[SCN NetWeaver Basis Architecture Space] Keeping On Top Of The Latest Security Vulnerabilities For The Portal
Recently in the course of my work I have been looking at the quality of the measures which have been taken to
secure a couple of Internet Facing SAP Portal solutions.
Many of us Portal people are familiar with the out-of-the-box SAP solutions which can require setting up an Internet-Facing Portal; a couple of these are:
- SCN Partner Access – using the Portal as the door to the SAP Supply Chain Management system
- FSCM Biller Direct – using the Portal as the door to the SAP Financial System
Both of these scenarios expose the company to risk which must be mitigated and contained. As has been pointed
out clearly elsewhere, including by Alexander Polyakov in many of his blogs, everything that can be done to
secure these scenarios must be done, because the consequences of losing an SAP Financial System or an SAP
Supply Chain Management System to a security vulnerability do not need spelling out.
There are many philosophies for securing Internet or External Facing Portals and the SAP Infrastructure behind,
and I will not be going into these in this blog.
Instead this blog focuses on the moving boundary of known security vulnerabilities and on strategies for
keeping up with them. Viruses, vulnerabilities and hacking techniques appear all the time, 24/7, every day.
This is one area of our technology that does not sleep.
Where are the vulnerabilities? Security vulnerabilities are everywhere: in the Operating System, the Database,
the Application, and the existing security infrastructure itself (firewalls, proxies etc.).
The goal of this blog is to open the discussion on the best strategies for keeping up with known security
vulnerabilities and mitigating them.
Back to what I have been doing: recently I've been looking at the quality of the security of some existing installations.
One of the steps I took was to search the SAP OSS Notes for security-related OSS Notes and go through them,
starting with the newest.
I was surprised that in the last month alone there have been 80 SAP Security OSS Notes, not all for the Portal, but
covering all the different parts of the infrastructure: OS, DB, Application, Proxy, Firewall etc.
What Does This Mean For Basis Architects and Administrators ?
- This means new security risks and vulnerabilities are appearing all the time.
- As a result, new security risks must be monitored.
- And each one must be rated as to whether it requires action or not.
In more recent security OSS Notes SAP is adhering to the CVSS standard for measuring security risk: each note
states a CVSS base score (and the vector it was derived from), so the severity of one note can be compared with another.
[Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the
severity of computer system security vulnerabilities; see http://en.wikipedia.org/wiki/CVSS]
What To Do Next ?
- Decide whether or not to proactively monitor SAP's published security risks.
- Then decide how much effort should be put into monitoring SAP's published security vulnerabilities.
How to Proactively Monitor SAP Security Risks
- Weekly or Monthly monitoring of:
- Set up the SAP HotNews (priority 1 SAP Notes) notification service on SMP
- Search for SAP's latest published security vulnerabilities
- Search in the SMP security section: https://service.sap.com/securitynotes
- Implement OSS Note 888889 – Automatic checks for security notes using RSECNOTE
- Then run RSECNOTE. It is an ABAP report rather than a transaction of its own (start it via SA38, or from
the ST13 tool). The customer can run this report at any point in time, get a list of the security notes
required for their system, and take decisions depending on the criticality.
- SAP Security Patch Day
Based on feedback from customers and SAP user groups, SAP have now launched a regular
SAP Security Patch Day, scheduled for the second Tuesday of every month, to ensure that
security fixes for all SAP products subject to support through SAP Service Marketplace are
available to be downloaded.
This has the following advantages:
- Better planning for SAP Security Notes implementation with this dedicated, regular schedule
- More efficient review and selection of SAP Security Notes relevant for your organization
- More efficient patching of SAP systems as it is on the same day as with other software providers
On the SAP Security Patch Day, SAP will provide the fixes in form of notes on SAP Service Marketplace.
Security fixes for SAP NetWeaver based products are also delivered with the support packages of these
products.
For all notes with high or very high priority we provide this service for the support packages from the last
18 months.
http://service.sap.com/securitynotes -> SAP Security Patch Day
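The monitoring routine above ends with a judgement call: which of the month's notes apply to the components you actually run, and how urgent is each one. The CVSS paragraph earlier explains that SAP now attaches a CVSS score to each note, which is what makes that triage mechanical. The script below is an added example, not code from this post or from SAP: it parses CVSS v2 base vectors (the version in use at the time of writing), recomputes the base score from the CVSS v2 specification, maps it to a priority band, and keeps only the notes that hit installed components. The note numbers, component labels and vectors are constructed sample data, and the HotNews/High/Medium/Low thresholds are the bands SAP describes in its security notes FAQ; check them against the current FAQ before relying on them.

```python
"""Triage a batch of SAP security notes by CVSS v2 base score.

Added example for this post, not SAP's or the author's code. It assumes the
notes have been copied off the SMP security notes list into simple dicts.
SAMPLE_NOTES below is constructed sample data, not real SAP Notes.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights, from the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # AccessVector: Local / Adjacent / Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # AccessComplexity: High / Medium / Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication: Multiple / Single / None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Conf/Integ/Avail impact: None / Partial / Complete

# Priority bands as documented in SAP's security notes FAQ (assumption: verify
# against the current FAQ, these are not taken from the post itself).
BANDS = [(9.0, "HotNews"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:C/I:C/A:C' -> {'AV': 'N', 'AC': 'L', ...}.

    Rejects vectors missing any of the six base metrics, so a truncated
    copy-paste from the notes list cannot silently score as harmless.
    """
    metrics = {}
    for part in vector.strip("()").split("/"):
        key, _, value = part.partition(":")
        metrics[key] = value
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError("incomplete CVSS v2 vector, missing %s" % sorted(missing))
    return metrics


def _round1(x):
    # CVSS rounds half-up to one decimal; Python's round() is banker's rounding.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector):
    """Recompute the CVSS v2 base score from its vector (spec formula)."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def sap_priority(score):
    """Map a base score onto the HotNews / High / Medium / Low bands."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    return "Low"


def triage(notes, installed_components):
    """Return (note, priority, score) tuples, most severe first.

    Notes whose component is not installed are dropped: they are noise for
    this landscape even if their score is high.
    """
    results = []
    for note in notes:
        if note["component"] not in installed_components:
            continue
        score = cvss2_base_score(note["cvss"])
        results.append((note["note"], sap_priority(score), score))
    results.sort(key=lambda r: r[2], reverse=True)
    return results


# Constructed sample data: fake note ids, illustrative component labels.
SAMPLE_NOTES = [
    {"note": "sample-1", "component": "Portal", "cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"note": "sample-2", "component": "Portal", "cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
    {"note": "sample-3", "component": "Database", "cvss": "AV:L/AC:L/Au:N/C:N/I:N/A:C"},
    {"note": "sample-4", "component": "SCM", "cvss": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
]
INSTALLED = {"Portal", "Database", "OS"}

if __name__ == "__main__":
    for note, prio, score in triage(SAMPLE_NOTES, INSTALLED):
        print("%-10s %-8s %4.1f" % (note, prio, score))
```

The score is recomputed from the vector rather than trusted from the listing on purpose: it catches transcription errors in whatever spreadsheet the notes were copied into, and the same function works for any CVSS v2 vector, not only the four shown. Notes for components you do not run are dropped before scoring, which is the cheap half of the triage; the expensive half, deciding what to do about a Medium on an Internet-facing Portal, is still a human decision.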
Wrapping Up
So there it is. We all know the risks, and we all know security vulnerabilities are a moving target, with new threats
coming 24 hours a day, 7 days a week.
We now all know where the best quality information from SAP on the latest security vulnerabilities is
located.
We have no excuse now.
The only decision left for each of our organisations is to measure the risks and decide what to
act upon, and when.
Further information
Security Patch Process FAQ
http://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
This FAQ is written by Frank Buchholz, and it is fair to say Frank is Mr SAP Security; just have a look
through Frank's blogs.
Protect your system with simple effort
http://scn.sap.com/people/gowrinadh.challagundla/blog/2010/05/17/protect-your-system-with-simple-effort
CVSS
http://en.wikipedia.org/wiki/CVSS
SMP Security Section
https://service.sap.com/securitynotes
All feedback on this subject is welcomed; the point of the [SCN NetWeaver Basis Architecture Space] is
to get like-minded SAP Basis Architects and Administrators talking, sharing knowledge and information,
and learning from each other.
If I have missed anything please add it in the comments, if you have more to add to this topic feel free to
contribute through the comments.
All the best,
Andy Silvey.

Hi Andy,
Great blog. As you said, securing / hardening the entire SAP infrastructure is a complex matter and needs involvement of several different teams. But you got to start somewhere, and patching is a very important component.
Just a small link to another great document, which covers some basic steps to secure your ABAP server can be found here: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
Hi Jan,
nice document doing precisely what it says on the box cover, thanks.
The thing about the latest OSS Notes for security is that they are not necessarily OSS Notes containing patches/enhancements to be deployed with SNOTE or the JSPM, there are a lot which are configuration or parameter changes and the OSS Notes medium is used as the mechanism for delivering/communicating these security updates.
All the best,
Andy.
Hi Andy,
<WARNING: SECURITY IN SAP IS COMPLEX AND THERE IS NO SILVER BULLET>
Keeping SAP security up-to-date is quite an effort. It is not just the applications (which is already a lot of different systems) but you need to take into account the entire infrastructure. Securing SAP is about patching ABAP and JAVA (via SP-stacks or single notes / Java packages), making sure the configuration is OK (parameters, ACLs, customising, etc, etc), but also patching and configuring the other components like SAProuters, Web Dispatchers, operating system, databases, middleware, network equipment, network shares, SAP GUIs, Microsoft patches on the frontend, etc, etc.
Since an end-to-end SAP process goes through this entire infrastructure, every component needs to be patched and configured correctly. This is not an easy task.
What I see at many customers is that different components are handled by different teams and that there is no SAP-specific responsible person/department. This might be a first good step: to pick this up centrally to manage that all involved teams are connected.
Also it is important to define what is in scope, make sure you get to know what components are involved and define where there are vulnerabilities, where risks lie, what risk you find acceptable and what the amount of money is you want to pay for securing the infra.
Some more hints: Pay special attention to internet-connected systems, periodically review the state of your infrastructure by doing audits. And not the SoD audits from the past, but complete infra audits on all these components. Decide whether you need tooling to automate this. There are several.
Additionally you can try to scan your custom-made ABAPs for dangerous statements. There are several tools for this.
And I probably forget half of the rest 😉
But I hope this gives you a bit of an idea.
</WARNING: SECURITY IN SAP IS COMPLEX AND THERE IS NO SILVER BULLET>
Very nicely presented and documented.
Regards,
Himanshu
Hi Himanshu,
thank you.
Feel free to join in, if you have anything to add, or questions on the blog subject which people interested can discuss, then put it here.
All the best,
Andy.