2015 Onapsis Roadshow – Coming to a City Near You!

Today is an important day in Onapsis history. We’re officially kicking off the first annual Onapsis Roadshow series in North America. We have seen rapid growth in customers engaging Onapsis for our expertise in SAP cyber-security solutions. With a growing number of customers leveraging our solutions, now is the time for us to bring our customers together in order to share best practices and build out their networks to make the most out of their investment with Onapsis.

To execute these roadshows, we’re collaborating with customers and partners who will host each one of our stops across the country. The following destinations are currently scheduled:

The Onapsis Roadshow series are events that we have specifically designed for security practitioners to foster collaboration with InfoSec and SAP security industry professionals. Attendees will have the opportunity to hear directly from their peers about security challenges that have affected their organization’s business-critical application security, and will gain insight into how those issues were overcome and what can be expected in the future.

These events are tailored to all professionals that have a direct impact on their organization’s security infrastructure, including Directors and Vice Presidents of Security, CISOs, and members of Internal Audit and SAP Security teams.

All attendees will learn how SAP is becoming a critical component of all security and internal audit best practices, hear presentations on SAP Security implementation strategies and key lessons learned, network with other security professionals, and establish contacts for future collaboration.

A vibrant community is the only way to make each other successful. We are looking forward to seeing all of our customers and partners, as two-way conversations will allow us to continue creating innovative products for our customers, and with the input of our customers.

We look forward to seeing you in a city near you!


2014 – The Year of Milestones

As we enter the New Year, there is a lot to look back on that has gotten Onapsis to where it is today.

Mariano Nunez, CEO and co-Founder of Onapsis

The security industry has never been more complex, and as the need for reliable business-critical application security solutions increases, Fortune 500 companies are looking for a reliable solution they can trust to protect their processes and data running on SAP. In 2014, Onapsis established itself as the de facto solution to solve the most pressing SAP security and compliance challenges. After receiving funding in June from .406 Ventures and Endeavor, we have been able to double down on our investment in R&D to enhance our product offerings and launch the Onapsis Security Platform. We were also able to expand our global sales and marketing efforts to drive rapid growth. Fast forward 6 months later and we are well positioned and ready to see what 2015 has in store for the Onapsis team and the market we serve!



Welcome to the New Onapsis

I’m pleased to announce that today we’ve launched both a new product, a re-design of our website and ultimately – a new brand. This is a very exciting day for Onapsis!

Detection Dashboard

After having great success with the Onapsis X1 product, we worked closely with our customers and partners over the last several years to produce this next-generation platform. Combining the unique knowledge and outstanding dedication of our researchers and engineers with the expertise of our product management team, we are confident that we’re delivering not only exactly what our customers and partners require, but the most advanced business-critical application security solution on the market.

Our new product, Onapsis Security Platform, is the first SAP-certified solution that combines a preventative, behavioral-based and context-aware detective approach for identifying and mitigating security risks, compliance gaps and cyber-attacks on business-critical applications. These applications include ERP, CRM, HCM, SCM, SRM and BI solutions.

Our new Platform is able to deliver continuous monitoring, real-time visibility and protection for SAP applications, providing coverage across SAP NetWeaver ABAP, J2EE, HANA, Mobile and BusinessObjects platforms. It also provides compliance gap analysis, automates the security audit process for SAP applications and is able to generate alarms to close windows of vulnerability, as detection and response actions are automatically triggered, including both alerting and real-time mitigation capabilities.

One thing we’ve heard from our customers was to integrate our capabilities with their existing network security, security management and SIEM solutions and workflows. And we always listened. The new platform is not intended to have CISOs, Compliance and SAP teams worry about “yet another platform to manage”, but to serve as the vehicle to seamlessly incorporate business-critical applications security running on SAP into their existing Risk Management, Audit and Incident Response initiatives.

We are so happy to see the launch of this product and look forward to continue developing solutions to ensure our customer’s success, solving their existing and upcoming challenges.

I welcome you to read more about our new platform and look forward to hearing from all of you with continued feedback that will help guide our technology roadmap:

Best regards,



Securing SAP Mobile Platforms: Beyond the Device

Mobile security is definitely a hot topic in our industry. However, it’s quite hard to find people talking about mobile security beyond managing/securing the device itself. Most industry solutions are focused on deploying a secure BYOD strategy and ensuring the devices cannot be exploited with malware.

While this approach is highly important, I have found it difficult to find solutions that actually look at the security of the backend servers that are used by such mobile devices. These servers vary from simple Apache, IIS or Tomcat application servers with Web mobile apps to highly proprietary components.

If your company is using SAP mobile applications on your employees’ tablets or smartphones, then you have SAP servers exposed to the Internet to serve such devices, which already puts them in a riskier situation (see the discussion of internal threats in the previous post). With 6000+ customers already using them and being one of the fastest-growing product lines for SAP AG, it’s highly likely that you are or soon will be empowering your users with SAP-branded apps.

In this scenario, an attacker only needs to perform an external scan to discover such components, and – be sure about it – he is not limited to the functionality that the SAP mobile app is providing your users. He can interface with such SAP servers with a variety of attack tools and try to exploit vulnerabilities in them. The result? He may be able to compromise your entire SAP infrastructure, remotely over the Internet.

This was a growing concern among many of our leading customers, and I’m glad to announce that we responded quickly: Onapsis X1 is now the first and only product in the market equipped to detect and assess vulnerabilities affecting SAP Mobile Platforms (Sybase Unwired Platforms), SAP NetWeaver Gateway and SAP Fiori apps.

We are going to be showcasing this new version at booth #231 during the Black Hat Conference this month in Las Vegas as well as hosting a 2 day SAP Security In-Depth training.

Remember that your mobile apps are probably connecting to a backend system in your network. If it’s SAP, we’ve got you covered.



External vs Insider Threats: Why there are no “internal” SAP systems

I would like to reflect on a common situation that I have repeatedly heard over the past few years when talking and training on the topic of SAP security:

When I ask the question:

  • “How are you dealing with the cyber-threats affecting your SAP platform?”

Most commonly I get the answer:

  • “Oh, our SAP system is internal, so we are fine.”

I humbly believe that many people have a misconception about this statement, and it is about time that we clarify that the old paradigm of “external vs. internal” has not applied in information security for a long time. It doesn’t apply when we talk about networks, and therefore, it does not apply when we talk about threats. And specifically, it does not apply to SAP environments.

Let’s analyze why:

  1. Who’s on your “local” network? Several decades ago your local network would only be hosting very few and trustworthy employees. Today, the local network must be considered as harmful as any other untrusted network. Surprisingly, many large organizations still have the SAP platform deployed in networks which are directly reachable from the end-user network (no internal DMZ), significantly increasing the attack surface.

Furthermore, because most large organizations are outsourcing the management of their SAP platforms to third-party contractors, fewer controls can be enforced. Just in the last training we held at Black Hat USA, three students commented privately that they had suffered a breach in their SAP systems, having a disgruntled outsourced contractor as the perpetrator.

  2. That one application. It’s not rare to hear from Information Security peers that they were not aware (most of the time, were not informed) of that one application that actually exposes SAP components to suppliers, partners or customers. Because of modern business requirements, many SAP systems are effectively used to provide online access to business processes, usually through Web applications (which could be running on top of SAP itself) or Mobile platforms.
  3. Your internal users have email access. Even if there is no SAP Web application to exploit directly, malicious attackers would of course not give up. For several years now, they would just use client-side exploits in spear phishing attacks: sending malware through a malicious PDF or MS Office document to any internal employee. Upon opening it, your internal user would surrender the entire “local” network to an attacker who may be sitting thousands of miles away. From there, the attacker has effectively established a presence inside your network and can just fire at will at the SAP systems (back to point 1!).
  4. Your SAP system is online. I’m sorry for the bad news, but don’t kill the messenger. SAP AG provides support services (such as EarlyWatch) remotely from specific locations. In order for them to do so, you need to deploy a component called SAProuter that will proxy the remote support connections to your “internal” SAP systems.

Ideally, it should be set up through a VPN connection with SAP AG only, but more often than not it’s possible to find them directly exposed to the Internet. An unsecured SAProuter could be completely exposing your SAP platform to the world. Read this SAP Security In-Depth publication for more information regarding the SAProuter.
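Point 4 above turns on how the SAProuter is configured: its route permission table (saprouttab) decides which source hosts may reach which SAP systems and services through it. The script below is an added example, not code from the Onapsis post or product, that reads a saprouttab and reports the entries a defender should look at first: blanket permits (wildcard source, destination or service), permits placed after a catch-all deny (unreachable, because entries are matched first-match-wins), and a table with no terminating deny line. It assumes the documented saprouttab syntax (`P`/`S`/`D` action, source host, destination host, destination service, optional password, `#` comments, `*` wildcards); the sample table and its host names and addresses are constructed placeholders.

```python
# Added example: audit a SAProuter route permission table (saprouttab) for
# overly permissive or ineffective entries. Assumes the standard syntax:
#   <P|S|D> <source-host> <dest-host> <dest-service> [password]
# with '#' comments, '*' wildcards and first-match-wins evaluation.
# P = permit, S = permit only with SNC, D = deny.
from dataclasses import dataclass

VALID_ACTIONS = {"P", "S", "D"}


@dataclass
class Entry:
    lineno: int
    action: str
    source: str
    dest: str
    service: str


def parse_saprouttab(text: str) -> list[Entry]:
    """Parse saprouttab text into entries; raise ValueError on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        action = fields[0].upper()
        if action not in VALID_ACTIONS or len(fields) < 4:
            raise ValueError(f"line {lineno}: unrecognised saprouttab entry {raw!r}")
        entries.append(Entry(lineno, action, fields[1], fields[2], fields[3]))
    return entries


def audit_saprouttab(text: str) -> list[str]:
    """Return human-readable findings about risky or dead entries."""
    findings = []
    catch_all_deny_seen = False
    for e in parse_saprouttab(text):
        if e.action == "D":
            if (e.source, e.dest, e.service) == ("*", "*", "*"):
                catch_all_deny_seen = True
            continue
        # From here on the entry is a permit (P or S).
        if catch_all_deny_seen:
            findings.append(f"line {e.lineno}: permit after catch-all deny is never reached")
        if e.source == "*":
            findings.append(f"line {e.lineno}: permits connections from any source host")
        if e.dest == "*":
            findings.append(f"line {e.lineno}: permits connections to any destination host")
        if e.service == "*":
            findings.append(f"line {e.lineno}: permits connections to any destination service/port")
    if not catch_all_deny_seen:
        # Recommended practice (our assumption here): end the table with an explicit deny.
        findings.append("table has no terminating 'D * * *' entry")
    return findings


# Constructed sample table; the host names and the TEST-NET address are placeholders.
SAMPLE_SAPROUTTAB = """\
# constructed sample saprouttab for illustration only
P 192.0.2.10   sapprd01  3299        # remote support partner (placeholder address)
S 10.1.0.*     sapprd01  3200        # internal client segment, SNC required
P *            *         *           # blanket permit: exposes everything behind the router
D *            *         *           # catch-all deny
"""

if __name__ == "__main__":
    for finding in audit_saprouttab(SAMPLE_SAPROUTTAB):
        print(finding)
```

Running it against the sample reports the three wildcard problems on the blanket-permit line; replacing that line with host- and service-specific permits (and keeping the final `D * * *`) produces a clean run. In practice the same check belongs in the change process for the SAProuter configuration, alongside restricting the router to the VPN with SAP AG that the post recommends.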

In order to mitigate the risks that affect our SAP platform, we first need to understand the threats we are facing. We need to accept that our SAP systems are in fact connected to rogue and untrusted networks. With that mindset change, we can then analyze how to protect it holistically from cyber-attacks.


The Onapsis ERP Security Blog

Welcome to the Onapsis ERP Security Blog!

While leading organizations are already taking measures to protect their ERP systems from the increased threat of cyber-attacks, at Onapsis we feel that “leading” is not enough. We realize that a significant number of organizations are still not able to answer a very important question: “Is my ERP implementation secure?” At Onapsis, we know this uncertainty only empowers the bad guys and we feel it’s our duty to level the battlefield. That’s why we created this Blog.

Traditional measures like Segregation of Duties controls are one necessary step, but no longer enough to protect against advanced ERP application-layer attacks. Through this channel, our thought-leaders will share their best practices, knowledge, war stories and latest research to help you better understand the risks that your company faces as these systems become an increasingly attractive target for cyber-attacks. More importantly, we will provide you with actionable guidelines to increase the security of your ERP platform, effectively safeguarding your business crown jewels.

Stay tuned for the upcoming posts. We sincerely hope you enjoy them!

The Onapsis Team
