How to monitor Common Vulnerabilities and Security Notes in SAP Systems?
Sükrü Ilker BIRAKOĞLU
Managing Partner - CTO @ SAGESSE TECH / Securing SAP and other ERP Systems with state-of-the-art products and solutions
Unpatched vulnerabilities are one of the primary causes of cyberattacks today. At SAP, the Product Security Response Team (PSRT) collaborates with external security researchers on the responsible disclosure of vulnerabilities identified in SAP products.
New security patches that SAP's customers need to apply are published as Security Notes on the SAP Support Portal (note: the portal is accessible only to users with an S-User ID). A Security Note can contain patches for one or more vulnerabilities in a certain SAP product. It includes details about the vulnerabilities, their impact, the relevant patch description, and the affected product versions.
The exploitability risk and impact of a vulnerability on a product are currently evaluated at SAP using the Common Vulnerability Scoring System (CVSS) Version 3. CVSS is an open industry standard, initially developed by the National Infrastructure Advisory Council and continuously improved by the Forum of Incident Response and Security Teams, which consists of teams and companies from all over the world. Based on the evaluated CVSS score, a vulnerability is categorized as Hot News, which corresponds to 'Critical' in the CVSS severity rating scale, or as High, Medium, or Low. Consequently, a Security Note's severity is determined by the severity of the most critical vulnerability that it patches.
To help customers plan a consistent patching strategy, SAP releases its Security Notes on the second Tuesday of every month, the company's Security Patch Day. Patch Day Security Notes are typically released on Security Patch Day, along with Support Package Security Notes and Update Notes.
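As an added example (not code from the article or from SAGESSE TECH), the two rules described above expressed in Python: a Security Note inherits the rating of its highest CVSS v3 score, with the CVSS 'Critical' band reported under SAP's 'Hot News' label, and Security Patch Day is computed as the second Tuesday of a month. The note ids and scores are constructed for illustration and are not real SAP Notes.

```python
from dataclasses import dataclass
from datetime import date, timedelta

def cvss_rating(score: float) -> str:
    """CVSS v3 qualitative band; SAP labels the 'Critical' band 'Hot News'."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Hot News"  # CVSS 'Critical' (9.0 - 10.0)

SEVERITY_ORDER = {"Hot News": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

@dataclass
class SecurityNote:
    note_id: str         # constructed placeholder, not a real SAP Note number
    cvss_scores: list    # one CVSS v3 base score per vulnerability the note patches

    def severity(self) -> str:
        # The note's severity follows the most critical vulnerability it patches.
        return cvss_rating(max(self.cvss_scores))

def triage(notes: list) -> list:
    """Return (note_id, severity) pairs, most critical first (stable for ties)."""
    ranked = sorted(notes, key=lambda n: SEVERITY_ORDER[n.severity()], reverse=True)
    return [(n.note_id, n.severity()) for n in ranked]

def security_patch_day(year: int, month: int) -> date:
    """Second Tuesday of the month: SAP Security Patch Day."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7   # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_tuesday + 7)

def next_patch_day(today: date) -> date:
    """First Security Patch Day on or after 'today'."""
    this_month = security_patch_day(today.year, today.month)
    if this_month >= today:
        return this_month
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return security_patch_day(year, month)

# Constructed sample: NOTE-B patches two vulnerabilities and inherits the 9.8 rating.
SAMPLE_NOTES = [
    SecurityNote("NOTE-A", [6.5]),
    SecurityNote("NOTE-B", [5.3, 9.8]),
    SecurityNote("NOTE-C", [7.5, 3.1]),
]

if __name__ == "__main__":
    for note_id, severity in triage(SAMPLE_NOTES):
        print(note_id, severity)
    print("Next Security Patch Day:", next_patch_day(date.today()))
```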
Several tools and services are available to help technical experts on the customer side identify the notes relevant for their landscape, analyze whether applying an SAP Security Note has side-effects on the system, and confirm whether application of the SAP Security Note was successful. These tools can be used individually, as well as integrated with other SAP tools for optimum usage. These tools include:
System Recommendations — enables organizations to automatically identify SAP Security Notes that are relevant to them.
SAP Usage and Procedure Logging (UPL) — aids in the gathering of system usage data to easily identify SAP Security Notes addressing unused components.
Business Process Change Analyzer (BPCA) — helps in efficient testing after applying an SAP Security Note by determining the business processes affected by the SAP Security Note.
Configuration Validation — assists in validation after applying an SAP Security Note; for example, by validating whether a selected SAP Security Note has reached the production systems.
SAP EarlyWatch Alert — helps in identifying resource bottlenecks, misconfigurations, and security problems. By verifying the security checks in the Alert's report, organizations can proactively prevent severe security problems.
The SAP Security Engineers of SAGESSE TECH, the leading SAP and ERP security company of Turkey (www.sagessetech.com), have created a tool to detect and optimize the implementation status of SAP Security Notes in SAP systems.
You can follow SAGESSE TECH using the links below for more information about SAP Security, ERP Security, and SAP License Optimization products.
You can see a few example dashboards of this solution: