Onapsis Control for Code
DownloadExtend DevSecOps to SAP applications with the ability to perform dynamic, static, and interactive analysis to detect more security issues earlier in the development cycle with Onapsis Control for Code. Step-by-step remediation instructions and integrations with developer tools accelerate time to vulnerability identification and remediation.
Business-critical SAP applications are top attack targets for threat actors and an increasing area of concern for enterprises. However, many organizations struggle to build successful SAP testing programs due to inadequate tools that don’t sufficiently support components, languages, and frameworks unique to SAP. Further, these tools frequently don’t integrate with SAP development and change management environments. Consequently, most organizations revert to manual security testing. However, this can’t be the practical answer, as manual reviews take too much time and are prone to human error. Consider that the average SAP application contains over 2 million lines of custom code.¹
The accelerated pace of digital transformation projects, such as SAP S/4HANA migrations and RISE with SAP, puts increased pressure on all teams involved in the application development cycle. It forces teams to attempt balancing speed and security…with security frequently tabled in order to meet abbreviated project timelines. Tight development cycles lead to the use of third-party code libraries and developers. However, with little visibility here as well, organizations are forced into doing a greater number of manual reviews (if any at all, sadly) to stop the introduction of new security issues. Preventing critical issues from getting into production systems is imperative. This is why the ability to perform multiple types of testing across the development lifecycle for your SAP custom applications is important. It is critical to test for and discover errors earlier in development when they’re easier and cheaper to fix.
Onapsis Control for Code directly addresses these challenges, providing application security testing through automated review of custom SAP code and one-click fix remediation for common code errors. Recognized in the Gartner Magic Quadrant for Application Security Testing three years in a row, our automated assessments, integrations with SAP development environments and change management, and step-by-step remediation instructions all empower teams to help them rapidly identify and fix issues before they negatively impact critical production environments and business continuity.
“Onapsis helps us address security code and compliance issues and avoid costly rework and manual analysis.”
– Security Architecture Manager, Fortune 100 Chemical Company
How Onapsis Control for Code Works
Onapsis Control for Code works by scanning systems and inspecting code directly within development environments or code repositories. With a large focus on vulnerable and insecure code, Control for Code leverages extensive test cases across multiple domains based on the best practices and in-depth security analysis and research of SAP applications from the Onapsis Research Labs. Millions of lines of code can be automatically scanned in minutes, and remediation guidance is provided to keep pace with accelerated development cycles. Control for Code identifies vulnerabilities including incomplete or erroneous code, and the testing also enables continuous progress checks during code development. One-click fix functionality enables bulk code scans that identify and automate remediation for the most common code errors with a single click.
Security And Compliance
Onapsis’ highest priority is the security of our software and the confidentiality, integrity, and availability of customer information as it flows through that software. We embed the strongest possible security measures into our software development life cycle (SDLC) and into the operating system, database, web security, and logging layers of our products. Onapsis contracts with accredited, third-party auditing companies who have audited our SDLC process, and we have the following certifications: ISO 9001, ISO 20243:2018, ISO 27001:2013, SOC 1 Type 1/2, SOC 2 Type 1/2, and Veracode Verified Program. Our product design and development requirements follow the OWASP ASVA v4 framework or other industry standard guidelines.
Onapsis Professional Services
Achieve your business objectives at every stage of your journey. Onapsis’ comprehensive professional services offerings target:
Implementation: A paired delivery approach to accelerate time-to-value
Education: Knowledge for teams to successfully operate our platform
Optimization: Enable continuous improvement and alignment to business needs
Administration: Alleviate resource constraints
Onapsis Research Labs
The award-winning Onapsis Research Labs is a team of cybersecurity experts who combine in-depth knowledge and experience to deliver security insights and threat intel affecting mission critical applications from SAP, Oracle, and SaaS providers. They have discovered over 1,000 zero-day vulnerabilities and multiple critical global CERT alerts have been based on their novel research. Onapsis automatically updates its products with the latest threat intelligence and other security guidance from the Onapsis Research Labs. This provides customers with advanced notification on critical issues, comprehensive coverage, improved configurations and pre-patch protection ahead of scheduled vendor updates.
Licensing
Onapsis Control for Code is licensed as an annual subscription based on the number of target systems. Subscription includes access to all updates available for the respective software license, technical support, and a dedicated account manager.
Expand and enhance your Control for Code deployment with additional premium capabilities:
- On Change Control: Licensed as an annual subscription based on the number of target systems, it provides a detailed security scanning and approval framework for change management that integrates with SAP CHaRM. It offers a single view of detailed security scans, approvals, and notes related to system changes in addition to enabling automatic notifications to improve workflows.
- Control for Transports: Licensed as an annual subscription based on the number of target systems, it provides the ability to check development objects, system settings, application configuration, and data within SAP transports for vulnerabilities. Step-by-step remediation instructions identify flawed transport requests and help prevent costly production errors as well as reduce the risk of system downtime.
- One-Click Fix Premium: Licensed as an annual subscription based on the number of target systems, it upgrades the included One-Click Fix feature to provide automated correction for up to 80% of the most common code errors for ABAP applications. Drastically reduce manual code review cycles by automatically replacing incorrect code with corrected lines of code. Run simulations prior to import to better understand the potential impact of newly written code on production systems.
The Onapsis Platform
Onapsis Control is one-third of the Onapsis Platform. The Platform provides complete attack surface management for ERP landscapes, focused on business-critical application security that directly target interconnected risk – vulnerability management, threat monitoring, compliance automation, and application security testing.
Onapsis is proud to be an Oracle partner and the only application security and compliance platform invited to the SAP Endorsed Apps Program.
Table 1: Onapsis Control for Code Features and Benefits
| Description | Benefits |
| Out-of-the-Box Custom Code Scans | Save time by scanning millions of lines of code in minutes for ABAP, Fiori, and HANA Native applications Scans performed for HANA Native include code languages such as SAPUI5, SQLScript, CDS, XSJS, and Node.js. Scans performed for Fiori include code languages such as ABAP and SAPUI5. New ABAP syntax is supported as well as older objects such as SAP LSMW. |
| Multi-layered Scan Engine | Multiple scanners run in parallel with hundreds of automated, predefined test cases across a wide swath of use cases. Prioritize code issues based on probability and impact to accelerate your time-to-resolution. |
| SAST (Static Analysis) | Based on patented global data and control flow analysis |
| DAST (Dynamic Analysis) | Identifies vulnerabilities that are not part of the expected result set including incomplete/erroneous code |
| IAST (Interactive Analysis) | Continuous process custom-built to check code in SAP development environments against analysis engine for processing in a runtime environment |
| Broad Set of Predefined Test Cases Across Multiple Domains | Hundreds of test cases are available out of the box and maintained by the SAP security experts at Onapsis. Test case domains include but are not limited to security, compliance, data loss prevention, code performance, robustness, and maintainability. |
| Onapsis Global Data and Control Flow Analysis | Onapsis’ patented analysis capabilities deliver more accurate detection and significantly lower rates of false positives for code issues, saving valuable time and resources for application development teams. |
| Deep, Broad Support for SAP Integrated Development Environments (IDEs) | Use Control wherever you currently develop applications, including support for SAP ABAP Development Workbench, Eclipse, HANA Studio, SAP WebIDE, Visual Studio Code, and Business Application Studio development platforms. |
| CI/CD Tool Support for Automated Development | Develop where you want with plugins available for CI/CD tools such as Microsoft Azure Pipelines and Jenkins. An Onapsis API is available for additional extensibility. |
| One-Click Fix Bulk Code Correction | Scans millions of lines of code in minutes to provide automatic corrections for the most common errors seen by Onapsis experts in SAP application development, providing significant time savings. |
| Quick Scan Error Check | Alerts developer to code errors while typing for immediate correction. |
| SAP Application Workflow Integrations | Seamless integration with SAP ATC Cockpit, SAP CHaRM (Change Request System), and SAP TMS (Transport Management System) for increased productivity. |
| Leading Third-Party Vendor Integrations | Seamless integrations with workflow management tools from Rev-Trac and Basis Technologies enable DevSecOps for SAP application development. |
| Premium Add-on License: Control for Transports | Enables the scanning of SAP transports for objects and data vulnerabilities to identify, block, and mitigate bad transports prior to production import |
| Premium Add-on License: On Change Control | Empowers teams by integrating automated workflows, gates, communication, and detailed code and transport scans into SAP CHaRM |
| Premium Add-on License: One Click Fix Premium | Automatically corrects up to 80% of the most common code development errors with a single click |
Table 2: Onapsis Control for Code Components and Description
| Technology Component and Description | Details |
| Central System: Collects communication event data from all systems. The Cockpit is used to run scans, and Finding Manager is used to view results. | Can be a separate SAP system or part of an existing SAP system |
| Scanning System: The system is where the actual code scanning is performed by the Onapsis multilayered scan engine. | Hardware Requirements: CPU: Quad-Core or 2x Dual-CoreHD: 7 GB RAM: 4 GB Supported Operating Systems:Linux: 64-bit SUSE Linux Enterprise Server 11, 12, 15; 64-bit Red Hat Enterprise Linux 5, 6, 7, 8Windows: Windows Server R2 x64: 2003, 2008, 2012, 2016 Additional Requirements: .NET Framework 4.0 and higher |
| SAP Systems Supported | ABAP Foundation on HANA (any version)SAP S/4HANA Foundation (any version)SAP S/4HANA 1709,1809,1909, 2020, 2021, 2022SAP/BW for HANA (any version)SAP NetWeaver 7.00 SP27 or higher, 7.01 SP12 or higher, 7.02 SP12 or higher, 7.31 SP05 or higher, 7.40, 7.50, 7.51, 7.52 |
| Central System: Collects communication event data from all systems. The Cockpit is used to run scans, and Finding Manager is used to view results. | Can be a separate SAP system or part of an existing SAP system |
¹ SAP® ABAP Code Quality Benchmark E-book