SAP intrusion detection on the entire landscape is the product’s most valuable feature.
What is most valuable?
How has it helped my organization?
It has hardened our SAP system by providing details of vulnerabilities in our SAP landscape. Before installing and configuring the Onapsis software, it would have taken an indefinable amount of time to search and monitor the system for potential threats or holes. Once Onapsis is installed and configured, it checks for vulnerabilities on all SAP systems at the OS, DB and SAP levels. Vulnerabilities are provided in various reports, along with solutions and OSS note numbers where appropriate.
What needs improvement?
I really love how Onapsis X1 is able to check SAP for threats; the reporting was something I felt could be improved. It could be a little easier to use and to publish for consumption with a larger audience. Currently, it takes some background jobs and additional work to get them published. It was difficult to get interactive reports to the different levels of the business. I would have to download them and send them out, or save them on my SharePoint site and send out a weekly link.
In the version of the product I was using, I had to log into the X1 system directly to get to the reports. Reporting would be used by several different areas of the organization, many of whom would be at the director and executive levels. It would not make sense to have them log directly into the tool to look at these reports. Add to this that there was only one ID that could be used to log in and view the reports.
To solve this problem, I had to run all of the different reports; executive summary down to detailed analysis and then export them out to my security team SharePoint site. To automate this process, a batch script was created to run after the X1 analyzed the systems. The script would pull the reports and place them in the SharePoint site automatically, but it was a bit of a hassle to get set up.
For how long have I used the solution?
I have used it for one year.
What do I think about the stability of the solution?
The product was stable and easy to patch and update when needed.
What do I think about the scalability of the solution?
In my implementation of over 200 CPUs, I did not run into any scalability issues.
How are customer service and technical support?
The support was very good. Onapsis had onsite technical training in which an experienced engineer provided a week of training helping to configure and run X1 on our system. He even explained how to make custom checks in the tool using their native programming language.
Which solution did I use previously and why did I switch?
The previous solution was SAP’s own monitoring tools. These did not provide the level of checks our organization was looking for. Also, in the past, we would have a penetration test performed by an outside firm that showed us flaws and vulnerabilities in our system, which allowed them to enter our landscape and SAP systems.
How was the initial setup?
It is relatively easy to install and implementation was straightforward; it is wizard based. When problems are found, fixes are referenced in the log which explains how to fix the issue. There are also SAP OSS notes referenced where applicable.
However, it did take some work getting the pointers installed into every SAP system in the landscape; ECC, BW, GTS, GRC, and so on. This is to be expected, though. It just required transports to enable configuration for monitoring.
What's my experience with pricing, setup cost, and licensing?
Really get an understanding on how many CPUs and nodes are in the landscape and make sure to prepare a good estimate of system server growth. For example, new servers might be needed in the SAP landscape in the future for additional processing or for new SAP products.
Which other solutions did I evaluate?
Before choosing this product, we also evaluated ERPScan and SAP’s Solution Manager.
What other advice do I have?
Make sure to do a PoC and make sure the infrastructure team understands and is on board with all the work that will come their way after the reports are run, because lots of vulnerability problems can show up in the reports.
