Media Room

Press Releases

16 October | 2013

Onapsis becomes the first SAP-certified solution to enable SAP customers to audit and secure their HANA implementations.

Computer World

IDG News Service - A new tool from security vendor Onapsis aims to secure SAP's in-memory database HANA, the German company's fastest-growing data processing product.

Onapsis, a Boston-based company that specializes in SAP security, will incorporate the tool into its X1 suite, which scans for vulnerabilities and configuration problems in SAP deployments.

Read more.

10 October | 2013

Onapsis named one of the top SAP GRC Partners to Watch in 2014

Cambridge, MA – Onapsis Inc., the leading provider of proven solutions to audit and mitigate threats targeting ERP platforms, today announces it has been selected for inclusion in the Top SAP-GRC Vendors to Watch Report compiled by SAPinsider. Read more.

21 September | 2013

Onapsis Helps SAP Customers Secure Solution Manager with new In-Depth Publication

Cambridge, MA - Onapsis Inc., the leading provider of solutions to assess and protect ERP systems from cyber-attacks, today announces the release of the latest SAP Security In-Depth publication featuring the SAP Solution Manager. With this novel information, SAP customers will have a further understanding of the complexities of SAP Solution Manager and how to better secure it within their organizations.

08 September | 2010


Security check for SAP ERP.

How secure is my ERP application? Security vendor Onapsis aims to answer this question with new software. Initially for SAP, with other suites to follow later. Read more.

03 September | 2010


Onapsis, a provider of enterprise resource planning (ERP) security software has released a product to assess security risks on production SAP systems.

Mariano Nuñez Di Croce, director of research and development at Onapsis, said, "For several years, the auditing and IT security industries have considered that the deployment of segregation-of-duties controls was enough to enforce the security of SAP systems. Read more.

02 September | 2010


Onapsis to Release ERP Vulnerability Testing Suite.

Read more.

02 September | 2010

Onapsis Unveils Security Assessment Tool For SAP.

Onapsis releases X1, the first solution for Vulnerability Management, Penetration Testing and Compliance for SAP platforms.

Onapsis, the leading provider of solutions for the security of ERP systems and business-critical applications, today announced the release of a new solution to address the continuously increasing threats to SAP systems: Onapsis X1. Read more.

18 July | 2011

Onapsis X1 Enterprise 2 Achieves Integration Certification With SAP.

NetWeaver Onapsis X1 Enterprise 2 now provides a unified access point to SAP NetWeaver-based systems.

Onapsis, the leading provider of cybersecurity, compliance and continuous monitoring solutions for ERP systems and business-critical infrastructure, today announced that Onapsis X1 Enterprise 2 has achieved certified integration with the SAP NetWeaver technology platform. Read more.

14 May | 2013

Onapsis X1 Provides Cost-Effective SAP Cyber-Risk Management for Fortune 50 Company

Onapsis Inc., the leading provider of solutions to protect ERP systems from cyber-attacks, today announced that Siemens, one of the largest electronics and engineering firms in the world, has chosen Onapsis to protect its SAP platforms from cyber-attacks. Faced with the problem of quickly and cost-effectively detecting real-world security risks in its SAP systems, Siemens turned to the widely recognized expertise of Onapsis. Using Onapsis X1, Siemens is now able to automatically assess the security of their SAP systems and act upon remediation information to mitigate existing SAP application-layer vulnerabilities that could lead to espionage, sabotage and financial fraud attacks. Read more.

11 April | 2013

Onapsis Inc. and PwC Establish Alliance to Provide Onapsis X1 Capabilities to PwC's Customers

Onapsis Inc., the leading provider of solutions to protect ERP systems from cyber-attacks, and PwC, global audit and assurance, tax, and consulting services firm, announced an alliance based on the only product certified by SAP AG for SAP application security assessments to PwC's global SAP customers. Read more.

In the News

24 May | 2012

Security Researcher Urges IT Managers to Keep up With SAP Patches.

More than 95 percent of over 600 SAP systems tested by security firm Onapsis were vulnerable to espionage, sabotage and fraud, mainly because patches had not been applied, according to a researcher.

Attackers targeting SAP platforms don't need access credentials to perform these attacks, said Juan Perez-Etchegoyen, CTO of Onapsis, a Buenos Aires consulting firm focused on ERP systems and business-critical infrastructure. Perez-Etchegoyen made his remarks at the Hack in the Box conference in Amsterdam on Thursday. Read more.

16 May | 2012

SAP security must be holistic.

ICT Management
SAP security in terms of enterprise resource planning (ERP) systems needs to go beyond the segregation of duties controls, as, while necessary, these are not enough.

This is according to Juan Perez-Etchegoyen, CTO at ERP security company Onapsis. Speaking at ITWeb's 7th annual Security Summit yesterday, he said ERP systems store the most critical business information in the organisation, and so security must be looked at holistically.

He added that if the SAP platform is breached, an intruder can perform different attacks. These include espionage, where private information is accessed; sabotage, by shutting down the system or deleting critical information; and fraud, where information is modified and tampered with. Read more.

23 February | 2012

New Oracle ERP Vulnerabilities Unmasked.

Design flaws could allow attackers to access, alter, or take over ERP systems -- but will enterprises do anything about the vulnerabilities?

Researchers today issued security advisories for eight vulnerabilities, some of them critical, in a popular Oracle enterprise resource planning (ERP) application -- but they don't expect many users to actually apply the patches for them.

The flaws discovered by researchers at security firm Onapsis range from holes that could allow an attacker to access all business information and files, query for passwords, and alter business information processed by the ERP, basically taking complete control of the system. Patches for the vulnerabilities were included in Oracle's latest Critical Patch Update release, and these are the first public details of the flaws. Read more.

22 September | 2011

SAP NetWeaver gives Onapsis certification.

HTTP Request with Modified Header Makes SAP Login Screen Disappear, Researcher Says

SAP environments are often home to an organization's most important business data, making protecting them paramount for enterprise security.

Oftentimes however, securing these environments is considered synonymous with segregation of duties controls, creating for some a false sense of security - one that Onapsis CEO Mariano Nuñez Di Croce is hoping to change. To illustrate his point, the CEO will lay bare details of an authentication bypass vulnerability at the Ekoparty conference today in Buenos Aires.

The vulnerability is the result of a combination of two problems, he explained. First, there is an insecure authentication scheme by design, where the SAP system trusts that connections always come from legitimate authentication proxies. Second, customers failing to properly implement best-practices security settings detailed by SAP, by applying proper network filtering and trust relationships. Read more.

19 July | 2011

Authentication Vulnerability Enables Attackers to Access SAP Systems, Says Expert.

SAP AG has given certified integration status to the Onapsis X1 Enterprise 2 software. It can now be used successfully with the SAP NetWeaver technology platform, enabling users to automatically check the current security levels of their existing SAP solutions.

Onapsis is a leading provider of cyber security and offers compliance and monitoring solutions for enterprise resource planning systems. Read more.

02 May | 2011

ERP Apps Often Left Exposed.

Information Week.
Vulnerabilities in Oracle JD Edwards ERP applications all exploitable by unauthenticated attacker.

Among Oracle's latest round of patches last month were eight flaws in its JD Edwards enterprise resource planning (ERP) applications -- underscoring how ERP apps are often forgotten when it comes to security, overshadowed by database flaws and other worries. Read more.

13 Jan | 2011

SAP Acquires Security As Black Hats Take Aim.

As SAP buys into ID management, an event at Black Hat DC will put Web-enabled SAP apps in the line of fire.

SAP announced it will acquire a chunk of Secude's security business in order to bolster its identity management capabilities. The deal, made for an undisclosed sum, brings security software, identity and access management software and other related assets into the SAP portfolio. In particular, the deal is focused on Secude's Secure Login and Enterprise Single Sign-On products.

Read more.

12 Jan | 2011

SAP Application Security Spotlighted at Black Hat DC.

At the upcoming Black Hat DC conference, a security researcher is putting Web-enabled SAP applications in the line of fire.

With more and more SAP systems getting connected to the Web, the security landscape for many organizations is changing. Just how much—and what those changes mean—will be highlighted at the upcoming Black Hat DC conference by Mariano Nuñez Di Croce, director of research and development for Onapsis. Read more.

11 Jan | 2011

Exploits Target SAP Application.

A researcher at next week's Black Hat DC will show how attackers can target an enterprise's Web-enabled SAP applications by exploiting the way enterprises have misconfigured them, as well as some inherent design issues in the enterprise resource management (ERP) apps.

Mariano Nunez Di Croce, director of research and development for Onapsis, will demonstrate bypassing authentication in SAP Enterprise Portal, injecting a backdoor into a compromised SAP Enterprise Portal, internal port-scanning via SAP Web services, and exploiting vulnerable SAP Web services. Read more.

23 November | 2010

Is SAP afraid of a Stuxnet-style attack?

SAP is stepping up its security stance as once-isolated systems become increasingly connected to the Internet and attackers diversify their targets.

Enterprise software provider SAP is stepping up its security stance as its once-isolated systems become increasingly connected to the Internet, posing new risks as hackers diversify their targets. Read more.

12 August | 2010

Ensuring SAP security on mobile devices means tough encryption, planning.

The biggest security threat when mobilizing SAP applications is the risk of an employee losing the device and exposing the organization to possible customer data breaches, according to interviews with analysts.

The good news is that, currently, mobile applications present fewer SAP security concerns than PCs do. Because there are so many different operating systems out there, targeting a huge base of users with a virus is difficult. Read more.

29 July | 2010

Researcher Warns SAP Prone to Back Door Exploits.

LAS VEGAS — For many enterprises, SAP's (NYSE: SAP) software is mission-critical. But according to Mariano Nunez Di Croce, a security researcher from Argentinean research vendor Onapsis, SAP software is at risk even when users properly follow all of the company's security guidelines.

In a talk here at the Black Hat security conference, Di Croce argued that SAP deployments could be at risk from back doors, a technique used by hackers to secure future access to a system while remaining undetected. Read more.

14 April | 2010

SAP, Other ERP Applications At Risk Of Targeted Attacks

Black Hat Europe researcher demonstrates techniques for inserting 'backdoors' into popular enterprise resource planning apps that aren't properly secured.

Backdoor Trojans and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren't just for Windows PCs anymore -- SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack. Read more.

09 April | 2010

Hacker conference to address emerging Web threats.

The Black Hat security conference will kick off next week in Barcelona, with training sessions and briefings from some of the most talented security researchers in the industry.

Facebook's chief security officer, Max Kelly, is scheduled for a keynote presentation on Wednesday morning following two days of training sessions. The last two days of the conference will focus on briefings featuring research into a variety of threats on the Internet and application vulnerabilities. Read more.

07 April | 2010

SAP vulnerability could expose systems to hacking.

* Could leave companies open to sabotage, espionage, fraud.

* Vulnerability lets hackers make stealth attacks.

* SAP says only vulnerable if customers ignore advice.

* Research to be presented at Black Hat Europe conference.

Companies using SAP AG's (SAPG.DE) business management software could be vulnerable to stealth attacks by hackers if their systems are not properly configured, according to a computer security expert. Read more.