Onapsis Control for Transports

Complete transport security testing for SAP with the ability to check development objects, system settings, application configuration, and data within transports. Step-by-step remediation instructions and integrations with development and change management tools identify flawed transport requests. This prevents system downtime and damage to systems (including associated costs) from erroneous imports into production.

Building security into development cycles for business-critical SAP applications is increasingly important. Organizations continue to ‘shift left’ and insert security earlier into the application development process. Since SAP applications are top attack targets for threat actors, the mechanisms for importing changes into their production systems – SAP transports – must be evaluated for risk. However, many organizations struggle with this due to the large number of objects, settings, and tables that transports contain and the lack of effective and targeted security tools. Many organizations subsequently revert to less-than-practical manual testing, which introduces new challenges due to the time-consuming and error-prone nature of manual review.

Additionally, accelerated timelines for digital transformation projects, such as SAP S/4HANA migrations and RISE with SAP, put increased pressure on all teams involved in the application development cycle. But speed must be balanced with security. Preventing critical issues from getting into production systems is imperative since there is no way to roll back a change made once an SAP transport is delivered into production – you can only build a new transport. Production errors can have a significant impact on the business if left uncorrected. Even if errors are identified, building a new transport to repair the damage is time-consuming and unnecessarily repetitive, leading to project delays and cost overruns.

Onapsis Control for Transports directly addresses these challenges, giving you control over your transports by analyzing them for harmful objects and preventing import errors that can result in system downtime. Automatic blocking of bad transports and actionable remediation enable development teams to fix issues before there’s an impact on a production system’s performance, security, and compliance.

“Onapsis helps us address two of the biggest trouble areas—custom code and transports. A third-party solution for analyzing these that integrates into SAP ChaRM allows us to get things right the first time and avoid costly rework and manual analyses.”

– Security Architecture Manager | Fortune 100 Chemical Company

How Control for Transports Works

Onapsis Control for Transports works with transport management systems, the mechanisms for importing new code and data changes to SAP production systems. Because it can be difficult to determine if a modification could adversely affect a system until it is in production, Control for Transports can check transport requests for changes prior to import, including checks for changes in development objects, system settings, application configuration, and application data. Control for Transports leverages extensive test cases based on threat research from the Onapsis Research Labs. Transports and third-party updates are inspected prior to import and detailed remediation guidance is provided. Transports can also be blocked prior to import to prevent system risk.

Security and Compliance

Onapsis’ highest priority is the security of our software and the confidentiality, integrity, and availability of customer information as it flows through that software. We embed the strongest possible security measures into our software development life cycle (SDLC) and into the operating system, database, web security, and logging layers of our products. Onapsis contracts with accredited third-party auditing companies who have audited our SDLC process, and we have the following certifications: ISO 9001, ISO 20243:2018, ISO 27001:2013, SOC 1 Type 1/2, SOC 2 Type 1/2, and Veracode Verified Program. Our product design and development requirements follow the OWASP ASVS v4 framework or other industry standard guidelines.

Licensing

Onapsis Control for Transports is licensed as an annual subscription based on the number of target systems. Subscription includes access to all updates available for the respective software license, technical support, and a dedicated account manager.

The Onapsis Platform

Onapsis Control for Transports is part of the Onapsis Platform. The Platform focuses on four pillars of business-critical application security that directly target interconnected risk – vulnerability management, threat monitoring, compliance automation, and application security testing.

Onapsis Professional Services

Achieve your business objectives at every stage of your journey. Onapsis’ comprehensive professional services offerings target:

Implementation: A paired delivery approach to accelerate time-to-value
Education: Knowledge for teams to successfully operate our platform
Optimization: Enable continuous improvement and alignment to business needs
Administration: Alleviate resource constraints

Table 1: Onapsis Control for Transports Features And Benefits

| Description | Benefits |
| --- | --- |
| Comprehensive Transport Scan Engine | Scan transports in seconds to validate them for completeness, security, consistency, and changes to critical data prior to importing into production. Scan development objects, system settings, application configuration, and data. |
| Flexible Deployment Options | Can be deployed to inspect transport requests individually or with centralized bulk security evaluations of full transport directories |
| Broad Library of Transport Test Cases | Hundreds of test cases are available out-of-the-box and incorporate the latest threat intelligence from the Onapsis Research Labs. Test case domains include but are not limited to security, compliance, data loss prevention, robustness, and maintainability. |
| Full Transport Risk Analysis | Pair with Control for Code to scan both the code and the transport construction itself for errors, threats, and vulnerabilities prior to release into production. Simulate the effect of transports prior to import. Block bad transports from entering production, preventing critical system downtime and production issues. |
| Transport Threat Detection | Continuously monitor released transports in the transport directory and automatically receive notification if they contain suspicious content |
| SAP Workflow Integrations | Seamless integration with SAP ChaRM (Change Request System) and SAP TMS (Transport Management System) |
| Leading Third-Party Vendor Integrations | Seamless integrations with workflow management tools from Rev-Trac and Basis Technologies enable transport inspection for SAP application development. |

Table 2: Onapsis Control Technology Components and Description

| Technology Component & Description | Details |
| --- | --- |
| Central System: Collects communication event and transport data from all systems. The Cockpit is used to run transport scans, and Finding Manager is used to view results. | Can be a separate SAP system or part of an existing SAP system |
| Source Systems: Development and QA Systems that send the transport request to be checked by the Central System. The transport request is also checked prior to import into production. | Existing SAP system environment |
| SAP Systems Supported | SAP S/4HANA 1709, 1809, 1909, 2020, 2021, 2022 (and further releases); SAP S/4HANA Cloud Extended Edition (EX); SAP NetWeaver 7.00 or higher |