Backdrop: Cyber threats have taken yet another twisted turn with the police and the Cyber Security Agency of Singapore (CSA)'s recent warning of a ransomware attack, Magniber, masquerading as a Windows update.
At a media briefing, newly appointed vice president for Asia-Pacific, Simon Naylor and David D' Aprile, vice president for global marketing, gave their views on how Onapsis is racing to secure SAP business applications in the cloud. Joining the discussion was Chew Peng Healey, regional marketing director for Onapsis.
How do you differentiate against more established brands like Synopsys, Micro Focus, Rapid7, WhiteHat Security?
David D' Aprile: Many of those companies have a very broad set of applications. So, you think about Micro Focus with application security testing, and they're looking at many different applications, they're going into several different larger environments to help them with regards to their security testing.
We are primarily focused on these ERP applications and a lot of the custom code involved in that, so primarily SAP and Oracle with regards to that piece of it. We're very hyper-focused on that piece of it. The Gartner Magic Quadrant (for Application Security Testing) has a nice write-up on that.
And then what do you think about Rapid7, or Tenable or Qualys, (these are) great vulnerability management programs, very broad, right, we're covering a large number of applications.
The challenge is that when you're extremely broad, you can't be extremely deep into many things. And frequently, you'll see that, especially when you think about larger ERP systems and the complexity there.
And it takes a large amount of time, and a large investment of resources to truly understand those complex systems and get into those sorts of vulnerabilities. We (Onapsis) have been doing this for well over 10 years. We're able to go very, very deep.
Many of these vulnerability management programs might have like five to 10 checks, many of them community-sourced. People are contributing to that community. We have well over like 2000 checks on many of the different things through an ERP system.
"We're able to go deep, and it goes beyond just patches as well. Authorisations, privilege levels, behaviour, things along those lines, all these things are things that we're able to detect and help people understand where they're most vulnerable in these large critical systems."
David D' Aprile
Is "application security testing" a standalone tool?
David D' Aprile: Generally, what we found with regards to our clientele, is that their SAP developers are focused on just developing SAP.
So having the application security testing tool that we have very specifically just for their SAP dev environments.
We fit into a number of those different Dev environments. We don't get into the larger sort of things like Micro Focus would write where there, they fit into a larger number of different application development platforms.
We're very focused on the SAP side, and our clients are perfectly content with that. How it is: our products, internally, with regards to analysis, are all unified to a certain extent. The threat intelligence that we provide is communicated throughout the entire platform.
Customers who are using Control gain the advantage of our analysis, research labs, understanding of new code vulnerabilities, and then putting that into the actual product to help identify vulnerabilities or things that we're seeing before they become a larger problem or a headache in production itself.
How is Onapsis marketed, and are customers supported in Asia?
Simon Naylor: We're very new here. We primarily concentrated in North America and Europe. But we have very many global customers. And we want to bring our level of knowledge and support out into the Asia Pacific region.
We recently opened the Singapore office. I'm looking after business for Onapsis in the region. Chew Peng joined to help elevate the knowledge of what Onapsis does, how we can assist large ERP infrastructure users in this part of the world and bring our solutions that will enable them to better protect their mission-critical applications here in the region.
We've also hired our first person in Australia. We are opening an office in Sydney to address the Australian market. And we're currently in the process of recruiting some tech support staff in the region, so that we have tech support in this part of the world.
"We are extending our relationship with our partners like IBM Security, Accenture, PwC, KPMG, and Deloitte, in this part of the world to be able to support them as well as the end-users in the deployment of Onapsis critical application security solution into the customers."
Simon Naylor
We are very new here. And hopefully, we will grow quickly and increase our whole support infrastructure. For customers in this part of the world, we do already have five or six customers in Asia-Pacific. We can't name them specifically.
But we have the largest electricity utility in Malaysia, we have a Singapore government department. We have a Singapore higher education facility. We have a very large mining and oil and gas organisation in Australia. And we have a very large IT and technology partner and end-user in India.
Chew Peng Healey: The business model is we only sell through partners. From a marketing perspective, we will do a lot of brand awareness-type activities by speaking engagements, and events to get people to learn a bit more about what we do.
To what extent is application testing automated (using ML/AI) today? In your experience, to what extent do you think users are willing to trust the recommendations of these testing tools?
David D' Aprile: When you think about cybersecurity in general, we've always wanted to have a human in the middle of that decision-making process. An over-dependence on certain aspects or algorithms can sometimes go awry.
There are things that we can automate. But we do not automate everything. And anytime there's some element of automation, highlighting several common vulnerabilities that we know about that could account for 50 to 60% of the challenges you'll frequently find in code, we have a high certainty that this is the case and occurring as we run these things.
But there is a person in the middle to essentially, you know, click through on that. So, there's an acceptance piece with that; there's no blanket automation where something is just instantly cleared and fixed. There's always a human in the middle to make that decision at the final part of it.
What are the skillsets needed for security pros to be effective in application testing?
David D' Aprile: The skillset required to be good in application testing, that's interesting. I think there must be an element of knowledge of SAP code.
Number one, I think there also must be some sort of knowledge of, where I say this, common mistakes: common things that you would incorporate as a shortcut, but that you know you're doing just because you're taking a shortcut, right? That kind of knowledge of the development piece of it is generally extraordinarily helpful.
And that's why, really, Control is generally helpful in that regard. Because we have that SAP knowledge, which is very useful for the CSO, the CIO, who may not have that level of experience, but understands that introducing new vulnerabilities into the landscape can be very, very challenging.
For example, sometimes people bypass a level of authorisation in their code. Identifying these things is very common, but you'd have to know to look for it, because you'd have to understand that SAP code side of it. So, I would say probably knowledge of SAP and application development are probably useful.
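As an added illustration of the "bypassed authorisation" mistake mentioned in the answer above (example code written for this page, not Onapsis code and not an Onapsis Control rule): a small Python static check over constructed ABAP snippets that flags a read of a sensitive HR table that has no preceding AUTHORITY-CHECK, and also the subtler case where the check runs but its sy-subrc result is never tested, so the code carries on regardless. The sensitive-table list and the S_TABU_NAM / PA0008 pairing are assumptions chosen for the demo, not a statement about any real system.

```python
"""Toy static check for a common SAP custom-code mistake: reading a sensitive
table without an effective AUTHORITY-CHECK in front of it.

Added example for this interview page; not Onapsis code and not a real
Onapsis Control rule. The ABAP snippets and the table list are constructed.
"""
import re

# Assumption for the demo: tables whose reads must be guarded by an
# AUTHORITY-CHECK. PA0008 (basic pay) and PA0002 (personal data) are HR
# infotype tables; USR02 holds user logon data.
SENSITIVE_TABLES = {"PA0008", "PA0002", "USR02"}

# One ABAP statement per match; statements may span several source lines.
SELECT_RE = re.compile(r"^\s*SELECT\b.*?\bFROM\s+(\w+)", re.IGNORECASE | re.DOTALL)
AUTH_RE = re.compile(r"^\s*AUTHORITY-CHECK\s+OBJECT\s+'(\w+)'", re.IGNORECASE)
SUBRC_RE = re.compile(r"^\s*IF\s+sy-subrc\s*(<>|NE|EQ|=)\s*0", re.IGNORECASE)


def _statements(abap_source: str) -> list:
    """Strip ABAP comments (full-line '*' and inline '\"') and split on the
    statement terminator '.'. Good enough for the constructed samples; a real
    parser would have to respect periods inside string literals."""
    cleaned = []
    for line in abap_source.splitlines():
        if line.lstrip().startswith("*"):
            continue
        cleaned.append(line.split('"', 1)[0])
    return [s.strip() for s in "\n".join(cleaned).split(".") if s.strip()]


def scan(abap_source: str) -> list:
    """Return one finding per sensitive SELECT that is not effectively guarded.

    The walk is sequential: an AUTHORITY-CHECK only counts as effective once a
    later statement inspects sy-subrc, because AUTHORITY-CHECK itself never
    aborts the program; it only sets the return code.
    """
    findings = []
    seen_auth_check = False     # an AUTHORITY-CHECK statement has been seen
    auth_result_tested = False  # ... and its sy-subrc was inspected afterwards
    for stmt in _statements(abap_source):
        if AUTH_RE.match(stmt):
            seen_auth_check = True
            auth_result_tested = False
            continue
        if seen_auth_check and SUBRC_RE.match(stmt):
            auth_result_tested = True
            continue
        match = SELECT_RE.match(stmt)
        if not match:
            continue
        table = match.group(1).upper()
        if table not in SENSITIVE_TABLES:
            continue
        if not seen_auth_check:
            findings.append(f"{table}: read without any AUTHORITY-CHECK")
        elif not auth_result_tested:
            findings.append(f"{table}: AUTHORITY-CHECK performed but sy-subrc never tested")
    return findings


# Constructed sample 1: the shortcut, no authorisation check at all.
VULNERABLE = """
REPORT z_pay_report.
DATA lt_pay TYPE TABLE OF pa0008.
SELECT * FROM pa0008 INTO TABLE lt_pay WHERE pernr = p_pernr.
"""

# Constructed sample 2: the check is present but its result is ignored.
IGNORED_RESULT = """
REPORT z_pay_report.
AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
  ID 'TABLE' FIELD 'PA0008'
  ID 'ACTVT' FIELD '03'.
SELECT * FROM pa0008 INTO TABLE lt_pay WHERE pernr = p_pernr.
"""

# Constructed sample 3: check performed and enforced before the read.
GUARDED = """
REPORT z_pay_report.
AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
  ID 'TABLE' FIELD 'PA0008'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorised' TYPE 'E'.  " aborts the report
ENDIF.
SELECT * FROM pa0008 INTO TABLE lt_pay WHERE pernr = p_pernr.
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("ignored", IGNORED_RESULT), ("guarded", GUARDED)):
        print(name, "->", scan(src) or "no findings")
```

The second sample is the one a developer who knows the language recognises at a glance and a generic scanner tends to miss: the AUTHORITY-CHECK is textually present, but because the statement only sets sy-subrc, the SELECT still executes for an unauthorised user unless the code branches on that return code.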