October 14, 2025 52 mins

A curiosity-fueled career moves from Atari and BBS days to leading research on a live SAP zero-day, with candid lessons on people skills, breaking into security, and holding the line when pressure spikes. We unpack how a benign SAP endpoint became an RCE chain and what it takes to defend complex systems at scale.

• early path from Commodore 64 and BBS to IT and security
• contrast between the Wild West era and today’s tool-rich learning
• help desk as a foundation for people skills and pressure
• practical advice for students on coding, protocols, Wireshark
• hiring by attitude, approach and aptitude over tool checklists
• navigating WAF pushback and risk acceptance with dev teams
• Onapsis Research Labs and SAP's threat landscape
• deep dive on the SAP 31324 Java gadget-chain RCE
• attacker interest, attribution signals, and factory impact
• offensive research versus traditional pen testing
• building culture that rewards questions and learning

Find us: onapsis.com → Research Labs. Search “Onapsis 2025 31324” for our zero-day article. SAP thanked us in their patch notes. Connect with Paul on LinkedIn to talk SAP security, offensive work, or careers.



Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:00):
How's it going, Paul?
It's it's great to get you on the podcast.
I don't know how long we've been planning this thing, but like I'm glad to get you on now because I I just looked at the rest of like my year's recording schedule and already like yeah, I'm I'm done recording for like January and February.

(00:21):
I'm not like touching those months.

SPEAKER_00 (00:25):
Well, thanks for having me, Joe, with you here so
that we can have a chat.
I'm looking forward to it.

SPEAKER_01 (00:31):
Yeah, yeah, absolutely.
So, Paul, you know, why don't we start with how you got into, you know, IT or security overall, right?
Like what was the thing in your past when you were starting out that kind of prompted you down this path, right?
Because it's not necessarily a normal path, right?

(00:53):
I mean, you're you're a professional looking at how to break things, you know, on a daily basis.
Not everyone, you know, likes that, right?
Not everyone is built out for that.
So what do you think were some key points that kind of maybe drove you towards it?

SPEAKER_00 (01:09):
Yeah, that's a good question.
So it was pretty much right as I started to become aware in life back when I was just a little kid.
And I first got my hands on some of the original gaming consoles, like the Atari.
But I think the pivotal moment was when I walked, when my parents were at one of the strip malls, and I noticed this Apple

(01:33):
logo and had to walk in there.
I just didn't know what it was about as a little kid.
And we walked into the store and I just saw all these original Apple machines back at the time, and my jaw dropped, and I fell in love with this thing, and I had no idea what it was about.
Eventually, I ended up with not an Apple, but a Commodore 64.

(01:56):
And I started to learn about oh wow, there's this thing called BBS.
Wow, I can actually connect over the phone.
So I ended up getting my first modem.
It was a 300-baud modem.
And I started to find phone numbers to BBSs.
I connected, I found I can run my own.

(02:17):
I got my first BBS on a Commodore 64, and you needed a little dongle for the license key to plug it in.
And it just kind of took hold, it cemented, right?
When I was this, this like 10-year-old.
And uh, and then from there, I just started to expand out.
You know, eventually I taught myself how to program in BASIC.

(02:38):
I started to go into Windows, and then I heard of this application or this software called McAfee.
Like that was brand new at the time, and I was looking at files through hex and and it just it just took hold, right?
And and the first, the first software that was malicious at the time were were very much interested in making sounds off

(03:02):
of your machine, right?
So you would run this application, and then all of a sudden there was a bug in the code or or something that someone had put in there that caused your machine to make sounds or make music.
And and I thought that was fascinating.
The fact that things can go bad.
And how does that happen?
Uh how do you figure out how that happens and where do you find it?

(03:22):
So that began, in essence, the seeds of the journey that led to a lifelong fascination and practice within information technology that led to cybersecurity.
And I've been doing cybersecurity now in various domains in cybersecurity for the bulk of my career.

(03:43):
Hmm.

SPEAKER_01 (03:45):
Yeah, it's like uh it's like that unquenchable curiosity.
You know, I I feel like you probably like stumbled into it, you know, early on.
Like my my first experiences with computers was like trying to figure out how to get my computer to run like games on it, right?
So I mean, me and my brother, real big into games.

(04:06):
Well, my parents could only afford, you know, one console, right?
So he's on the console.
All right, now I gotta figure out how to play games with this thing, you know, and start diving into it like that.
It's an interesting time.
And I like I haven't thought about that in you know forever, right?
I never thought that that would like make me more inclined towards computers or anything like that.

(04:28):
Because after a while, I actually kind of stepped away from it, and mostly because I had to like focus on graduating high school.
Because like I went through, I went from you know, being smart enough to pass everything without studying to taking like college prep classes, and it was like I have to, I have to study.
Well, I don't know how to study.

(04:50):
Like, I gotta, I gotta learn how to study now, you know, like all that stuff.
So tinkering with computers kind of died off for me for a little bit.

SPEAKER_00 (04:58):
Yeah, for me, I I would describe that period of time as something like the Matrix or something like the Wild West.
You know, it wasn't known, it was unknown to pretty much the whole world.
I mean, it was well before the internet took off.
And and I mean, it was just it was awesome.
It was great to be in a space that was brand new and

(05:19):
everything was a discovery.

SPEAKER_01 (05:22):
Yeah.
Yeah, it's a stark contrast to today, where everything is kind of readily available.
You know, like you you said that you were starting to read, you know, applications in hex.
Well, you know, if someone wanted to do that today, right, there's probably a YouTube, you know, basics hex 101 video on

(05:43):
it, right?
Like, and back then, you're probably having to like go to the library, find a book on hex, figure out what it is, go translate it to what you're seeing on the computer.
It's a different level of it's a different level of like interest and enthusiasm you you you have to have, you know.

SPEAKER_00 (06:02):
100%.
I think that that an example, one example of the difference between back then when I was getting into it, versus having a lot of different tools and technology and AI being able to bootstrap people is like the the definition or the view of the term hacker.

(06:22):
You know, the the term hacker back then was essentially what you're describing, right?
It's that curiosity.
It's going in and just kind of ripping things apart, trying to understand how things work.
And that's a very different connotation today.

SPEAKER_01 (06:34):
Yeah.
So when, you know, back then, when you started to like actually get into security, what did that look like?
Because back then, you know, security wasn't a focus.
It was like an afterthought.
It was, you know, not really thought about much at all.
So what did that look like for you?
Did you kind of create your own path in security while being in

(06:56):
another, you know, IT domain,like sysadmin or networking or
something?

SPEAKER_00 (07:00):
Yeah, I mean, that's a good, that's a good point.
Back then, when I was running BBSs, I certainly came across hacked software, right?
That was a big thing back then.
But there was no focus from law enforcement, there was no focus from any from anybody, right?
It just was relatively unknown.
As I went into a a career, so to speak, I came into it as a help

(07:27):
desk person, right?
Like that I would think like an average or traditional path for people wanting to get into IT, you step into like a service type role, right?
Where you're helping people with your knowledge situations, right?
They may have situations with their operating system, they may have situations with their username, password.
So that was something that that I got into.

(07:49):
And uh and I remember being in that role as a client liaison, I started to do other things, right?
So I saw opportunities to educate.
And so I created internal websites, I created educational material for my clients and made sure that they were empowered with the information that I had or information that my

(08:10):
organization, Informatics, had that we can impart to our customers and internal customers and make them more efficient.
But at that same time, I remember we had like one of the big worms hit and it just fascinated all of us.
It was like, what is this?
Right.
I remember printing it out.
I remember looking at it.
I think it was Melissa, I'd I'd have to double check, but that

(08:33):
was back around 1998, 1999, somewhere around there.
Had a big worm go around.
And once that had happened, that was the pivotal moment for me, knowing that that was the direction I definitely wanted to take.
Right.

(08:53):
Like I enjoyed being in IT, I enjoy working with tech, and I enjoy working with people around tech.
But when that worm hit, it was a jaw-dropping event.
And so, yes, I was familiar with all the other things before, but I had not seen it impact in such a way like that worm did.

(09:13):
And uh, and then all of a sudden, the the junkie in me, the adrenaline junkie, the ambulance, I was an EMT.
So, you know, I I I hesitate to say ambulance chaser when I used to actually be on an ambulance as an EMT and a firefighter at the same time.
But it it's that it's that curiosity, it's that fascination

(09:37):
of something was done with the intention to cause harm, right?
And I don't want that.
And I think that there's something I can do to help either prevent that or or help to remediate against it, or help to detect it.
And what does that look like?
And and so I just started to focus on that.

(09:59):
And I it wasn't easy to kind of get there because that was a different time, right?
And we didn't necessarily have those types of professions or or paths at the time, but I knew I wanted to focus on on malicious applications, malicious use of applications, malicious use of

(10:21):
features that were designed and not meant to be used in a way that they were used to seek some ulterior motive.

SPEAKER_01 (10:29):
Yeah, that's that's uh that's fascinating.
You know, if you were to give someone, you know, maybe that's in college looking to graduate, right?
Give someone advice of how they should get started in cybersecurity, what's the path that you would recommend that

(10:49):
they start going down?

SPEAKER_00 (10:51):
I think the the biggest help for me has been having knowledge and coding.
That's been huge.
And to your point, right, when you were talking about how do you study, how do you do those types of things, taking, taking, going through challenges that put you into that kind of space that help you to think and to help you to think I hesitate to

(11:14):
say programmatically.
I have a math degree.
So math going through that math program helped me to think in a way that I didn't think before, right?
I had to do proofs, I had to do theorems.
And so it forced me out of my comfort zone into a place that I had to work hard to try and understand.
But fundamentally, that was critical, right?

(11:36):
Because when you step into cybersecurity, especially in what we do, right, where we focus on vulnerability research and we focus on things like the zero day earlier this year that targeted SAP, that really requires out-of-the-box thinking, right?
That requires you to be able to think in ways that are out of

(12:00):
the box.
And so that's that's one, right, is to understand code, I think is important.
And two is to is to get yourself out of the comfort zone and to ask questions, the ability to ask questions and to understand what types of questions to ask, right?

(12:21):
So that that's kind of like the the conceptual level, right?
In terms of execution, I would say certainly having classes or or experience to coding, having classes or experience with operating systems and network protocols is a big one because a lot of this stuff happens over HTTP or RFC.

(12:44):
So understanding how to take a look at those protocols, understanding how to use something like Wireshark to be able to take a look at the PCAPs, to take a look at what's actually happening on the wire.
Getting, if you're in college, signing up for those internships, right?
Get into those internships where you have the opportunities.
If you don't have an opportunity to work in cybersecurity, try to

(13:06):
get something where you're working in IT, right?
Because that's still getting you that exposure.
And that's something that you can quantify on your resume.
And that's something that you can build upon that gets you into those initial positions.
The other side, too, that I encourage people is you may take a look at an entry-level position, right?

(13:26):
And it may say, Oh, you need this kind of experience or that.
I challenge you to apply for it anyway, especially if you have that passion and curiosity.
Because I, for one, when I hire people, I look at I look at the three A's.
I take a look at the attitude, approach, and the aptitude,

(13:48):
right?
So do you have so you may not necessarily have the background, you may not necessarily have the experience, but if you show me that your approach is there, that your attitude is there, and that you have the aptitude to learn this stuff, you're in, right?
Because I want people who are engaged, I want people who are

(14:08):
passionate and who have that curiosity.
Because that's when you bring that and you're part of a team that has that, great creative things can happen.

SPEAKER_01 (14:17):
Yeah.
Yeah, no, that that makes a lot of sense.
I I always, you know, I I recommend that people start in help desk.
And I think you kind of like describe that too, to a certain extent, right?
And I I just feel like the experience that you get on help desk, you know, when someone's angry calling you and you pick

(14:37):
up the phone and they're yelling at you because you know something broke or whatever it might be, right?
And every help desk is going to be different.
But when you get that experience, you know, you're you're starting to be in an uncomfortable situation.
You're getting used to being in a situation where maybe you don't know everything, you know, and you have to find out and you learn how to find out and all that sort of stuff.

(14:59):
It pays dividends, you know, later on down the line in security when you're talking to a developer and they're very opposed to you deploying a WAF on their application, you know, that's that's public, right?
Like they're very opposed to it because it breaks all all this different functionality, and now they have to, you know, work with you to build it into the WAF to allow it and everything

(15:21):
else like that.
I mean, you know, I I I I was I was deploying the AWS WAF at a company, a large automotive manufacturer, and uh you know, I got on a call with like 150 devs.
It was like the the only call because everyone was having you know alleged issues with the WAF that they didn't want to you

(15:43):
know deploy it a certain way or they didn't want to like have a certain functionality with it or whatever it was.
And so I get on this call, it's an hour-long call with 150 devs across the country, and they're just they're just yelling at me, they're just berating me for an hour.
And it's literally me and one other guy on the call that's a friendly.
I mean, every everyone's friendly at the end of the day,

(16:04):
but I think you understand what I'm saying.
Like, there's one other guy on the call that's not even on my team, but he's a security expert on another team, and we're just listening to everything, you know, and and and they were like trying to really like get around what they were asking for.
They wanted me to put in a certain rule, like all of them

(16:25):
were on the same page.
All of them wanted me to put in a certain rule into the WAF.
They didn't want to tell me what the w rule was doing, and I'm like, guys, I'm a security person, right?
I'm the most curious person like on this call.
I promise you, I am more curious than anyone.
I'm not putting in something that I don't understand what it

(16:47):
is actually going to do 100% of the time, right?
Like, this is a WAF, and that's a public application, you know.
Like we're taking personal data with that, you know.
And literally after an hour, I I finally put it together and I just said to him, I was like, Oh, so are you trying to just bypass the WAF altogether with this rule?

(17:08):
Because like that's what you were describing to me that you didn't want to point out or say or anything, you know, and they're like, Well, yeah, you know, that's effectively what it would do.
I was like, Okay, well, that could have been a five-minute conversation or an email because I'm just gonna tell you no, and now I'm kind of mad because you wasted my time.
It's like, come on, you know, what are we doing here?

SPEAKER_00 (17:32):
We all have those war stories, and I've come to through time to time, right?
I sometimes I start meetings when now I'm anticipating something like that and saying, hey, this is a blame-free working group session.
Yeah, let's focus on walking away with action items.

SPEAKER_01 (17:50):
Yeah.
Yeah, I I I remember before that call, I actually, you know, talked to my CISO and I said, Hey, look, I'm getting on a call with all these devs.
They're probably gonna yell at me about something.
You know, I'm sure you will hear about it during or after or whatever.
But, you know, don't worry.
Not gonna put the organization at risk.

(18:11):
I'm not gonna say anything that's against, you know, what we're doing.
He's he's he said, okay.
And right after the call, he said he got a call from the the lead dev asking, do we really have to follow what Joe is saying?
And my CISO, without even dropping a B, he goes, Whatever Joe said, you can assume I said it.
Now, don't waste my time and don't waste Joe's time like that

(18:33):
again.
Like he didn't even ask what the conversation was about or anything.
He's like, I don't care at this point.
Like, if Joe had to go through that, you're not dealing that to me.

SPEAKER_00 (18:44):
You raise a great point.
Having that curiosity is fantastic.
I love working with people that share the same curiosity and the same passion.
Yet, one of the pitfalls is what you're talking about, right?
High level, our fundamentally, our job comes with those challenges, right?

(19:04):
Our job is not the most well received by the business.

SPEAKER_01 (19:08):
It's like hated.
Because all that we do is cost money and we slow things down and we make it more difficult, you know?
It's like a natural adversary to some extent, you know.
And I've been in environments where man, I I've been in environments where like the security was so bad that I I I

(19:32):
wouldn't put my own personal information in their systems, you know, like that's how bad it was.
And I'm over here just recommending like best practices, just normal stuff.
And I'm getting shot down and denied, and I'm like, all right, well, either we're gonna get breached, like, or I need to like run for the hills before we get breached.

(19:55):
Like that sort of situation where it's just like, and then it's refreshing when you come across an environment that you know embraces security, that actually includes you in things and whatnot.

SPEAKER_00 (20:05):
I agree.
I I have some ideas that I've executed in those types of environments.
I'm curious as to what you've done in additional environments, right?
That you've had to deal with that.
What have you done that has helped navigate that complexity?

SPEAKER_01 (20:23):
Yeah, so you know, typically what I'll do is I'll I'll get on the call with the leads, you know, of whatever the product might be or whatever it might be, and I'll just explain, I'll just explain to them, you know, why it's important.
You know, like what, hey, you know, I got the scan over here.
This is the vulnerability, this is what it's telling me that

(20:44):
it's doing, right?
And maybe we'll even test it out right there on the call because maybe I'm incorrect about something.
Maybe there's a control that I don't know that that exists, you know, that they've already built in that handles it a different way, but the scanner still picks it up for some reason.
If if that's not the case, you know, then we start going down

(21:04):
the path of, okay, well, how do we actually resolve it?
What does your time look like?
You know, like how does the next sprint look like for you?
All that sort of stuff.
And really overcommunicating, right?
So I'll do that call, and then, you know, I I like to hold people to what they're telling me.
So I'm I'm sending a follow-up email with potentially, you

(21:26):
know, their manager or my manager on it.
Like, hey, we had this call, we discussed this, we agreed on this, moving forward, it should be done by this date, right?
And if it's not, if there's more pushback, you know, then it goes up, it goes up a level, right?
So it just continues to go up until someone either accepts the risk officially or it gets taken care of.

(21:47):
And so that's what I have found that typically works.
It's worked, you know, nine out of ten times, but that one time that it that it doesn't work, and that I don't want to say the one time that this process doesn't work, it was related to a single environment, that it just nothing worked because it was just it was a culture problem.
Yeah, they were more focused on delivering features rather than

(22:11):
sacrificing any sort of functionality in any way.

SPEAKER_00 (22:14):
Yeah, I for me, I I was both an IT perspective when dealing with the risks that were called out, as well as from the engineering perspective.
So when I was the head of the SOC, we had to handle it from the perspective of, okay, here's the CVSS score, right?
Here's how it's going to impact our systems, and and here's the

(22:35):
risk for us internally, right?
So we need to prioritize this.
We need to figure, we need to figure things out.
And so to that end, it did involve a lot of what you're saying, especially the overcommunication and the transparency.
But that's hard, right?
It's hard to do from an IT perspective.
When I was in engineering, when I was head of my engineering team, it was a different story, right?

(22:56):
I didn't necessarily have to worry about it from that perspective.
For me, it was more of a now I can have the capacity to shift left in in that whole engineering process, right?
So shift it all the way left to where we're talking about it conceptually and working it into the architecture and into the designs so that we can start dealing with it right up front before it ever gets to the back end where the feature or the

(23:19):
product is released, and then we're dealing with bugs, and then we're dealing with handling that afterwards.
So, you know, it's interesting to deal with it from both perspectives.
And I think it's good, to your point, to have as much diversity and perspective as possible because then it gives you the tool set to be able to communicate to various people

(23:40):
and to try and understand their concerns and to make sure that you're voicing their concerns appropriately so that they understand you understand and that you're addressing it in a way that is amenable to them and it's amenable to the customers and it's amenable to the business, right?
So sometimes in our position, we have to kind of juggle that

(24:04):
relationship too.

SPEAKER_01 (24:05):
Yeah, I feel like that's a part that's often missed, you know, in security, where we're more focused on telling someone no rather than hearing their reason behind it and you know, understanding where they're coming from.
Sorry, I'm like still getting over a cold that my kids gave me last week is very very frustrating for me.

(24:27):
It's like and they're both home at the same time, sick with the exact same thing.
It's like, oh my gosh.
I've been lucky.
My kids have been sick, but I've gotten nothing.
Man.
Yeah, well, my my kids, you know, they're they're little, right?
So two and a half and six months old.
And so my kids, when they get sick, all that they want to do is sit on my lap.

(24:48):
So it's like inevitable that I'm going to get sick as well.
It's just come on.

SPEAKER_00 (24:54):
Yeah.
Definitely been down that road.
And and I was walking past one of my kids the other day and he coughed right into my eye.
Yeah.

unknown (25:02):
Jeez.

SPEAKER_01 (25:03):
Kids, man.
It's the joys of having kids, you know?
I love being dad.
Best job on the planet.
Yeah, for sure.
It's absolutely my my most favorite thing.
If I could stop everything else and just be a dad, that'd be amazing.
But I didn't marry a lawyer, so you know, can't do that.
Well, you know, Paul, like I I wish I would have met you

(25:26):
earlier on in my career when I was trying to get into, you know, cybersecurity.
Because I'll tell you, it took me two and a half years to actually get into cybersecurity, and I was trying everything.
You know, I I was on the help desk and I was forcing my way into doing vulnerability management for the company that I was at without having a security title.

(25:49):
And I was getting certifications at the time, I was working on my master's at the time.
I was applying to everything that said security analyst in the title, like any low-level title.
You know, I had hundreds of applications over two and a half years.
And uh it took me that long because not many people were

(26:10):
willing to take a quote unquote risk on me when I didn't have experience with Splunk or I didn't have experience, you know, with Carbon Black or whatever you know the tool was in their environment.
I'm just sitting here like, you know, I don't know how else I can prove to you that I'm ready to learn when I literally like I just I just don't have $10,000 laying around to pay for a

(26:33):
Splunk license to deploy it in our environment for 30 days, you know, to learn it, right?
Like, and how much am I really gonna learn if I do that, right?
It just that was the most frustrating part for me.
And it, you know, I I eventually ran into a manager that had your

(26:54):
same mentality where it was like, hey, he doesn't have to have all of the you know hands-on skills and experience.
Like, we can teach that, but we can't teach is the personality, the drive, you know, all those other intangibles that people need to actually be successful.
To like, you know, hey, when I when I give you this project, I

(27:17):
need you to figure out how to do it.
You know, like that manager gave me a project and I went and learned PowerShell with it.
It was like, oh, this is the easiest way to do it.
Yeah, I need to I need to learn PowerShell, you know, spent a couple weeks doing it, right?
Like, but you know, I I still figured it out.
And that's not what a lot of people that's not what a lot of

(27:38):
people would would do.
You know, they wouldn't learn a whole like scripting language just to achieve some, you know, fairly low-level project, right?
But yeah, uh, I don't know where I was going with that, but I I feel like I feel like it would have been really beneficial to meet you early on.

SPEAKER_00 (27:54):
I feel like you've just given me a light bulb moment for for the first time concerning this.
Because I I don't get a lot of that, right?
So with what you just told me, it kind of makes me go back to what we were talking about with how I started out, right?
And there was this, I knew nothing, right?
Anyone at that time knew nothing.
I mean, it was literally we're all learning everything at the

(28:16):
same time.
And uh, and you had to be curious, you had to have that drive.
And so I wonder if if that is a prerequisite as a hiring person, right, that understands that aptitude is so important, right?
And your attitude and your those three A's.
They're so important to me.
I've hired interns.
I love having interns.

(28:37):
I love exposing them to what we do.
I love hiring interns.
I don't look for unicorns because I know that uh that I can bring people on who have those three things and they grow up their skills in the environment in which I hired them into.
Right.
So they become part of the team, they understand that it's safe

(28:58):
to ask questions and there's no, there's no negativity.
We celebrate not only the wins, we celebrate the the quote unquote failures.
I don't like using that word failure, but I'm gonna use that here.
I I tend to refer to failures as opportunities, right?
It's it's the whole mentality of proof of concepts, right?

(29:19):
So you have the theory, you go ahead and test the theory.
It's like a scientist, it's being a scientist, right?
You have a theory, you test your theory, it didn't work, great, success.
Check, we've we've uh checked that theory, it doesn't work, let's move on to the next theory, right?
So that that's to me the definition of a failure.

(29:40):
We went through, uh, tested out a theory.
Let's take a look at how we tested it, it didn't work, great.
If if it did work, uh we continue on with it, right?
So I do believe in uh in giving anybody and everybody opportunity so long as they have the attitude, the aptitude and the approach.

(30:02):
You know, if their approach is they're going to interrupt people, right?
If their approach is they only don't like to repeat themselves.
I like to hire people and have a team where it's okay to ask questions.
It's okay to repeat yourself, right?
Because we we have very diverse teams.
Times, not everyone speaks the same language.

(30:23):
And even when someone speaks the same language, they interpret it differently, right?
What you intend to say might not land the way that it was intended.
So it's important to be in an environment where you can go ahead and repeat yourself, where you can rephrase something so that everyone has an understanding and you drive

(30:44):
alignment and calibration, and that allows a team to be able to drive towards its goals.

SPEAKER_01 (30:50):
Yeah.
I mean, what you're describing there is like people skills.
You know, people skills really I said this maybe last episode or a couple episodes ago, but it's a pretty common theme where, you know, it as the market becomes more saturated with more and more, you know, professionals on the marketplace, right?
There's fewer roles in some instances for for these

(31:14):
positions, right?
You have to find a way to stand out.
And how do you best, you know, stand out when you may have the same certification as someone else, you may have the same experience, you may have the same years of experience.
The thing that'll help you stand out is the people skills at the end of the day, right?
I mean, this podcast helps me in so many other ways, other than

(31:38):
any sort of money that it brings in, which is basically nothing.
It it helps me, you know, talk to people, helps me show people skills, helps me almost interview without interviewing, right?
Which is hugely beneficial and it is something that I never ever expected when I started.
You know, like it's just like an added benefit.
I just wanted to talk to cool people about interesting things,

(32:01):
and that was it, right?
But you know, people skills areprobably like the easiest way to
set yourself apart because Iwould rather take someone that
knows knows less or knows verylittle on a on a topic, you
know, let's say vulnerabilitymanagement, that can talk really
well, that can go and theninteract with, you know, the dev

(32:23):
team or the engineering team orthe infrastructure team and say,
like, hey, can we just get thisdone?
And before that call, I'mcoaching them up, like, hey,
this is why this is important,this is what this means, all
that sort of stuff, right?
Like, that's a I feel likethat's someone that is easier to
coach up and train and get theminto the right, the right

(32:44):
position, you know, for them tobe successful.

SPEAKER_00 (32:47):
I'll give you an example with myself for the
position that I'm in at Onapsis, right?
Director of research.
I, for me, prior to Onapsis, I had lived in the world outside
of SAP, right?
So I had lived in threat intelligence,
counterintelligence, doing security operations, doing
engineering for threat intelligence, putting out it out

(33:08):
as a product.
So when I saw this position a couple of years ago, it captured
my eye.
You know, I'm looking at the job description, I'm looking at the
details.
It's this vulnerability research with SAP, which I'm like, this
is fascinating.
Up until then, I had used SAP as a consumer within a business,
right?
And uh, and so before I had spoken to anybody, I had put my

(33:34):
researcher hat on, my curiosity hat on, which is pretty much who
I am.
And I just started to take a look at Onapsis.
Okay, let's let's see what the Onapsis research labs is about.
Let's see what these vulnerabilities are, let's see
what the threat reports are.
So I started to take a look and analyze and learn and educate

(33:54):
myself.
And then I started talking to the recruiter, and then I
started talking to the chief product officer and the chief
technology officer, and I'm asking them all those questions.
One of the feedbacks that I got from the head recruiter at the
time was that I was one of the few, if not the only, that took
the time to actually research, right?
So social skills, absolutely important.
So is actually researching and being informed when you're

(34:18):
talking to the people at the company when you're
interviewing, right?
So it's not just, yeah, I want a job, right?
It's hey, all this interesting stuff that you're doing, I love
it.
And I want to do more.
I want to be part of the solution.
And when I saw what Onapsis was doing and the impact that they
had working with SAP to secure customers worldwide against

(34:39):
threats, and and I saw what SAP actually was, it blew my mind.
It brought me back to that time period in my youth, which was
wow, this feels like it's the Matrix, right?
It's the world underneath the covers kind of thing.
And frankly, with all my peers, none of us were really aware of

(35:00):
the ERP space, right?
It's something that for SAP, it's something like the Basis
team took care of, right?
And uh, and and that's that was also part of what worked for me.
It was I approached it from the perspective of I'm not a
candidate talking to a recruiter or to the hiring manager.

(35:21):
I am having a professional discussion, a professional talk,
like we are, right?
So it's it was a chat like that, where we're talking about my
experience, they're talking about their experience, the
challenges, all that stuff, and creating a connection.
Um, so I think that that's part of a secret sauce that can work
too.
Now, I will caution right that as much as those aspects can

(35:45):
help find candidates that you might want to hire, it's also
something that a candidate can use when they're interviewing to
determine if that's a place where they want to be.
So I use those things for myself as a candidate to make that
determination.
So when I I've hired here people at Onapsis, but in coming to
join Onapsis, I use that.

(36:06):
And I gotta tell you, Onapsis is quite special.
I'm happy I'm here.
And like you're saying, you wish we met a few years ago, which I
agree.
It would have been great if we met a few years ago.
I wish I learned of Onapsis years ago and I got on sooner.

SPEAKER_01 (36:21):
Hmm.
So talk to me about Onapsis and the zero days that you guys
found in SAP.
Maybe even maybe when you're when you're done telling me
about Onapsis, tell me what SAP is if someone doesn't, you know,
already know and they're listening to the podcast.

SPEAKER_00 (36:40):
Yeah.
So Onapsis has the Onapsis research labs.
And essentially that's how Onapsis had started.
It started with the three founders, where they were in
engagements and they were pen testing, right?
They're going out there and they're in environments and
they're doing pen testing and they came across SAP 14, 15
years ago, and then they were like, wow, what is this?

(37:02):
There's bugs.
So fast forward to today.
Um, well, first, I think we're pretty fortunate to have
founders who are still with the company that have that research
mentality, right?
It's it's great to be in that kind of position.
It it brings joy to me to be able to do what we do and have
that support from the leadership.
Earlier this year, through our SAP Threat Intel Network, we

(37:26):
captured some activity, right?
And when we started to analyze that activity, we realized what
had happened that ultimately led to the patch that SAP released
for the zero day, which was the 2025-31324.
That zero day, fascinating, very advanced.
Someone had to have known the intricacies and the

(37:52):
sophistication to be able to craft together this Java chain
and be able to put the payload into that sink in the gadget
chain that would ultimately lead to remote code execution.
So that's what we started to see.
When we took a look in our network, we started to see that
activity at the beginning of the year, starting in January.

(38:14):
And then we started to see back in March the exploration of
remote code execution using the zero day.
And then in April, SAP issued the patch.
And then after that, we started to see a lot more use of these
web shells.
So we captured that activity, we captured those exploits, those
attacks.

(38:34):
And it was my team that was we spun up, we spent a lot of time
looking at those attacks.
We were ripping apart the PCAPs, we're doing all the work that we
needed to do to deconstruct and to understand what was going on.
And then we're partnering closely with SAP product
security to make sure that we were passing on the intelligence
and the information to them that they can use that can continue

(38:57):
to be rolled out as patches, as notes to all of SAP customers
globally.
So we've been on that all year.
I'm still amazed, right?
We've been telling customers for a long time, just Onapsis
overall, SAP is a target.
We issued some reports a couple of years ago when we partnered

(39:18):
with Flashpoint that now SAP was being talked about in the
underground.
It was being actively talked about across the whole spectrum
of miscreants from people that don't have the knowledge, that
don't have the capacity.
They're using tools, right?
We refer to them as script kiddies, all the way up to APTs,
government-sponsored groups, so on and so forth, right?

(39:40):
We saw that there was now interest in ERP.
And then here's the zero day.
And sadly, a lot of companies have gotten compromised by the
zero day, and even more now because of the release of the
PO, the POC by Shiny Hunters.
As to SAP, SAP, I believe they are the largest software company

(40:01):
in Europe, I think the third largest in the world.
They've been around for a very long time.
They create this product, this suite of products that are
wrapped under the name SAP.
And so they are enterprise resource planning applications.
And there's a whole bunch of those applications.
They're targeting sectors like oil, they're targeting other

(40:21):
types of sectors like pharmaceuticals, some specific
applications, applications within the environment to for
automotive, for instance, manufacturing, for hiring, for
financials, for compliance.
There's a whole suite of tools and capabilities that companies
have in order to make sure that their businesses are running and
that they stay compliant with regulations.

(40:44):
But it is complex.
And so what we refer to that information, we call that the
crown jewels.
So a company's crown jewels are usually are typically stored
within an ERP system like SAP.
And that's what we do at Onapsis.
We we have our own application called the Onapsis Platform that

(41:04):
customers can purchase and they can go ahead and roll out in
their environment to assess their environment, to defend
their environment, and to do code audits of their code that
gets pushed out to SAP.
But we also have my team in the Onapsis Research Labs where we
actively work on finding vulnerabilities within SAP.
We partner with SAP, we report them to SAP.

(41:27):
So next week is Patch Tuesday.
SAP will go ahead and release its patches.
You'll see some patches from us, usually month to month.
But on top of that, like I said, we have our intelligence sensor
network.
And from that, we actively monitor the ongoing attacks
against SAP.
We work to understand what's happening, sort of like a

(41:50):
weather report, right?
Day to day, week by week, month by month.
And certainly this year has been, I think, the biggest
eye-opener for a lot of companies worldwide.
Because SAP really wasn't targeted before like it is now.
I would consider this to be the point of no return, right?
All the criminals, all the malicious actors are aware that

(42:11):
SAP is important to companies and that if it gets taken
offline, you can shut down a business as we're seeing now
with some businesses out there.
Their manufacturings are shut down.
Huh.

SPEAKER_01 (42:24):
I didn't even realize that there was active
SAP threats going on in environments that were shutting
down factories.
So were you able to do any attack attribution to you know
this to this exploit?
Do you know potentially of where it came from or who put it

(42:46):
together?

SPEAKER_00 (42:47):
Now I've got a slide with some information.
For the zero day, the zero day, we suspect that there was
involvement from Russia or slash China.
We don't know exactly who, but we suspect it's out of there.
What we do know is once the web shell started to get deployed,
that it was being used by Chinese actors.

(43:11):
And now with Shiny Hunters releasing the POC, I mean the
exploit's now public, right?
Anyone can go ahead and use the exploit and activate it.
So yeah, unfortunately, it went from very private hands to now
it's very public.
There are a lot of other groups that are targeting SAP.
I'm pulling up a slide here because I don't remember all of

(43:33):
them off the top of my head, but we've got like FIN7, FIN13,
Cobalt Spider, Queen Lin, you know, Shiny Hunters, Scattered
Spider, Lapsus, APT41, Earth Lamia, APT10, UNC5221, and the
list goes on.
Yeah.

SPEAKER_01 (43:53):
So you you said that it was a remote execution on the
SAP system.
But can we just talk through what it was actually doing in
the system?
Because you know, like you alluded that it that it's pretty
complex, right?
It required a lot of effort to put it together because they

(44:14):
would have had to know, you know, a lot of inner workings of
this system for them to be able to put this together.
So what is it actually doing and what are some of those inner
workings that it they would have to understand to kind of like
put it into context, you know, for people.

SPEAKER_00 (44:30):
Yeah.
So let's talk about the initial zero day, right?
We talk about WAFs, we talk about putting in filters into
the web application firewall to be able to stop things, right?
You usually go ahead and look for cross-site scripting, you
look for those types of things, right?
You can refer to the OWASP OWASP Top 10.
But in this particular case, it was a straight HTTP attack

(44:51):
against an endpoint, the metadata uploader, which is a
totally legit application within SAP.
But the payload involved this gadget chain, right?
So it's a series of Java classes that were constructed together
and it was passed serialized over to the endpoint metadata
uploader, where at one point it's getting deserialized.

(45:15):
And once it gets deserialized within that sink of the gadget
chain is the actual payload that was malicious.
So for the RCE, the remote code execution, we would see
execution.
Remote code execution doesn't necessarily mean a web shell is
being dropped, right?
Or a remote code execution can go ahead and execute a command

(45:36):
right on the command line, for instance, and there might not be
a file that's left behind.
Okay.
So it might run a command on there, it might run something
like whoami.
It might run some other type of command where you might want to
run curl, for instance, to download a file or do something
else that's malicious.
But that's the that's the idea of this.

(45:58):
And actually, that's the things that we started to see at the
beginning of the year before the web shells were being dropped.
So we were seeing evidence of these attacks coming through
this HTTP endpoint to metadata uploader, where the chain was
being deserialized and executed and some sort of remote code

(46:19):
execution was being run.
Now, how do you stop that through a web application
firewall?
Right.
Yeah.
Because it looks like a legitimate request.

SPEAKER_01 (46:27):
Yeah.

unknown (46:29):
Huh.

SPEAKER_01 (46:30):
Yeah, it's really fascinating.
I uh I keep telling myself though, like once I'm done with
my PhD, I'm I'm just gonna like go be a security researcher
somewhere.
Like, because I find it so fascinating.
Yeah, like it's so fascinating, and I I want to go more
offensive threat threat intel side.
That's like the area, that's probably the one area that I

(46:51):
haven't I haven't necessarily touched, but I think I would be
really good at it.
So that's just yeah.
Offensive in terms of like pen testing and those types of
things?
I wouldn't say necessarily pen testing.
And don't get me wrong, I want to get my OSCP and the OSCE more
of more of out of my own extreme curiosity and and need to not be

(47:15):
comfortable, I guess.
I want to get those, but you know, the the security
researchers side overall, I feel like pulls a lot from pen
testing to some degree, right?
And so I feel like that's a good like foundational skill for that
side.

SPEAKER_00 (47:31):
Our pen testing is different than the traditional
pen testing, right?
We're not coming in and testing perimeters, we're not testing
firewalls.
We're going, we focus on coming into an environment and testing
SAP.
So we do black box testing for customers.
And I love being able to do that because it challenges customer
perceptions, right?

(47:52):
So they may think that they have a level of security, and then we
come in and we show that that's not the case.
So our researchers not only work with SAP and understand what the
vulnerabilities are, and then we work.
So when I say work with SAP, we have SAP applications, right,
that we test, that we work with.
And then once we find those vulnerabilities, we go ahead and

(48:13):
report them.
But we also go into environments where we test actual SAP
installations at customer premises.
And that's that's not only a way for us to help them understand
their environment and help them to gain additional security, but
it's also a path for us to understand how SAP is being used
that gives us insight to further our own research.
So offensive security to me also means from prior experiences

(48:37):
where I set up and ran counterintelligence operations
where I engaged threat actors.
So I did this at the various.
If you looked at my LinkedIn profile, you can kind of get an
understanding of where that might have happened.
But yeah, I mean, I've been involved in engaging threat
actors and getting them arrested, working with law

(48:57):
enforcement and working with through legal channels to do
botnet takedowns to get threat actors arrested.
I had a case where I investigated one of the biggest
spam attacks at one company that I was at and identified who the
threat actors were, passed that information over to law
enforcement.
We identified that that person was landing in a country that

(49:18):
was kind of like a partner to the United States.
So once that person landed, we were able to get that person
arrested.
Nice.

SPEAKER_01 (49:26):
Wow.
Well, Paul, you know, we're definitely at the top of our
time, unfortunately, but I definitely want to bring you
back on and talk to talk about some of that other stuff, you
know, that you were doing.
It's some pretty cool, interesting stuff.
You know, I think you might have some good stories to talk about.
But I I really appreciate you coming on and taking the time.

SPEAKER_00 (49:46):
Absolutely.
My pleasure.
I mean, it sounds like we can have a lot to discuss, whether
it's all that other stuff or whether it's advice for people
trying to get in.
I would love to be able to join back on.

SPEAKER_01 (49:58):
Yeah.
Yeah, absolutely.
Well, we'll we'll definitely figure it out.
But before I let you go, how about you tell my audience where
they could find you if they wanted to connect with you and
where they could find Onapsis if they wanted to learn more about
your company and your solution?

SPEAKER_00 (50:13):
Absolutely.
So for my company, you can go to onapsis.com and at onapsis.com,
you can look at the navigation.
You can find us under the Onapsis Research Labs.
There's information in there that we put up.
We put up blog posts, we put up threat reports, we have
webinars.
We've had a lot of webinars and reports about 31324.

(50:35):
So if you actually do a Google search for Onapsis in 2025
31324, you'll see our main go-to article over this zero day.
SAP has actually thanked us in their patch month release notes
for working with them intimately about this zero day.
So that's been 31324 has been a fantastic journey.

(50:58):
For me personally, you can probably reach me out on
LinkedIn.
So if you do a search, you'll see me on LinkedIn.
Feel free to send me an invite.
I'd be more than willing to connect with you no matter over
what topic you want to discuss, whether it's SAP security,
whether it's offensive security, whether it's security or IT or
how to get into this, I'm more than willing to help out.

SPEAKER_01 (51:18):
Awesome.
Well, thanks everyone.
I hope you enjoyed this episode.