
[SCN NetWeaver Architecture]  Keeping On Top Of The Latest Security Vulnerabilities For The Portal

Recently in the course of my work I have been looking at the quality of the measures which have been taken to secure a couple of Internet Facing SAP Portal solutions.

A lot of us Portal people are familiar with the out of the box SAP solutions which can require setting up an Internet Facing Portal; a couple of these are:

  • SCN Partner Access – using the Portal as the door to the SAP Supply Chain Management system
  • FSCM Biller Direct – using the Portal as the door to the SAP Financial System

Both of these scenarios present companies with risk which must be mitigated and contained. As has been pointed out clearly elsewhere, including by Alexander Polyakov in many of his blogs, everything that can possibly be done to secure these scenarios must be done, because losing an SAP Financial System or an SAP Supply Chain Management System to a security vulnerability does not bear thinking about.

There are many philosophies for securing Internet or External Facing Portals and the SAP Infrastructure behind them, and I will not be going into these in this blog.

Instead this blog focuses on the moving boundary of keeping up with known security vulnerabilities, and on strategies for doing so. Viruses, vulnerabilities and hacking strategies are appearing all the time, 24/7, all day every day. This is one area of our technology that does not sleep.

Where are the vulnerabilities? Security vulnerabilities are everywhere: from the Operating System, through the Database, through the Application, and through the existing security infrastructure such as firewalls and proxies.

The goal of this blog is to open the discussion on the best strategies for keeping up with known security vulnerabilities and mitigating them to the highest standard.

Back to what I have been doing: recently I’ve been looking at the quality of the security of some existing installations.

One of the steps I took was to search the SAP OSS Notes for security related OSS Notes and go through them, starting with the most recent.

I was surprised that in the last month alone there have been 80 SAP Security OSS Notes, not all for the Portal, but for all the different parts of the infrastructure: OS, DB, Application, Proxy, Firewall etc.

What Does This Mean For Basis Architects and Administrators?

  • New security risks and vulnerabilities are appearing all the time.
  • As a result, new security risks must be monitored.
  • And rated as to whether they require action or not.

In more recent security OSS Notes SAP is adhering to the CVSS standard for measuring security risk.

[The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities: http://en.wikipedia.org/wiki/CVSS]

[Image: OSSNote.PNG]

What To Do Next?

  • Decide whether to proactively monitor SAP’s published security risks or not.
  • Then the question is: how much effort should be put into monitoring SAP’s published security vulnerabilities?

How to Proactively Monitor SAP Security Risks

  • Weekly or Monthly monitoring of:
    • Set up the SAP Hot News Priority 1 SAP Notes service on SMP
    • Search for SAP’s latest published security vulnerabilities
    • Search in the SMP section https://service.sap.com/securitynotes
    • Implement OSS Note 888889 – Automatic checks for security notes using RSECNOTE
    • Then run Transaction “RSECNOTE”: the customer can run this report at any point in time to get a list of the notes required for their system and take decisions depending on the criticality
    • SAP Security Patch Day

          Based on feedback from customers and SAP user groups, SAP have now launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month, to ensure that security fixes for all SAP products subject to support through SAP Service Marketplace are available to be downloaded.

          This has the following advantages:

            • Better planning for SAP Security Notes implementation with this dedicated, regular schedule
            • More efficient review and selection of SAP Security Notes relevant for your organization
            • More efficient patching of SAP systems as it is on the same day as with other software providers

          On the SAP Security Patch Day, SAP will provide the fixes in the form of notes on SAP Service Marketplace. Security fixes for SAP NetWeaver based products are also delivered with the support packages of these products. For all notes with high or very high priority SAP provide this service for the support packages from the last 18 months.

          http://service.sap.com/securitynotes -> SAP Security Patch Day

Wrapping Up

So there it is: we all know the risks, and we all know security vulnerabilities are a moving target, with new threats coming 24 hours a day, 7 days a week.

We now all know where the best quality information provided by SAP on the latest Security Vulnerabilities is located.

We have no excuse now.

The only decision we all have to make in our organisations is to measure the risks and decide what to act upon and when.

Further information

     Security Patch Process FAQ
     http://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq

     This FAQ is written by Frank Buchholz, and it is fair to say Frank is Mr SAP Security; just have a look through Frank’s blogs.

     Protect your system with simple effort
     http://scn.sap.com/people/gowrinadh.challagundla/blog/2010/05/17/protect-your-system-with-simple-effort

     CVSS
     http://en.wikipedia.org/wiki/CVSS

     SMP Security Section
     https://service.sap.com/securitynotes

All feedback on this subject is welcomed; the point of the [SCN NetWeaver Basis Architecture Space] is to get like-minded SAP Basis Architects and Administrators talking, sharing knowledge and information, and learning from each other.

If I have missed anything please add it in the comments; if you have more to add to this topic, feel free to contribute through the comments.

All the best,

Andy Silvey.


5 Comments


  1. J. van de Vis

    Hi Andy,

    Great blog. As you said, securing / hardening the entire SAP infrastructure is a complex matter and needs involvement of several different teams. But you got to start somewhere, and patching is a very important component.

    Just a small link to another great document, which covers some basic steps to secure your ABAP server can be found here: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true

    1. Andy Silvey Post author

      Hi Jan,

      nice document doing precisely what it says on the box cover, thanks.

      The thing about the latest OSS Notes for security is that they are not necessarily OSS Notes containing patches/enhancements to be deployed with SNOTE or the JSPM, there are a lot which are configuration or parameter changes and the OSS Notes medium is used as the mechanism for delivering/communicating these security updates.

      All the best,

      Andy.

      1. J. van de Vis

        Hi Andy,

        <WARNING: SECURITY IN SAP IS COMPLEX AND THERE IS NO SILVER BULLET>

        Keeping SAP security up-to-date is quite an effort. It is not just the applications (which is already a lot of different systems) but you need to take into account the entire infrastructure. Securing SAP is about patching ABAP and JAVA (via sp-stacks or single notes / java packages), making sure the configuration is OK (parameters, ACL’s, customising, etc, etc), but also patching and configuring the other components like saprouters, webdispatchers, operating system, databases, middleware, network equipment, network shares, SAP gui’s, Microsoft patches on the frontend, etc, etc.

        Since an end-to-end SAP process goes through this entire infrastructure, every component needs to be patched and configured correctly. This is not an easy task.

        What I see at many customers is that different components are handled by different teams and that there is no SAP specific responsible person/department. This might be a first good step to pick this up centrally to manage that all involved teams are connected.

        Also it is important to define what is in scope, make sure you get to know what components are involved and define where there are vulnerabilities, where risks lie, what risk you find acceptable and what the amount of money is you want to pay for securing the infra.

        Some more hints: Pay special attention to internet-connected systems, periodically review the state of your infrastructure by doing audits. And not the SoD audits from the past, but complete infra audits on all these components. Decide whether you need tooling to automate this. There are several.

        Additionally you can try to scan your custom-made ABAP’s for dangerous statements. There are several tools for this.

        And I probably forget half of the rest 😉

        But I hope this gives you a bit of an idea.

        </WARNING: SECURITY IN SAP IS COMPLEX AND THERE IS NO SILVER BULLET>

    1. Andy Silvey Post author

      Hi Himanshu,

      thank you.

      Feel free to join in, if you have anything to add, or questions on the blog subject which people interested can discuss, then put it here.

      All the best,

      Andy.
