Press Release

Onapsis Launches Private Beta of Virtual SAP Security Patching Functionality

New capabilities for Onapsis Security Platform (OSP) to provide immediate protection against exploitable vulnerabilities found in SAP applications both on premise and in the cloud

Boston, MA – May 5, 2016 – Onapsis, the global experts in business-critical application security, today announced the official launch of its new virtual patching functionality to provide organizations with immediate protection from exploitable SAP-specific vulnerabilities. The new functionality is currently in private beta for select customers and development partners and will be made generally available in the Onapsis Security Platform (OSP) later in 2016.

Organizations rely on SAP to run critical business processes and to provide vital services to partners, suppliers and customers. If these systems are not properly managed and secured, an attacker could exploit a vulnerability or misconfiguration within SAP to gain access to mission-critical information including customer data, product pricing, financial statements, employee information, supply chains, business intelligence, budgeting, planning and forecasting.

“While SAP applications have always been a high value target for cybercriminals, Information Security teams have not been able to dedicate the time to understand the intricacies of SAP. Conversely, SAP BASIS teams are not provided the time to properly review and plan for implementing the SAP security patches that are released every month; meaning they have to ignore security updates and focus on business functionality changes to SAP applications. This results in many SAP implementations being exposed to both known vulnerabilities and insider threats,” said Alex Horan, Director of Product Management at Onapsis.

According to the Onapsis Research Labs study titled “Top Three Cyber Attack Vectors for SAP Systems,” it was detected that companies have protracted patching windows averaging 18 months or more. In 2015 alone, over 200 security patches were released by SAP, many of which were ranked “high priority.”

With Onapsis’ new capabilities, virtual SAP security patches can be applied to systems as soon as the Onapsis Security Platform identifies new cybersecurity risks and compliance violations. Further, customers subscribing to the OSP Advanced Threat Protection (ATP) service will be protected from SAP zero-day vulnerabilities discovered by the Onapsis Research Labs, gaining exclusive protection against advanced threats.

Onapsis is partnering with several leading Next Generation Intrusion Prevention System providers. Those providers are able to protect the underlying operating systems and databases running and supporting SAP applications, but are unable to provide protection for customized applications such as SAP. “What is really important to stress is that SAP applications themselves are highly customized by every enterprise to ensure that they provide the interoperability that precisely fits that enterprise. As a result of this customization, there is no standard ruleset that could be applied to SAP when monitoring for, and ultimately protecting against. attacks on existing misconfigurations within systems,” continued Horan. “Using our patented, SAP-Certified solution and partnering with best in breed IPS vendors, only Onapsis has the specialized knowledge necessary to provide this next step in protection for SAP applications.

Onapsis Virtual Patching provides the ability to:

  • Immediately apply virtual security patches when critical risks are found

  • Apply virtual security patches in a staggered manner, only applying the patches against connections from untrusted networks
  • Increase ROI on existing IT and security investments
  • Protect business critical applications and processes
  • Save time and reduce costs when compared to manual patching
  • Minimize exposure window to new risks and zero-day vulnerabilities
  • Minimize the risk of service disruption from failed manual patches
  • Streamline SAP Cloud providers security operations

On Thursday, May 26th, Onapsis will host a webcast to further discuss this functionality. For more information or to register please visit:

About Onapsis

Onapsis provides the most comprehensive solutions for securing SAP and Oracle business-critical applications. As the leading experts in SAP and Oracle cybersecurity, Onapsis enables security and audit teams to have visibility, confidence and control of advanced threats, cyber risks and compliance gaps affecting their enterprise applications.

Headquartered in Boston, Onapsis serves over 200 global customers including many of the Global 2000. Onapsis’ solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, IBM, Deloitte, E&Y, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform (OSP), which is the most widely used SAP-certified cybersecurity solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs™, which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyberattacks and have uncovered and helped fix hundreds of security vulnerabilities to date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.

For more information, please visit, or connect with us on Twitter, Google+, or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.