Business-critical applications like SAP, Oracle, and Salesforce are at the center of the global economy, used by 92% of the Global 2000 and touching 77% of the world’s revenue. But, despite their importance, these applications fall outside the scope of most traditional and holistic security solutions. The Onapsis Research Labs is dedicated to researching these security challenges, discovering over 800 zero-day vulnerabilities in business-critical applications and supporting six U.S. Department of Homeland Security alerts to date.
Meet one of the minds behind our threat research. Get to know Ignacio Favro, a vulnerability security researcher in Onapsis Research Labs.
How did you get started in offensive security?
Offensive security is basically a deep understanding of how things do what they do and then trying to modify the default or expected behavior. Growing up, I was always curious about how things work. As a kid, I always took my toys apart, just to see the mechanism that made them work - especially electronic ones. Before joining Onapsis, I was involved in some academic research projects related to cybersecurity, specifically network and infrastructure security. During my free time, I would try to understand more about application security; this gave me a lot of background knowledge that helps me in my daily work and has allowed me to get involved with people from different security communities. Getting into offensive security was based on my natural curiosity to understand how things work.
What brought you to Onapsis?
I found Onapsis through Pablo Artuso, my current teammate. Three years ago, he was speaking about the broad methodologies and techniques that the Onapsis Research Labs were applying to research and it sounded really interesting. At that time, I was doing research part time, and I knew that’s what I wanted to do. Onapsis seemed like the perfect place to start my research career.
What does a typical day/week look like?
The research process begins with trying to understand what a piece of software should do in a normal situation, reading manuals or documentation, and interacting with the target. Next, I plan some tasks and ideas to explore, going deep with communication protocol code analysis, trying to figure out what could go wrong if something was missing. Usually we need to create our own unique tools to help us during the process, like scripts to create complex payloads or network packet dissectors, to name a few. It’s imperative to write down all of our explored paths and findings that could lead to new ideas or hypotheses. Every day is a little different; there is always a new path to discover, learn or analyze, working alongside great people.
Tell us the process of how Onapsis Research Labs finds and reports vulnerabilities.
Finding a vulnerability requires perseverance. Nothing is perfect; everything has a flaw. Finding vulnerabilities is a step-by-step and well-documented process. Our objective is to understand the internal process of a piece of software and increase the knowledge base. Reporting vulnerabilities is an interesting process that requires you to be able to pack and recap all of the information that led you to the security flaw, so that the vendor can reproduce your findings. Sometimes, this isn’t an easy task, because some steps can be non-deterministic or require a highly specific scenario.
How does the research team partner with SAP, Oracle and government entities?
Onapsis Research Labs is continuously evaluating the security of a variety of different products, always trying to identify critical threats and vulnerabilities that could affect organizations. When the team finds a potential issue, we follow our responsible disclosure process, where the issue is reported to the vendor. In a collaborative and iterative approach, Onapsis helps with any additional information the vendor needs while it creates the security patch and addresses the security risk.
Onapsis has also worked with global entities such as CERTs (Computer Emergency Response Teams) from different regions of the world to help raise awareness about how important it is to secure business-critical systems. Our research shows that threat actors have the capabilities and knowledge to attack business-critical applications and are doing so faster than ever. Through global alerts, Onapsis has been able to alert organizations by releasing multiple threat reports addressing activity seen in the wild.
Why does this type of research matter?
Onapsis was founded over a decade ago when we realized that the world’s most critical enterprise resources were being overlooked. These applications are at the center of the global economy, used by 92% of the Global 2000 and touching 77% of the world’s revenue, but have been neglected by most of the security community. The findings from Onapsis Research Labs are the foundation of The Onapsis Platform. Onapsis is the only business-critical application security company that automatically updates our products with the latest threat intelligence and security guidance from a dedicated security research team. In addition, we also provide on-site training on topics such as pentesting and securing SAP, work alongside organizations with professional services, and publish advisories and tools for critical talks.
What findings have surprised you the most?
I’ve participated in a lot of interesting research projects with all kinds of findings. Over the years, the overall quality of the software we audit has greatly improved, making our work every year a bit more challenging and interesting. But, from time to time, I’m able to find a very simple or well-known bug. These types of unexpected findings surprise me the most.
Who should care about the research you do and why?
Every company with a business-critical application. We work on really heterogeneous applications and apply a lot of different techniques and methodologies. As a result, our work improves the security of many widely used software products - not only helping organizations fix vulnerabilities or misconfigurations but also sharing our knowledge and threat intelligence.
Was there any research project at Onapsis that was especially interesting or meaningful to you?
Cluster Manager P2P communication was the most interesting one for me and also led to the release of SAP Security Note #2974774, rated as a Hot News Note by SAP. That research project required me to learn a lot about different technologies and combine several procedures like reverse engineering, network traffic analysis, and developing scaffolding tools. It was a long project, but it was a great team effort by Onapsis Research Labs. My team was a great support during the research.
Cyber Tech Talk Features: The Onapsis Research Labs
Watch this webinar to learn more about the latest threat intelligence and receive security guidance from the Onapsis Research Labs, which will keep you ahead of ever-evolving cybersecurity threats. We will cover:
Recent research on vulnerability findings such as ICMAD and HTTP Smuggling
An overview of how to keep your SAP business-critical applications secure
Threat intelligence on the cybersecurity attack trends observed in the wild
Security guidance and best practices from the leading team of researchers