BOSTON – June 5, 2019 – Onapsis, the leader in business-application cyber resilience, today announced the industry’s first Business Risk Illustration assessment for business-critical applications. Onapsis’s Business Risk Illustration provides valuable insights into the existing risk posture of an organization's SAP applications, custom code and systems. The assessment measures the severity of misconfigurations and vulnerabilities and the risk they pose to the business, providing compliance, IT and security leaders quantitative data that allows them to more effectively communicate business and cyber risk to the executive team and the board of directors.
As the core business information systems of many Fortune 2000 companies and entities worldwide, SAP® platforms are one of the most profitable targets for cybercriminals and intruders. On May 2, 2019, the Department of Homeland Security issued a US-CERT alert on 10KBLAZE, its third communication in less than three years, regarding the growing threat to enterprise resource planning applications and systems. Onapsis issued a threat report on the 10KBLAZE exploits, which can lead to full compromise of an organization’s SAP application infrastructure and deletion of all business data, including the modification or extraction of material, highly-sensitive and regulated information.
According to Gartner, “As financially motivated attackers turn their attention 'up the stack' to the application layer, business applications such as ERP, CRM and human resources are attractive targets.”*
The Business Risk Illustration program offers a customer organization access to Onapsis’s team of dedicated research experts. Using a software-backed services engagement approach, where no credentials are provided by the customer, the Onapsis team mimics the behavior of an attacker, identifying the target systems within the organization’s network and detecting existing vulnerabilities, weaknesses in custom code and misconfigurations. The customer’s SAP applications and systems are rated against the Onapsis’s Business Application Risk Maturity Model, which scores an organization’s risk maturity on a six-stage scale ranging from healthy to high risk. The corresponding output provides information technology and security leaders with a quantitative, actionable framework to inform SAP cybersecurity, compliance and cloud migration initiatives.
“There is a disconnect between security leaders, the executive team and the board, caused by an inability to quantify security risk reduction in a way that is meaningful to the business,” said Shane MacDonald, Vice President of Solution Engineering at Onapsis. “Our Business Risk Illustration assessment arms IT, Information Security and Internal Audit leaders with quantitative data that will facilitate meaningful conversations around how to prioritize security, compliance and cloud investments to better protect business-critical applications.”
The Onapsis Business Risk Illustration evaluates and collects information about risks affecting SAP applications. Some examples of the most common vulnerabilities that an Onapsis assessment will identify include:
- 10KBLAZE related vulnerabilities, as highlighted by the US-CERT AA19-122A, which involves the SAP Message Server and allows a remote attacker to compromise the entire SAP application
- Invoker Servlet vulnerability, as highlighted by the US-CERT Alert TA16-132A, which could be abused through a web browser to compromise the SAP application
- SAP Gateway configuration issues, which would allow an attacker to perform sensitive operations, ultimately accessing all information stored in SAP systems
- Vulnerabilities in the custom code that organizations create to adapt SAP to match their business processes
- Other vulnerabilities and misconfigurations in diverse SAP components that can be both detected and exploited by unauthorized and unauthenticated threat actors
To learn more about the Onapsis Business Risk Illustration assessment program, please visit https://www.onapsis.com/bri.
*Gartner, “Hype Cycle for Application Security, 2018,” Analyst: Ayal Tirosh, Published: 27 July 2018, ID: G00340359.
Onapsis helps organizations to be cyber resilient by protecting their business-critical applications, keeping them compliant and safe from insider and outsider threats. Our patented solutions are used to accelerate digital transformation initiatives – including transitioning to the cloud – by providing actionable intelligence, continuous monitoring and automated governance for ERP, CRM, PLM, HCM, SCM, BI and Cloud-based business-critical applications.
As the proven market leader, global enterprises trust Onapsis to help modernize and strengthen their SAP applications, and to make sure security, IT, DevOps and compliance teams are best prepared for the business needs of the future.
Headquartered in Boston, MA, and with global operations, Onapsis proudly serves more than 300 of the world’s leading brands and organizations, including many of the Global 2000. Through our unique strategic alliances with leading consulting and audit firms such as Accenture, Deloitte, IBM, Infosys, PwC and Verizon, Onapsis solutions have become the de-facto standard in helping organizations protect what really matters.
Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.