Application Security: Expert Tips from Onapsis CTO JP Perez-Etchegoyen
This article was originally published in Safety Detectives.
Nowadays applications are increasingly becoming available in the cloud and start facing the additional security risks that are associated with always-on available-from-anywhere cloud applications, which is why application security testing has become crucial for companies of all sizes that want to avoid data breaches and at least the most common cyber threats.
This is particularly important for business-critical applications that must keep working continuously to make sure that all business operations keep running without interruptions.
In this interview, you will find tips for application security by JP Perez-Etchegoyen, CTO and Cofounder of Onapsis, a firm providing cybersecurity solutions to 20% of Fortune 100 companies around the world.
Read on to learn how to better protect your business-critical data, and how The Onapsis Platform and Onapsis Research Labs can help you with application security.
Describe the story behind Onapsis: How did it all start, and how has it evolved so far?
Onapsis’ founder and CEO, Mariano Nunez, began his career as a professional ethical hacker for a well-known security researcher in Argentina. A customer had hired him to break into their applications and discover security vulnerabilities before threat actors could. Mariano was testing the applications when he noticed they were running on SAP, one of the most critical business applications that power the global economy, and identified highly critical vulnerabilities. Mariano soon realized that the security community had neglected SAP vulnerabilities and he had been the first person to discover and research them. Mariano identified a great market opportunity to secure the world’s most mission-critical applications and thus, he founded Onapsis.
Since Onapsis was brought to fruition in 2009, enterprises around the globe have been significantly expanding the use of the platform to gain visibility, threat intelligence, and efficiencies to secure cloud, hybrid, and on-premises business-critical applications. Onapsis is now protecting critical data for more than 300 global businesses, including 20% of the Fortune 100, and has grown 187% over the past three years.
Can you tell us a little bit about The Onapsis Platform? What are its key features?
Onapsis is the only vulnerability management and application security product on the market that caters directly to business-critical applications running on SAP, Oracle, and Salesforce. The Onapsis Platform includes five products: Assess, Defend, Comply, Control for Code, and Control for Transports.
These products have the ability to manage vulnerabilities, detect and respond to threats, test application security, and automate compliance. With the features that our platform provides, businesses leveraging critical applications are able to identify and mitigate threats and tend to vulnerabilities in little time and with little effort due to the seamless automation of these routine tasks.
We are constantly updating and enhancing The Onapsis Platform as the industry evolves. A few months ago, we expanded the platform with two new additions: In May, we announced a new offering, called Onapsis Assess Baseline, that accelerates enterprises’ abilities to kickstart their SAP vulnerability management programs. In June, we announced enhanced information security solutions for our Defend and Assess products, including a new Network Detection Rule Pack for Onapsis Defend and increased support for the Onapsis SaaS platform and SAP SuccessFactors, a cloud-based human capital management (HCM) solution.
And what’s the role of The Onapsis Research Labs?
Onapsis Research Labs is constantly tracking, identifying, and defending against cyber threats that are emerging by the hour. The research team, composed of cybersecurity experts, shares advisories, publications, and threat reports to help customers secure their business-critical applications against emerging threats, all while making improvements to The Onapsis Platform to increase product quality. Onapsis Research Labs has discovered over 800 zero-day vulnerabilities, and many of the critical findings led to global CERT alerts. In February of this year, the efforts of Onapsis Research Labs led to the discovery of three critical network-exploitable vulnerabilities within Internet Communication Manager, a core component of SAP business applications, which have since been patched by SAP. Onapsis customers were protected through updates directly in The Onapsis Platform. Additionally, Onapsis released a free scanning tool for customers to leverage to determine if their SAP applications are vulnerable to the newly discovered vulnerabilities.
What is your process for application security testing?
Onapsis provides automated security testing that is developed specifically for SAP applications. Organizations can incorporate our solution into their SAP development processes to quickly identify errors before they reach production or have the ability to impact application security, compliance, availability, or performance. The Onapsis Platform enables them to examine third-party or internal custom code and transports throughout their application development lifecycle to make sure additional risks aren’t introduced to their mission-critical systems.
Can you share your application security best practices?
When it comes to business-critical application security, there are a couple of best practices IT teams should follow to ensure their crown jewels are protected from sophisticated threat actors:
Patch management: Although vulnerabilities are often prime targets for cybercriminals, organizations significantly fall behind in keeping up with patch management. In fact, research conducted by Onapsis, SAP, and CISA revealed that the patch gap from the time a vulnerability is discovered to the time a patch is applied, tested, and fully implemented is 97 days. However, the same research showed that critical SAP flaws have been weaponized within 72 hours or less of a patch release. It’s essential that security teams have a comprehensive record of all vulnerabilities within their IT ecosystem and deploy patches immediately upon release to minimize their attack surface as best as they can.
Vulnerabilities in custom code: Enterprises leverage custom code to conform their current business process and capabilities to their mission-critical applications. However, custom code statements are highly susceptible to vulnerabilities. Enterprises can solve for custom code bugs by leveraging automated solutions to quickly scan and examine countless lines of code, identify any hidden vulnerabilities, and fix them immediately.
What cybersecurity trends do you think will be crucial in the near future?
We have witnessed enough disruptive attacks in the past couple of years (such as the Colonial Pipeline, Log4j, and Kaseya ransomware attacks) to know that even with strong security mitigations in place, threat actors still have the tools and sophistication to strike against business-critical systems. Organizations will begin realizing the importance of creating thorough incident response playbooks that outline potential cyberattack scenarios with highly detailed remediation plans. By proactively determining a set plan for various types of cyber incidents, enterprises will have a clear understanding of how to respond and their business processes will continue without as much disruption.
Organizations that want to bring cybersecurity down to earth with clear tactics can leverage cybersecurity frameworks such as the NIST Cybersecurity Framework, which can help organizations put structure on what steps are necessary to implement cybersecurity in an organization.
Lastly, what are the plans for the future of Onapsis?
Through continuous research and actionable Threat Intelligence, Onapsis will keep driving security for organizations that depend on business-critical applications to operate their business. Additionally, by partnering with SAP and Oracle on the research for critical vulnerabilities and threats, Onapsis continues to help organizations address some of the most critical vulnerabilities. All of this knowledge is mapped into The Onapsis Platform to automate the security of business applications.
Further Reading
- SAP Patch Day: Onapsis Research Labs regularly contributes to SAP Security Notes and releases our analysis every Patch Tuesday.
- Whitepaper: Mitigating the Threat of Ransomware to Business-Critical SAP Applications
- Whitepaper: 5 Reasons Why You Need Vulnerability Management for Business-Critical Applications