they can regularly assess against it to ensure their systems continue to meet their security standards. They will use this baseline throughout their upcoming SAP S/4HANA migration to ensure their new systems are being configured securely.

Multinational Food Manufacturing Company Case Study

/in /by
Industry – Food Production
Company Size – 160k+ employees, >$115B revenue

Challenge

As one of the world’s largest food production and shipping companies, with involvement in agriculture, animal nutrition and protein, food and financial and industrial processes, this 150-year-old multinational organization with locations in 70 countries operates at a scale and reach unlike many others. This operational footprint presents them with significant challenges and opportunities from an SAP perspective. They have 400 SAP applications spanning 40 products and 25,000 users, and undertake nearly 400 active projects per month. Given this magnitude and the critical nature of these systems, the organization needed a solution that would help them identify, understand and mitigate security risks across their entire landscape. With security baselines established, they needed a way to measure and operationalize them across new and existing application use cases, including new business ventures, partnerships and growth projects from the start. 

As well as SAP security and meeting internal baselines, the organization needed support in terms of regulatory compliance, responding to and demonstrating adherence with legislation such as GDPR and CCPA. Maintaining both their security and compliance posture, despite the significant volume of change involved with managing an SAP system of this scale, was essential for achieving their ultimate goal of cyber resiliency for their business-critical applications.

  1. Understand business risk due to system vulnerabilities
  2. Streamline the SAP patching process
  3. Prevented unauthorized changes and misuse, supporting application stability
  4. Integrated directly with SIEM to monitor for SAP threats 
  5. Ensured compliance with internal and industry policies

“Most security professionals can’t spell SAP, yet 77% of global GDP passes through SAP systems. This establishes them as critical systems, but the lack of knowledge around the systems means they are often overlooked. The further up the stack you go, the more specialized this knowledge becomes. There are very few SAP security specialists that look at specific applications and how they pose a threat this is what makes Onapsis such a valuable partner for us.”

Solution

Onapsis’s pedigree in both security and compliance for SAP positioned them as the perfect solution for the food production company. The success comes from a relationship based on a partnership, instead one between customer and provider, with each side understanding the role they play. Onapsis provides the actionable insight and continuous monitoring the organization needs to understand security and compliance risk within their SAP environments, but it is ultimately up to the organization to prioritize and respond to these risks given their risk posture and tolerance. Likewise, if the organization needs additional information or support, Onapsis provides the expertise they need to act and protect their applications. By partnering with Onapsis, the organization keeps their global SAP stable, protected and compliant with security baselines. They are able to: 

  • Gain visibility to make informed decisions about levels of acceptable residual risk 
  • Discover and understand business risk due to system vulnerabilities, missing patches and misconfigurations, which helps to frame conversations around risk with internal business partners 
  • Simplify compliance and demonstrate they are in line with internal security baselines and industry regulations 
  • Streamline the patching process and understand how to prioritize missing SAP notes 
  • Continuously monitor their system health, which helps to maintain application availability and stability, and identify and prevent unauthorized changes, misuse or cyberattacks 
  • Integrate directly with their SIEM with custom alarms to inform SOC of potential exploits or threats to SAP systems &  applications 
  • In the future, manage change via code and transport analysis to accelerate development, avoid downtime or errors and minimize manual reviews

SAPinsider S/4HANA in the Cloud

/in /by

In Q4 2019, SAPinsider surveyed 182 members of their audience from 112 customer companies to understand their current ERP landscape, whether that landscape involves SAP S/4HANA and if they have plans to use a hyperscale environment. Download the survey report to see the results, including what percentage are moving to cloud environments, outcomes organizations have experienced and the actions they can take to ensure a successful ERP cloud strategy going forward, with a focus on SAP S/4HANA deployments in the cloud.

Automobile Manufacturer increases visibility to proactively manage business risks

/in /by
Industry – Automobile Manufacturer
Company Size – Top 25 fortune 500

Challenge

Expand a comprehensive cybersecurity program to include business-critical application optimization and security to strengthen resiliency of SAP systems.

Solution

The Onapsis Platform assesses SAP for vulnerabilities and misconfigurations to understand potential business impact, define remediation strategies and set baselines. With Onapsis, the company was able to build security into projects from the start, continually monitor their entire landscape and prevent configuration drift, ensuring their business-critical applications stay secure and online.

The automobile manufacturer is a longtime SAP partner and relies on the business-application software provider solutions for its global finance and purchasing processes, customer care and after-sales applications. The company is widely considered an early adopter of cybersecurity solutions and recognized as an innovator among fellow Fortune 500 companies and manufacturing organizations. In 2015, the company expanded its comprehensive cybersecurity program to include business-critical application optimization and security technologies with the goal of further strengthening the resiliency of core business applications including SAP. 

The first step for the company’s cybersecurity team was to audit and inventory its SAP applications within the network to ensure the highest possible level of visibility and monitoring in support of stringent SLAs with application owners. The second objective was to develop a continuous SAP application security management process that would accelerate and prioritize risk management and drive shared, intelligence-driven remediation processes among its SAP and application owners.

To accelerate its SAP cybersecurity objectives, the automobile manufacturer partnered with Onapsis to augment and multiply the value of application management and GRC tooling provided by SAP and other vulnerability management solutions. 

It implemented the SAP-certified Onapsis Platform, which combines a preventative, behavioral-based and context aware approach for detecting, identifying and mitigating risks to business operations, compliance with regulatory mandates and overall cybersecurity posture. 

  • Scanned and remediated vulnerabilities quickly
  • Reduced effort and time spent on QA
  • Ensured all applications meet security and compliance requirements

“The main goal of our partnership with Onapsis was to automate SAP application monitoring and vulnerability management in a way that would allow our cross-functional teams to build, deploy and manage better, more resilient SAP applications faster at a lower cost,” said the Director, SAP Center of Excellence at the company. “We knew The Onapsis Platform would enable the SAP security team to show the application teams and business owners where configuration and code imprecisions were inhibiting optimal application performance, while also prioritizing vulnerabilities and SAP Security Notes. We knew this would also provide us the compensating controls necessary to exceed baseline Sarbanes-Oxley (SOX) compliance standards.”

Results

The Onapsis Platform for SAP provided immediate value for the automobile manufacturer. 


“Before Onapsis, we had baseline operational and security controls for our SAP applications,” said Director, SAP Center of Excellence at the manufacturer. “Now after implementing The Onapsis Platform, we have an enhanced level of visibility that allows us to proactively manage potential risks to the stability, integrity and performance of the applications we rely on to run our core business operations. It is truly a case where cybersecurity has enhanced the resiliency and stability of our business operations.” 

“Onapsis is a true partner to us,” continued the Director. “We count on the Onapsis Research Labs to alert us to the latest critical vulnerabilities and rely on The Onapsis Platform to automate SAP risk management practices. Our teams now communicate more effectively and Onapsis has become an integral part of our overall cybersecurity strategy.”

Global advertising company saves time and money migrating to SAP HANA with Onapsis

/in /by
Speak to Us
Industry – Advertising 
Company Size – 54k+ employees, >$9B revenue

Background

Like many large companies, this multi-national global advertising company relies on SAP as a key component of its business. Their SAP implementation processes $6.0 billion dollars a year, has 30,000+ users across 20 countries and is used for almost every function including finance, operations, reporting and analytics. 

Challenge

Migrate SAP ECC to HANA while ensuring security and compliance.

Solution

The Onapsis Platform enabled the firm to complete migration one year ahead of schedule due to stable, tested applications, while strengthening security and compliance.

As a company that appeals to marketing and advertising professionals, this company wanted to be ahead of the curve, so they launched a business digital transformation project with a goal of creating shared service centers on a global instance of SAP HANA. 

The champion for this project was the Vice President of Global SAP who is responsible for the uptime, performance and security of the key data and processes that are part of the SAP implementation. He was faced with the problem of moving critical data into SAP HANA and not being able to address key SAP security risks with the generic security products that the organization currently used, as none of these looked at SAP specifically. 

In 2017, the vice president turned to Onapsis to address this challenge after researching organizations that are experts in business-critical application security. With The Onapsis Platform the company was able to migrate and upgrade applications in a phased approach, ensuring each phase was secure and stable before moving on to the next. This saved them significant resource time and budget as the program was able to move forward quickly after each new application or environment was tested and proven stable by Onapsis.

  • Scanned and remediated vulnerabilities quickly
  • Improved developer skills
  • Accelerated development
  • Ensured all code meets security and compliance requirements

“We could have waited to implement security after the migration, but it would have been too expensive. We were better off doing it as part of our ‘build’. As a result of our investment in the Onapsis Platform, we were able to decrease the project timeline and significantly reduce our estimated budget. A project that was originally scoped to be completed in 2020 finished a year early.

VICE PRESIDENT OF GLOBAL SAP, MULTI-NATIONAL ADVERTISING FIRM

Results

Additionally, many SAP BASIS and security teams face an overwhelming amount of security notes from SAP, making it difficult to prioritize and configure their landscapes to ensure security. SAP BASIS and security professionals are challenged with the balance of system uptime and security and could not address this with built-in tools available from SAP. With Onapsis, both teams were able to understand each of their organization’s missing security notes as well as the business impact, helping them prioritize implementation. 

As a result of working with Onapsis, the firm was able to see immediate success with the product and significant cost savings in their transformation project. If companies are not addressing SAP security they are running a big risk to their business, especially when considering the sizeable investment they’ve already made in SAP.

Speak to Us

Sitemap  | Terms of Use | Privacy Policy   |  Quality Policy  |  Disclosure PolicySecurity Vulnerability Reporting Guidelines |  ©2025 Onapsis  |  All rights reserved