New Onapsis service assesses SAP applications to identify critical risks
Onapsis, the leader in business-application cyber resilience, announced the industry’s first Business Risk Illustration assessment for business-critical applications. Onapsis’s Business Risk Illustration provides valuable insights into the existing risk posture of an organization’s SAP applications, custom code and systems.
The assessment measures the severity of misconfigurations and vulnerabilities and the risk they pose to the business, providing compliance, IT and security leaders quantitative data that allows them to more effectively communicate business and cyber risk to the executive team and the board of directors.
As the core business information systems of many Fortune 2000 companies and entities worldwide, SAP platforms are one of the most profitable targets for cybercriminals and intruders. On May 2, 2019, the Department of Homeland Security issued a US-CERT alert on 10KBLAZE, its third communication in less than three years, regarding the growing threat to enterprise resource planning applications and systems.
Onapsis issued a threat report on the 10KBLAZE exploits, which can lead to full compromise of an organization’s SAP application infrastructure and deletion of all business data, including the modification or extraction of material, highly-sensitive and regulated information.
According to Gartner, “As financially motivated attackers turn their attention ‘up the stack’ to the application layer, business applications such as ERP, CRM and human resources are attractive targets.”
The Business Risk Illustration program gives a customer organization access to Onapsis's team of dedicated research experts. The engagement is software-backed and unauthenticated: the customer provides no credentials, and the Onapsis team mimics the behavior of an external attacker, identifying the SAP systems reachable within the organization's network and detecting existing vulnerabilities, weaknesses in custom code and misconfigurations.
The customer's SAP applications and systems are rated against Onapsis's Business Application Risk Maturity Model, which scores an organization's risk maturity on a six-stage scale ranging from healthy to high risk. The resulting report gives information technology and security leaders a quantitative, actionable framework to inform SAP cybersecurity, compliance and cloud migration initiatives.
“There is a disconnect between security leaders, the executive team and the board, caused by an inability to quantify security risk reduction in a way that is meaningful to the business,” said Shane MacDonald, Vice President of Solution Engineering at Onapsis. “Our Business Risk Illustration assessment arms IT, Information Security and Internal Audit leaders with quantitative data that will facilitate meaningful conversations around how to prioritize security, compliance and cloud investments to better protect business-critical applications.”
The Onapsis Business Risk Illustration evaluates and collects information about risks affecting SAP applications. Some examples of the most common vulnerabilities that an Onapsis assessment will identify include:
- 10KBLAZE-related vulnerabilities, as highlighted by US-CERT Alert AA19-122A, which involve access-control misconfigurations in the SAP Gateway and SAP Message Server and allow an unauthenticated remote attacker to compromise the entire SAP application
- The Invoker Servlet vulnerability, as highlighted by US-CERT Alert TA16-132A, which can be abused from an ordinary web browser, without authentication, to compromise the SAP application
- SAP Gateway configuration issues, which would allow an attacker to perform sensitive operations, ultimately accessing all information stored in SAP systems
- Vulnerabilities in the custom code that organizations create to adapt SAP to match their business processes
- Other vulnerabilities and misconfigurations in diverse SAP components that can be both detected and exploited by unauthorized and unauthenticated threat actors.
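The Gateway and Message Server issues listed above are, at bottom, profile-parameter misconfigurations, and an organization can screen for the most basic ones itself before or after an external assessment. The following is an added example and not Onapsis's code or part of its assessment: it parses an SAP instance profile (the usual `name = value` format with `#` comments) and flags the access-control settings that the 10KBLAZE mitigations in AA19-122A target, namely the Gateway ACL (`gw/acl_mode`, `gw/sec_info`, `gw/reg_info`) and the Message Server ACL and monitoring flags (`ms/acl_info`, `ms/monitor`). The two sample profiles are constructed for illustration, and the decision to treat an absent parameter as weak (rather than trusting the kernel default) is a deliberately conservative assumption; a real review must also confirm that the referenced `secinfo`, `reginfo` and `ms_acl_info` files exist and are restrictive, which a text-only check cannot do.

```python
"""Screen an SAP instance profile for Gateway / Message Server ACL weaknesses.

Added example, not Onapsis code. Parameter names are the real SAP profile
parameters; treating a missing parameter as weak is an assumption made here
so that nothing is silently accepted on the strength of a kernel default.
"""

# Constructed sample: a profile with the settings 10KBLAZE-style attacks rely on.
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
gw/acl_mode = 0        # no restriction on external RFC server registration
ms/monitor = 1         # external monitoring programs may administer the MS
"""

# Constructed sample: the same instance with the ACLs and flags set.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
ms/acl_info = $(DIR_GLOBAL)/ms_acl_info
ms/monitor = 0
"""


def parse_profile(text):
    """Parse `name = value` lines; '#' starts a comment; later lines override."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def check_profile(text):
    """Return a list of (parameter, severity, message) findings for the profile."""
    p = parse_profile(text)
    findings = []

    # Gateway ACL: acl_mode 1 applies a restrictive default when the ACL
    # files are missing; 0 (or unset, by our conservative assumption) does not.
    if p.get("gw/acl_mode") != "1":
        findings.append(("gw/acl_mode", "high",
                         "not 1: external programs may register/start via the Gateway"))
    for name, fname in (("gw/sec_info", "secinfo"), ("gw/reg_info", "reginfo")):
        if name not in p:
            findings.append((name, "high",
                             f"not set: no explicit {fname} ACL for the Gateway"))

    # Message Server ACL: without ms_acl_info any host can register as an
    # application server and receive the server list / logon redirections.
    if "ms/acl_info" not in p:
        findings.append(("ms/acl_info", "high",
                         "not set: any host may register with the Message Server"))

    # ms/monitor=1 lets external monitoring tools administer the Message Server.
    if p.get("ms/monitor", "0") == "1":
        findings.append(("ms/monitor", "medium",
                         "set to 1: external monitoring/administration enabled"))

    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} profile ==")
        for param, severity, msg in check_profile(profile) or [("-", "-", "no findings")]:
            print(f"[{severity:6}] {param}: {msg}")
```

Run it against the two constructed profiles and the weak one produces five findings while the hardened one produces none. Extending the same pattern to other parameters the assessment would look at (for example the Gateway monitoring level) is a matter of adding a line to `check_profile`.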