Security company to release testing tool for SAP mobile access

Boston-based Onapsis will release a tool next month that tests if SAP systems have been correctly configured for mobile device use

As SAP invests heavily in mobile, a security testing company will release a tool next month to ensure mobile-accessible SAP systems are not vulnerable to hackers.

Boston-based Onapsis will release a new module for its X1 security suite, a product that performs automated security assessments, penetration testing and compliance audits for SAP's ERP (enterprise resource planning) software, said Mariano Nunez, Onapsis' CEO.

The module will focus in part on the SAP Mobile Platform, formerly known as the Sybase Unwired Platform Developer Center, which helps developers build SAP mobile applications for different devices and platforms. It also looks at the NetWeaver Gateway, an SAP server that links devices to back-end systems, Nunez said.

Exposing those back-end systems is complicated, and companies can face a risk of hacking if the systems are misconfigured or do not have up-to-date patches.

"We see that companies may not be paying enough attention to that and forgetting the devices," Nunez said. "Our empirical experience shows those systems are usually left insecure because of people not applying the latest patches or not following SAP's best security practices."

SAP is focused on mobile access, device management and security as more companies embrace bring-your-own-device policies. SAP supports iPhone, Android and Blackberry devices.

Sanjay Poonen, head of SAP's mobile division, said at the Sapphire Now conference in May that the company has more than 1,000 people working on mobile-related projects in areas such as retail, banking and consumer package goods.

Last year, SAP reported more than €222 million (US$293 million) in license revenue from its mobile-related business, a revenue stream that didn't exist two and half years prior, Poonen said.

"We think this market is really poised for an even bigger opportunity if you go even beyond devices," Poonen said. "This world is going to require us to think of mobile security in a whole new way."

Nunez said companies faces risks if, for example, a CRM (customer relationship management) system is incorrectly configured for access by mobile devices, opening a door for hackers using attack tools for Web services.

X1's mobile security module looks at what functions and processes are exposed in the back-end systems and not on the mobile application itself, Nunez said. It alerts users to security vulnerabilities and tells users how to fix the issues. The module is scheduled to be released next month, and will be free to X1 subscribers.

Onapsis is also scheduled to present two SAP security workshops at the Black Hat security conference in Las Vegas, which kicks off on July 27. The workshops, which are not product focused, will look at SAP security from an academic perspective, Nunez said.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags mobile applicationsintrusionOnapsissecuritydata breachmobilefraud

More about GatewayGatewaySAP AustraliaSapphireSybase AustraliaUnwired Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts