[SCN NetWeaver Architecture] Keeping On Top Of The Latest Security Vulnerabilities For The Portal
Recently, in the course of my work, I have been looking at the quality of the measures taken to
secure a couple of Internet-facing SAP Portal solutions.
Many of us Portal people are familiar with the out-of-the-box SAP solutions that can require setting up an Internet-facing
Portal; a couple of these are:
- SCN Partner Access – using the Portal as the door to the SAP Supply Chain Management system
- FSCM Biller Direct – using the Portal as the door to the SAP Financial system
Both of these scenarios expose companies to risk that must be mitigated and contained. As has been pointed
done to secure these scenarios must be done, because the consequences of losing an SAP Financial System or an SAP Supply Chain
Management System to a security vulnerability do not need spelling out.
There are many philosophies for securing Internet-facing or external-facing Portals and the SAP infrastructure behind them,
and I will not be going into these in this blog.
Instead, this blog focuses on the moving boundary of known security vulnerabilities and on strategies
for keeping up with them. Viruses, vulnerabilities and hacking techniques appear all the time,
24/7, every day. This is one area of our technology that does not sleep.
Where are the vulnerabilities? Everywhere: from the operating system, through the database and the
application, to the existing security infrastructure (firewalls, proxies, etc.).
The goal of this blog is to open the discussion on the best strategies for keeping up with known security
vulnerabilities and mitigating them.
Back to what I have been doing: recently I’ve been looking at how well some existing installations are secured.
One of the steps I took was to search the SAP OSS Notes for security-related notes and go through them,
starting with the most recent.
I was surprised that in the last month alone there have been 80 SAP Security OSS Notes, not all for the Portal, but for all
the different parts of the infrastructure: OS, DB, application, proxy, firewall, etc.
What Does This Mean For Basis Architects and Administrators?
- New security risks and vulnerabilities are appearing all the time.
- As a result, new security risks must be monitored.
- And rated as to whether they require action or not.
In more recent security OSS Notes SAP is adhering to the CVSS standard for measuring security risk.
[The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the
severity of computer system security vulnerabilities: http://en.wikipedia.org/wiki/CVSS]
What To Do Next?
- Decide whether or not to proactively monitor SAP’s published security risks.
- Then the question is: how much effort should be put into monitoring SAP’s published security vulnerabilities?
How to Proactively Monitor SAP Security Risks
- Weekly or monthly monitoring of:
  - SAP Hot News: set up the Priority 1 SAP Notes service on SMP
  - SAP’s latest published security vulnerabilities: search in the SMP security section
- Implement OSS Note 888889 – Automatic checks for security notes using RSECNOTE
  - Then run transaction “RSECNOTE”; the customer can run this report at any point in time, get a list
    of the notes required for their system and take decisions depending on the criticality
- SAP Security Patch Day
Based on feedback from customers and SAP user groups, SAP have now launched a regular
SAP Security Patch Day, scheduled for the second Tuesday of every month, to ensure that
security fixes for all SAP products subject to support through SAP Service Marketplace are
available to be downloaded.
This has the following advantages:
- Better planning for SAP Security Notes implementation with this dedicated, regular schedule
- More efficient review and selection of SAP Security Notes relevant for your organization
- More efficient patching of SAP systems, as it is on the same day as with other software providers
On the SAP Security Patch Day, SAP will provide the fixes in the form of notes on SAP Service Marketplace.
Security fixes for SAP NetWeaver based products are also delivered with the support packages of these
For all notes with high or very high priority we provide this service for the support packages from the last
Source: http://service.sap.com/securitynotes -> SAP Security Patch Day
So there it is: we all know the risks, and we all know security vulnerabilities are a moving target, with new threats
coming 24 hours a day, 7 days a week.
We now all know where the best quality information from SAP on the latest security vulnerabilities is.
We have no excuse now.
The only decision we all have to make in our organisations is to measure the risks and decide what to
act upon, and when.
Security Patch Process FAQ
This FAQ is written by Frank Buchholz, and it is fair to say Frank is Mr SAP Security; just have a look
through Frank’s blogs:
Protect your system with simple effort
SMP Security Section
All feedback on this subject is welcome; the point of the [SCN NetWeaver Basis Architecture Space] is
to get like-minded SAP Basis Architects and Administrators talking, sharing knowledge and information,
and learning from each other.
If I have missed anything, please add it in the comments; if you have more to add to this topic, feel free to
contribute through the comments.
All the best,