TMCnet News

Onapsis Releases SAP Security In-Depth Publication for SAP HANA
[August 24, 2016]

Onapsis Releases SAP Security In-Depth Publication for SAP HANA


Onapsis, the global experts in business-critical application security, today released SAP (News - Alert) HANA System Security Review Part 2. This publication analyzes SAP HANA Internal Communication Channels, details associated risk, and identifies how to properly audit an SAP HANA system. As the 13th edition in the SAP Security In-Depth series, SAP HANA System Security Review Part 2 describes how to update the SAP HANA platform, noting new improvements in each Support Package.

SAP HANA is regarded by SAP as the absolute in-memory database for its products and, more recently, as a standalone platform. The vast majority of companies who have already adopted SAP HANA are leveraging its capabilities to support business-critical applications. Due to its nature, SAP HANA stores an organization's most important assets, including customer data, product pricing, financial statements, employee information, supply chains, business intelligence, budgeting, planning and forecasting.

"Improperly configuring SAP HANA has a huge impact on security, as there are many aspects of this product that by default, in certain versions, do not have the most effective security measures in place. For example, Internal Communication Interfaces were not designed to be used by the end user and, therefore, do not include security measures such as encryption or authentication in versions prior to SPS10. If left unsecured, an attacker could access any communication ports to perform espionage, sabotage, and fraud attacks," said Nahuel D. Sánchez, Author and SAP Security Researcher, Onapsis.

Within SAP HANA are Internal Communication Channels that allow communication between different processes that comprise the SAP HANA platform as well as between hosts and systems. The specific purpose of each internal communication channel depends on the quantity of host deployments, as well as system replication scenarios.

Onapsis SAP Security In-Depth (SSID) publications detail innovative security aspects of business-critical applications as identified by the Onapsis Research Labs. Each release analyzes the unique risks introduced to these applications and the different mitigation strategies that allow organizations to protect their SAP implementations. Following SAP HANA System Security Review Part 1, which focuses on understanding the HANA layout, this new edition takes a deep-dive into technical concepts to fully explain how to properly confgure critical aspects of SAP HANA.



SAP HANA System Security Review Part 2 is available for download at: https://www.onapsis.com/research/publications/volume-xii-sap-hana-system-security-review-part-2.

About Onapsis Research Labs™


SAP and Oracle (News - Alert) Security Threat Intelligence is produced by Onapsis Research Labs, a team of leading security experts who combine in-depth knowledge and experience to deliver technical analysis with business context, and provide sound security judgment to the market. The team works closely with SAP and Oracle product security teams to responsibly deliver the information to customers and has released over 150 advisories to date, with over 35 affecting SAP HANA; has consulted on impact with over 180 Onapsis enterprise customers; and regularly presents at leading security and SAP conferences around the world. Onapsis was the first to deliver "SAP Security In-Depth" publications that provide detailed analysis on security risks impacting SAP and SAP HANA.

About Onapsis

Onapsis provides the most comprehensive solutions for securing SAP and Oracle enterprise applications. As the leading experts in SAP and Oracle cyber-security, Onapsis' patented solutions enable security and audit teams to have visibility, confidence and control of advanced threats, cyber-risks and compliance gaps affecting their enterprise applications.

Headquartered in Boston, MA, Onapsis serves over 200 customers, including many of the Global 2000. Onapsis' solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM (News - Alert), KPMG and PwC. Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis' context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs. These solutions are powered by the Onapsis Research Labs, which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to-date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.

Onapsis has been issued U.S. Patent No. 9,009,837 entitled "Automated Security Assessment of Business-Critical Systems and Applications," which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry wide and has gained Onapsis the recognition as a 2015 SINET 16 Innovator.

For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.


[ Back To TMCnet.com's Homepage ]