[SCN NetWeaver Architecture] Keeping On Top Of The Latest Security Vulnerabilities For The Portal
Recently, in the course of my work, I have been looking at the quality of the measures taken to
secure a couple of Internet-facing SAP Portal solutions.
A lot of us Portal people are familiar with the out-of-the-box SAP solutions which can require setting up an
Internet-facing Portal; a couple of these are:
- SCN Partner Access - using the Portal as the door to the SAP Supply Chain Management system
- FSCM Biller Direct - using the Portal as the door to the SAP Financial system
Both of these scenarios present companies with risk which must be mitigated and contained. As has been pointed
out clearly elsewhere, including by alexander.polyakov in many of his posts, everything that can possibly be
done to secure these scenarios must be done, because the consequences of losing an SAP Financial system or an SAP Supply Chain
Management system to a security vulnerability do not bear thinking about.
There are many philosophies for securing Internet or external-facing Portals and the SAP infrastructure behind them,
and I will not be going into these in this blog.
Instead, this blog focuses on the moving boundary of keeping up with known security vulnerabilities, and on strategies
for doing so. Viruses, vulnerabilities and hacking techniques appear all the time, 24/7, every day.
This is one area of our technology that does not sleep.
Where are the vulnerabilities? Everywhere: from the operating system, through the
database, through the application, through the existing security infrastructure (firewalls, proxies etc.).
The goal of this blog is to open the discussion on the best strategies for achieving the highest quality of keeping up with
known security vulnerabilities and mitigating them.
Back to what I have been doing: recently I've been looking at the quality of the security of some existing installations.
One of the steps I took was to search the SAP OSS Notes for security-related OSS Notes and go through them,
starting with the most recent.
I was surprised that in the last month alone there have been 80 SAP Security OSS Notes, not all for the Portal, but for all
the different parts of the infrastructure: OS, DB, application, proxy, firewall etc.
What Does This Mean For Basis Architects and Administrators?
In more recent security OSS Notes SAP is adhering to the CVSS standard for measuring security risk.
[The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the
severity of computer system security vulnerabilities: http://en.wikipedia.org/wiki/CVSS]
What To Do Next?
How to Proactively Monitor SAP Security Risks
Based on feedback from customers and SAP user groups, SAP have now launched a regular
SAP Security Patch Day, scheduled for the second Tuesday of every month, to ensure that
security fixes for all SAP products subject to support through SAP Service Marketplace are
available to be downloaded.
This has the following advantages:
- Better planning for SAP Security Notes implementation with this dedicated, regular schedule
- More efficient review and selection of SAP Security Notes relevant for your organization
- More efficient patching of SAP systems, as it is on the same day as with other software providers
On the SAP Security Patch Day, SAP will provide the fixes in the form of notes on SAP Service Marketplace.
Security fixes for SAP NetWeaver based products are also delivered with the support packages of these
products.
For all notes with high or very high priority we provide this service for the support packages from the last
18 months.
http://service.sap.com/securitynotes -> SAP Security Patch Day
Wrapping Up
So there it is: we all know the risks, we all know security vulnerabilities are a moving target, with new threats
coming 24 hours a day, 7 days a week.
We now all know where the best quality information provided by SAP on the latest security vulnerabilities is
located.
We have no excuse now.
The only decision we all have to make in our organisations is to measure the risks and decide what to
act upon, and when.
Further information
Security Patch Process FAQ
http://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
This FAQ is written by frank.buchholz, and it is fair to say Frank is Mr SAP Security; just have a look
through his posts.
Protect your system with simple effort
http://scn.sap.com/people/gowrinadh.challagundla/blog/2010/05/17/protect-your-system-with-simple-eff...
CVSS
http://en.wikipedia.org/wiki/CVSS
SMP Security Section
https://service.sap.com/securitynotes
All feedback on this subject is welcomed; the point of the [SCN NetWeaver Basis Architecture Space] is
to get like-minded SAP Basis Architects and Administrators talking, sharing knowledge and information,
and learning from each other.
If I have missed anything, please add it in the comments; if you have more to add to this topic, feel free to
contribute through the comments.
All the best,
Andy Silvey.