Press release

Onapsis Launches Business Risk Illustration Assessment Designed to Discover and Prioritize High Impact Threats Targeting Business-Critical Applications and Systems

Sponsored by Businesswire

the leader in business-application cyber resilience, today announced the
industry’s first Business Risk Illustration assessment for
business-critical applications. Onapsis’s Business Risk Illustration
provides valuable insights into the existing risk posture of an
organization’s SAP applications, custom code and systems. The assessment
measures the severity of misconfigurations and vulnerabilities and the
risk they pose to the business, providing compliance, IT and security
leaders quantitative data that allows them to more effectively
communicate business and cyber risk to the executive team and the board
of directors.

As the core business information systems of many Fortune 2000 companies
and entities worldwide, SAP® platforms are one of the most profitable
targets for cybercriminals and intruders. On May 2, 2019, the Department
of Homeland Security issued a US-CERT alert on 10KBLAZE, its third
communication in less than three years, regarding the growing threat to
enterprise resource planning applications and systems. Onapsis
issued a threat report on the 10KBLAZE exploits
, which can lead to
full compromise of an organization’s SAP application infrastructure and
deletion of all business data, including the modification or extraction
of material, highly-sensitive and regulated information.

According to Gartner, “As financially motivated attackers turn their
attention ‘up the stack’ to the application layer, business applications
such as ERP, CRM and human resources are attractive targets.”*

The Business Risk Illustration program offers a customer organization
access to Onapsis’s team of dedicated research experts. Using a
software-backed services engagement approach, where no credentials are
provided by the customer, the Onapsis team mimics the behavior of an
attacker, identifying the target systems within the organization’s
network and detecting existing vulnerabilities, weaknesses in custom
code and misconfigurations. The customer’s SAP applications and systems
are rated against the Onapsis’s Business Application Risk Maturity
Model, which scores an organization’s risk maturity on a six-stage scale
ranging from healthy to high risk. The corresponding output provides
information technology and security leaders with a quantitative,
actionable framework to inform SAP cybersecurity, compliance and cloud
migration initiatives.

“There is a disconnect between security leaders, the executive team and
the board, caused by an inability to quantify security risk reduction in
a way that is meaningful to the business,” said Shane MacDonald, Vice
President of Solution Engineering at Onapsis. “Our Business Risk
Illustration assessment arms IT, Information Security and Internal Audit
leaders with quantitative data that will facilitate meaningful
conversations around how to prioritize security, compliance and cloud
investments to better protect business-critical applications.”

The Onapsis Business Risk Illustration evaluates and collects
information about risks affecting SAP applications. Some examples of the
most common vulnerabilities that an Onapsis assessment will identify

  • 10KBLAZE related vulnerabilities, as highlighted by the US-CERT
    , which involves the SAP Message Server and allows a
    remote attacker to compromise the entire SAP application
  • Invoker Servlet vulnerability, as highlighted by the US-CERT
    Alert TA16-132A
    , which could be abused through a web browser to
    compromise the SAP application
  • SAP Gateway configuration issues, which would allow an attacker to
    perform sensitive operations, ultimately accessing all information
    stored in SAP systems
  • Vulnerabilities in the custom code that organizations create to adapt
    SAP to match their business processes
  • Other vulnerabilities and misconfigurations in diverse SAP components
    that can be both detected and exploited by unauthorized and
    unauthenticated threat actors

To learn more about the Onapsis Business Risk Illustration assessment
program, please visit

*Gartner, “Hype Cycle for Application Security, 2018,” Analyst: Ayal
Tirosh, Published: 27 July 2018, ID: G00340359.

About Onapsis™
Onapsis helps organizations to be cyber
resilient by protecting their business-critical applications, keeping
them compliant and safe from insider and outsider threats. Our patented
solutions are used to accelerate digital transformation initiatives –
including transitioning to the cloud – by providing actionable
intelligence, continuous monitoring and automated governance for ERP,
CRM, PLM, HCM, SCM, BI and Cloud-based business-critical applications.

As the proven market leader, global enterprises trust Onapsis to help
modernize and strengthen their SAP applications, and to make sure
security, IT, DevOps and compliance teams are best prepared for the
business needs of the future.

Headquartered in Boston, MA, and with global operations, Onapsis proudly
serves more than 300 of the world’s leading brands and organizations,
including many of the Global 2000. Through our unique strategic
alliances with leading consulting and audit firms such as Accenture,
Deloitte, IBM, Infosys, PwC and Verizon, Onapsis solutions have become
the de-facto standard in helping organizations protect what really

For more information, connect with us on Twitter
or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of
Onapsis, Inc. All other company or product names may be the registered
trademarks of their respective owners.