Covering all the SAP bases
Covering all the SAP bases

X1 is an agentless SAP auditing tool that is able to map out entire SAP landscapes, display any insecure configurations on the individual elements of the landscape, as well as show the insecure communication channels between the elements of the system. In short, it is a one-stop auditing solution to the SAP security problem.

And what is that security problem? SAP runs most of today's big organizations. It is, by some accounts, the quintessential ERP system. That makes it a juicy target for attackers and that is the SAP problem. When you have a target painted on your back, you'd better take measures to make sure that you are secure. The partnership between SAP and Onapsis helps ensure that. The result is a very secure environment and a methodology for continuous security audit and remediation to make sure that it stays that way.

The first thing we noticed about X1 was that it looked a lot like our old friend Core Impact. That is coincidence, we have been assured, but the point is that the important feature of Impact – its ease of use – appears in X1 as well. It is very hard to develop a user interface (UI) for an audit/vulnerability testing tool that is not so busy that it is hard to read. Both of these fine products have mastered that. We were very impressed with X1's UI, especially, though, because SAP environments can become very complicated multi-tiered beasts, and that's a lot of complexity to visualize during testing.

Like all good vulnerability testing tools, X1 can begin by discovering SAP assets. Once it does that the testing can begin. You can perform manual tests or you can run a pre-scripted set of tests. Once you find the vulnerabilities present in your system, you can drill down for specifics and you will even get concise remediation directions. There are numerous types of canned reports – from the simple executive summaries through compliance reports to the far more complicated technical details for the IT folks.

One report that we really liked was the mitigation plan. This is a plan of action that can be output to a spreadsheet and can feed a ticketing system such as Remedy. Policies are included, but you can create your own as well, and the process is simple and straightforward.

Another excellent capability of X1 is what Onapsis calls the RFC Topology Map. This is sort of like a communications map of VPNs between SAP elements. It shows how each is communicating with the others and helps point out rogue communications. A worthwhile feature of the maps is that they can be run and understood by IT network folks who do not have a deep knowledge of SAP. This is secure networking – pure and simple. But rogue communications can be, as we know from recent breaches, a very real danger. SAP and X1 work together to ensure that these rogue paths are identified for remediation.

Once the system faults have been remediated, a second report – a sort of before and after report – can be generated giving a closed loop remediation plan. Overall, we found this to be a very advanced example of what a large-scale ERP security auditing system should be. If you are running SAP in your shop, you need to take a close look at X1.


At a glance

Product: X1

Company: Onapsis

Price: $2,700 per SAP instance to be tested.

What it does: SAP vulnerability and penetration testing tool.

What we liked: This is a unique product and it has everything necessary to test SAP implementations for security flaws.

What we didn't like: Nothing. This tool covers all the bases and does it well.