
You may have read part 1 of this blog, where I explained how the process of identifying relevant security notes was getting easier. Part 1 can be found here: "Do your doors have locks? Are they installed? If not today, when?"

 

I have participated in two focus groups over the last year to improve the security notes process. The effort was not only an attempt to make the identification of SAP security notes easier, but also to ensure that the content, rating and messaging were consistent. SAP had previously communicated several critical notes with a low implementation rate to CIOs. For a vendor, this is neither a timely message nor cost-effective communication. The latest process update for identifying high priority notes may be the biggest improvement since sliced bread.

 

If you use EarlyWatch or have been reviewing the security notes in the support portal, you will have seen a consulting note pointing you to note 888889 (https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=0000888889). Many of the high priority and HotNews notes also list note 888889 as a related note. I enjoy sliced bread, but I believe this is the greatest improvement in the identification of relevant SAP security notes this century. The tool is not sophisticated enough to determine whether you have the affected functionality configured, but it does filter out notes based on your current release and patch levels. In the Service Marketplace Security Notes list (https://websmp210.sap-ag.de/securitynotes) you could review the more than 30 notes released in the past month, or the over 400 currently documented in total. Reviewing a short status report of only the notes that apply directly to your installation is a far better fit for these days of lean IT.

 

The tool RSECNOTE is included in software component ST-A/PI as of Release 01M_*. If you are on a lower release you can apply the note manually to begin using the tool without applying a support package. If you were from Missouri, you might ask me to show you how easy it is. Once the tool is installed you can start the analysis from transaction ST13. (Depending on your security role design, you may need additional authorizations to execute the tool; the specific authorizations required are documented in the note.)

[Screenshot: starting RSECNOTE from transaction ST13]

Since RSECNOTE is also an ABAP program, you can execute it from transaction SA38 as well. From an audit perspective, however, there is less risk in executing it from ST13. After you click execute, the tool returns a report listing the missing recommendations, the successfully applied recommendations and the manually confirmed recommendations. Review each missing recommendation to determine whether it applies to your environment. If a note does not apply, you can set its status manually to green, which moves it into the manually confirmed recommendations. You can also reset the status if it was changed in error. Be aware that even when you do not have the specific functionality configured, your system may still be exposed, depending on the vulnerability. Here is an excerpt showing missing recommendations from a sample system:

[Screenshot: missing recommendations from a sample system]

Note that you will have two status types for the missing recommendations. HotNews notes are flagged with a red traffic light and high priority notes are flagged with a yellow traffic light.
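The release and patch-level filtering and the three-section report described above, modelled as an added Python example. This is not SAP's code and does not reproduce RSECNOTE's real data format: it assumes a simplified model in which each note names one affected software component, release and support-package range, and the system inventory lists installed component levels. Component names, note numbers and SP ranges are constructed placeholders. Notes outside the installed range are dropped, the rest land in the missing, successfully implemented or manually confirmed section, missing notes carry their traffic-light colour with HotNews (red) first, and a reviewer's manual confirmation can be set and reset.

```python
"""Model of release/SP-level filtering and traffic-light status as a tool
like RSECNOTE applies it. Added illustration, not SAP's code; the data model
and all sample values are constructed for this example."""
from dataclasses import dataclass, field
from enum import Enum


class Priority(Enum):
    HOTNEWS = "red"      # HotNews notes: red traffic light
    HIGH = "yellow"      # high priority notes: yellow traffic light


class Status(Enum):
    MISSING = "missing recommendation"
    IMPLEMENTED = "successfully implemented"
    CONFIRMED = "manually confirmed"


@dataclass(frozen=True)
class SecurityNote:
    number: str          # placeholder numbers below, not real SAP notes
    component: str       # affected software component, e.g. SAP_BASIS
    release: str         # affected release of that component
    sp_from: int         # first affected support package level (inclusive)
    sp_to: int           # last affected SP level; the fix ships in sp_to + 1
    priority: Priority


@dataclass
class SystemInventory:
    components: dict                                 # component -> (release, sp_level)
    implemented: set = field(default_factory=set)    # notes already applied via SNOTE
    confirmed: set = field(default_factory=set)      # notes a reviewer set to green


def applies(note: SecurityNote, system: SystemInventory) -> bool:
    """A note is relevant only if the affected component is installed at the
    affected release and the installed SP level lies inside the affected range."""
    installed = system.components.get(note.component)
    if installed is None:
        return False
    release, sp_level = installed
    return release == note.release and note.sp_from <= sp_level <= note.sp_to


def build_report(notes, system):
    """Return the three report sections. Missing notes carry their light colour,
    with HotNews (red) listed before high priority (yellow)."""
    report = {status: [] for status in Status}
    for note in notes:
        if not applies(note, system):
            continue                      # filtered out: not affected at this level
        if note.number in system.implemented:
            report[Status.IMPLEMENTED].append(note.number)
        elif note.number in system.confirmed:
            report[Status.CONFIRMED].append(note.number)
        else:
            report[Status.MISSING].append((note.number, note.priority.value))
    report[Status.MISSING].sort(key=lambda item: item[1] != "red")  # stable: red first
    return report


def confirm_manually(system, number):
    """Reviewer judged the note not applicable (e.g. function not configured): set it green."""
    system.confirmed.add(number)


def reset_confirmation(system, number):
    """Undo a manual confirmation made in error; the note returns to 'missing'."""
    system.confirmed.discard(number)


# Constructed sample data; note numbers are placeholders, not real SAP notes.
SAMPLE_NOTES = [
    SecurityNote("9000001", "SAP_BASIS", "700", 0, 18, Priority.HOTNEWS),
    SecurityNote("9000002", "SAP_BASIS", "700", 0, 10, Priority.HIGH),   # fixed before SP 15
    SecurityNote("9000003", "SAP_BASIS", "700", 0, 20, Priority.HIGH),
    SecurityNote("9000004", "ST-PI", "2008_1_700", 0, 5, Priority.HIGH),
    SecurityNote("9000005", "BI_CONT", "704", 0, 9, Priority.HOTNEWS),   # component not installed
]


def sample_system():
    """Constructed inventory: SAP_BASIS 700 at SP 15, ST-PI at SP 3, one note applied."""
    return SystemInventory(
        components={"SAP_BASIS": ("700", 15), "ST-PI": ("2008_1_700", 3)},
        implemented={"9000003"},
    )


if __name__ == "__main__":
    system = sample_system()
    for status, entries in build_report(SAMPLE_NOTES, system).items():
        print(f"{status.value}: {entries}")
```

Running the block as a script prints the three sections for the constructed inventory; notes 9000002 (fixed below the installed SP level) and 9000005 (component not installed) are filtered out before any status is assigned, which is the behaviour the post attributes to the tool.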

[Screenshot: red (HotNews) and yellow (high priority) traffic lights in the missing recommendations]

Within the Successfully Implemented section of the report, RSECNOTE lists the notes that have already been implemented in your system. I have been using the tool for about six months and have identified several notes that resolved security-related anomalies in our environment. We have applied others to ensure that we address security vulnerabilities in a timely manner. With access to a simple tool like RSECNOTE, every SAP customer should be developing a process to review and apply these recommendations in a timely manner.



3 Comments


  1. Chris Bentley
    … it doesn’t go anywhere near far enough.
    What if there is a security hole in my JAVA stack system or my TREX or SAP Content Servers?

    As far as I’m concerned this is a good step forward but because RSECNOTE only covers ABAP then more development is required in this area I feel.

    1. Frank Buchholz

      Recently I’ve extended the report ZSECNOTE_CENTRAL which is presented in the project “Cross-system check for Security Notes” mentioned above:

      – Show application component of notes

      – Select and download multiple notes into SNOTE for local system

      – Show status of notes from transaction SNOTE for the local system

      – Implement notes via transaction SNOTE for the local system

      – Start transaction SNOTE for remote systems

