Defending ERP

Two decades ago, an uneven hacker book emerged with an anonymous author and a collage of contributing authors. Maximum Security was, in fact, filled with links to crude hacking tools and read (at least to me) like many issues of 2600 magazine stapled together into an encyclopedia-sized tome. That said, I thought it was a fun book, and I’m sure I paid for at least a couple of editions. The book certainly had its place – and was quite popular, perhaps even inspiring to some.

One teenager in Argentina agreed with that assessment, and found the book helpful with his early forays into computer hacking. Soon presenting at hacker conferences, young Mariano Nunez would later forge his position in our industry by pioneering vulnerability assessments of ERP systems. In fact, by 2007, he was wowing audiences at Black Hat, showing them creative cyber attacks on important enterprise tools such as SAP – and this was new.

And so, it was great fun for me this past week reminiscing about early hacking exploits with Nunez, who now serves as head of an ERP security firm called Onapsis. It had been suggested to me by my friends at Evolution Equity and .406 Ventures that I simply had to spend some time chatting with the young CEO. I can tell you that they were right: Mariano Nunez is a delightful technologist, and his firm focuses on an area that remains poorly attended by many enterprises.

“When I first started looking at security in ERP systems,” Nunez told me, “literally no one was considering security vulnerabilities in these types of systems. And it was surprisingly easy to find critical vulnerabilities in these systems, including SAP, so I knew I was onto something. But back in 2006, too many people in our community didn’t take this as seriously as they should. That has certainly changed today.”

Onapsis focuses its flagship platform on cyber security support for SAP users, offering a range of tools for continuous monitoring, security vulnerability management, and compliance support. The platform integrates several modern protection technologies, including behavioral analytics and context-aware processing. Remediation is provided through an active lock-down feature that enforces a hardened security configuration.

The growing company has expanded its protection support into Oracle’s E-Business Suite, offering customers assurance that security-related patches, administration, parameters, and risks are properly attended to. Such expansion establishes Onapsis, in my mind, as a more general ERP and critical business application security solution provider, as opposed to a niche vulnerability tool.

More recently, the need to focus on ERP vulnerabilities has been validated by a flurry of activity around nation-state interest in exploiting this critical area of business application support. A typical recent Reuters article describes the growing threat in the context of various firms reporting security challenges in this area. And yes – we’ve all been warned: DHS had issued an alert in this area, way back in 2016.

I spent some time in my discussion with Nunez discussing how this area might evolve from a platform supporting one, and then another, and then another ERP system – into a more general layer of protection for critical business applications. We even played with a new term we coined during our discussion called Application Access Security Broker (AASB), but when we pronounced it out loud, it didn’t sound all that good. Stay tuned – we’ll keep trying.

If SAP or Oracle E-Business Suite is part of your critical application arsenal, and if you agree that security issues in these important ERP platforms need considerably more attention, then I suggest you be in touch with Nunez and his fine Onapsis team. One thing I can promise is that the discussion will be considerably more streamlined and coherent than that weird Maximum Security book that still sits on my shelf today.

As always, let us know what you learned.