
Empowering security for mission-critical applications

Cyber threat warnings have increased in recent times. In fact, most businesses receive countless alerts, be it from their threat intelligence solutions or enforcement agencies. Yet threats keep evolving and continue to go undetected, causing problems for businesses everywhere.

In Southeast Asia, cyberthreats continue to be rampant in all countries. Be it Vietnam, Malaysia, Singapore, or Indonesia, malware and ransomware attacks are being reported almost daily. In Singapore, the Cyber Security Agency of Singapore recently warned of a ransomware attack masquerading as a Windows update while CyberSecurity Malaysia also highlighted the importance of threat intelligence in detecting cyber threats.

For Onapsis, a cybersecurity provider that protects the mission-critical applications that run the global economy, businesses need to ensure they have the right tools in place when it comes to dealing with threats, especially for their mission-critical applications. The Onapsis Platform, one of the services offered, uniquely delivers vulnerability management, threat detection, response, change assurance, and continuous compliance for mission-critical applications from leading vendors such as SAP, Oracle, Salesforce, and other SaaS platforms.

While Onapsis has been around for some time, the company recently expanded its operations into Southeast Asia. In a recent media briefing, Simon Naylor, VP for APJ at Onapsis, highlighted how the company hopes to make a difference in cybersecurity in Southeast Asia, especially with the region already home to multiple vendors.

In Southeast Asia, Onapsis currently works with the largest electricity utility in Malaysia as well as a Singaporean government department and higher education facility. It also offers services to a large oil and gas organization in Australia and has a presence in India through a very large IT and technology partner.


Simon Naylor, VP for APJ at Onapsis

According to Naylor, most cybersecurity vendors in the region cover a very broad set of applications and are looking at larger environments. Onapsis, on the other hand, is primarily focused on ERP applications and the custom code involved with them, primarily with SAP and Oracle.

“The challenge is that when you’re extremely broad, you can’t really be extremely deep into many things. And frequently, you’ll see that, especially when you think about larger ERP systems and the complexity there. And it takes a large amount of time, and a large investment of resources to truly understand those complex systems and really get into those sorts of vulnerabilities. We’ve been doing this for well over 10 years. So we’re able to go very, very deep,” explained Naylor.

He added that when it comes to vulnerability management programs, many have only about five to ten checks that are community-sourced, while Onapsis has about 2000 checks on different things through an ERP system. Because of this, he feels Onapsis can go really deep and beyond patches, detecting and helping businesses understand where they are most vulnerable in these critical systems.

When asked to what extent application testing is automated using machine learning and AI, Naylor said that they always wanted to have a human in the middle of that sort of decision-making process, because an over-dependence on certain aspects or algorithms can sometimes go awry.

“But we do not automate everything. And anytime there’s some element of automation, highlighting a number of very common vulnerabilities that we know about that could account for, you know, let’s say 50 to 60% of the challenges you’ll frequently find in code, we have a very high certainty that this is the case and occurring as we run these things,” he added.

Securing mission-critical applications 

As such, Naylor pointed out that Onapsis sits at the actual critical application itself. That is really what businesses are focusing on, especially now that their critical systems are exposed to the internet and it is very easy for someone to gain access to those systems in ways that were never possible before.

“I think people are recognizing the fact that this mission-critical layer is really important to protect. And I think one other factor that we’ve seen is that over the past two to three years, we’re starting to see the SAP or the Oracle landscape, starting to move under the purview of the CISO, which didn’t really happen before.

“So now that it’s coming underneath the CISO, he realizes he doesn’t have visibility into all of this. And that’s where we see a lot of people reaching out to us now saying, I have a vulnerability management program, I need help getting into SAP because I don’t understand what my risk profile is here. And we’re able to give them that visibility, which gives them the, let’s just say, comfort level to better and more accurately approach risk conversations with their board and with the C-suite,” commented Naylor.

Interestingly, Naylor also mentioned that most of their clients’ developers are really focused on just developing SAP. Hence, an application security testing tool just for SAP dev environments fits into a number of different dev environments. The threat intelligence that is provided is communicated throughout the entire platform. Customers who are using control gain the advantage of the analysis, the research labs, and the understanding of new code vulnerabilities, which is then put into the actual product to help identify vulnerabilities before they become a larger problem.