“Cybercriminals Are Constantly Looking Out for Vulnerabilities”

Q&A Interview: Onapsis’ CTO details application security best practices and trends


Businesses today face a broader and more dangerous array of cybersecurity threats than ever before. In the UK, there were more than 400 000 reports of fraud and cybercrime in 2021 alone. Those crimes come with significant costs too. In addition to the reputational damage that comes with cybersecurity incidents, data breaches cost UK companies an average of US$4.35 million

That makes it critical that organisations have the best possible cyber defences in place, not just for the threats they face today but also for those of tomorrow. This is especially true for business-critical applications that must be run continuously for the organisation to keep operating smoothly and servicing its customers.   

One person with extensive experience in helping secure those applications is Onapsis CTO Juan Perez-Etchegoyen. The firm, which has existed since 2009, provides cybersecurity solutions to 20% of Fortune 100 companies worldwide and has grown 187% over the past three years. 

In the below Q&A, he details the company’s growth story, how it approaches vulnerability management and application security, the practices organisations should adopt to stay safe and what he thinks the future of cybersecurity might look like.

Juan Perez-Etchegoyen (Full Interview)

Q: Can you tell us a little bit about the Onapsis story?   

A: Onapsis’ founding dates back to the 2000s. Back then, all three founders were ethical hackers, working for a well-known security consulting organisation in Argentina, servicing customers all over the world. When a customer hired them to try and hack into its applications to uncover vulnerabilities, Onapsis CEO, Mariano Nunez noticed that it was running on SAP (one of the world’s largest enterprise software platforms) and uncovered several major vulnerabilities. 

He realised that the security community had neglected SAP and realised there was an opportunity for a company that could detect vulnerabilities and build defences for companies running its software. Today, the company has more than 300 clients around the globe, including 20% of Fortune 500 companies. 

Q: What makes the Onapsis platform different? What are some of its key features 

A: The biggest differentiator for Onapsis is that we’re the only vulnerability management and application security provider that deals specifically with business-critical applications running on SAP, Oracle, and Salesforce. Our five products — Assess, Defend, Comply, Control for Code, and Control for Transports — are able to manage vulnerabilities, detect and respond to threats, test application security, and automate compliance. The combined features of these products make it easier to identify and quickly shut down threats. 

We’re also aware, however, of the constant need to evolve and have introduced several new offerings over the past few months. These include Onapsis Assess Baseline, which accelerates enterprises’ abilities to kickstart their SAP vulnerability management programs, and enhanced information security solutions for our Defend and Assess products. We have also recently announced the release of our Threat Intel Center which connects the Onapsis Threat Intelligence Cloud, a global network of sensors and applications instrumented to capture the activity of attackers exploiting mission-critical applications, and deep research conducted by the ORL into a unified, detailed threat intelligence repository. 

Q: What role does Onapsis Research Labs play? 

A: The primary role of Onapsis Research Labs is to track,  identify, and defend against a constant stream of emerging cyber threats. The labs team of cybersecurity experts not only uses their knowledge to improve the Onapsis platform but also to share advisories, publications, and threat reports to customers. To date, Onapsis Research labs has uncovered more than  800 zero-day vulnerabilities, and many of the critical findings led to global CERT alerts. 

The strength of this division is perhaps illustrated by its most recent discovery of three critical vulnerabilities within Internet Communication Manager, a core component of SAP business applications. These vulnerabilities have since been patched by SAP but Onapsis customers were protected right away, thanks to updates delivered directly through the Onapsis platform. 

Q: What does your application security testing process look like?

A: Our automated security testing is designed specifically for SAP applications. By using our solution, organisations can identify errors before they enter the production phase and before they have a chance to impact application security, compliance, availability, or performance. The platform also allows organisations to inspect third-party or internal custom code throughout the application development cycle to ensure that vulnerabilities aren’t introduced at any point. This is completely integrated into the development process so developers can fix the issues earlier and with minimal cost, as opposed to having to fix them in production with extremely high cost and impact. 

Q: What are some of your top tips for keeping applications safe? 

A: For business-critical applications in particular there are two things that IT teams should focus on: patch management and vulnerabilities in custom code. 

Focusing on patch management should be a given for any IT team. After all, if cybercriminals are constantly looking out for vulnerabilities, you should aim to close them up as quickly as possible. Unfortunately, it’s something that a lot of organisations aren’t very good at. In fact, research shows that it can take up to 97 days for an organisation to go from discovering a vulnerability to applying, testing, and fully implementing a patch. If you figured out an easy way to break into your house, you wouldn’t fail to properly address it for more than three months, so why treat an organisational vulnerability any differently? The case for rapidly implementing patches becomes even stronger when critical SAP flaws have been weaponized within 72 hours or less of a patch release. 

Most organisations also, to some degree at least, use custom code to ensure that their business-critical applications match their needs. The trouble is, custom code can be highly susceptible to vulnerabilities. Automated solutions that can quickly scan thousands of lines of code and identify potential vulnerabilities can help ensure that custom code is much less of a threat. 

Q: What are some of the most significant emerging cybersecurity trends?

A: Perhaps the biggest and most important emerging trend is the realisation that, even with the best defences in place, breaches can and do still occur. There have been enough major incidents over the past few years (including the Colonial Pipeline, Log4j, and Kaseya ransomware attacks) that this should be obvious. It’s therefore critical that organisations have incident response playbooks. These playbooks should outline potential cyberattack scenarios with highly detailed remediation plans. With the right incident response plans in place, organisations can resume business faster and restore customer confidence. 

In doing so, it’s critical that they have the buy-in of the entire organisation. One of the best ways of achieving this is to make cybersecurity feel as accessible as possible. Here, cybersecurity frameworks such as the NIST Cybersecurity Framework can be incredibly helpful. 

Q: How do you see Onapsis evolving going forward? 

A: While it’s hard to predict exactly how the business and cybersecurity environment will change going forward, one thing that’s certain is that we’ll keep driving security for organisations that are dependent on business-critical applications to keep running. We’ll also keep partnering with SAP and Oracle on the research for critical vulnerabilities and threats, helping ensure a safer global enterprise environment.