petr_solberg
Active Contributor

[SCN NetWeaver Architecture]  Keeping On Top Of The Latest Security Vulnerabilities For The Portal

Recently, in the course of my work, I have been looking at the quality of the measures which have been taken to secure a couple of Internet-facing SAP Portal solutions.

A lot of us Portal people are familiar with the out-of-the-box SAP solutions which can require setting up an Internet-facing Portal; a couple of these are:

  • SCN Partner Access - using the Portal as the door to the SAP Supply Chain Management system
  • FSCM Biller Direct - using the Portal as the door to the SAP Financial System

Both of these scenarios present companies with risk which must be mitigated and contained. As has been pointed out clearly elsewhere, including by alexander.polyakov in many of his publications, the most which is possible to be done to secure these scenarios must be done, because losing a SAP Financial System or a SAP Supply Chain Management System to a security vulnerability does not bear thinking about.

There are many philosophies for securing Internet or external-facing Portals and the SAP infrastructure behind them, and I will not be going into these in this blog.

Instead this blog focuses on the moving boundary of keeping up with known security vulnerabilities, and on strategies for doing so. Viruses, vulnerabilities and hacking strategies are appearing all the time, 24/7, all day every day. This is one area of our technology that does not sleep.

Where are the vulnerabilities? The security vulnerabilities are everywhere: from the operating system, through the database, through the application, through the existing security infrastructure (firewalls, proxies etc.).

The goal of this blog is to open the discussion on the best strategies for achieving the highest quality of keeping up with known security vulnerabilities and mitigating them.

Back to what I have been doing: recently I've been looking at the quality of securing some existing installations. One of the steps I took was to search the SAP OSS Notes for security related OSS Notes and go through them, starting with the most recent.

I was surprised that in the last month alone there have been 80 SAP Security OSS Notes, not all for Portal, but for all different parts of the infrastructure: OS, DB, application, proxy, firewall etc.

What Does This Mean For Basis Architects and Administrators?

  • This means new security risks and vulnerabilities are appearing all the time.
  • As a result, new security risks must be monitored.
  • And rated as to whether they require action or not.

In more recent security OSS Notes SAP is adhering to the CVSS standard for measuring security risk. [The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities: http://en.wikipedia.org/wiki/CVSS]

What To Do Next?

  • Decide whether to proactively monitor SAP's published security risks or not.
  • Then the question is, how much effort should be put into monitoring SAP's published security vulnerabilities?

How to Proactively Monitor SAP Security Risks

  • Weekly or monthly monitoring of:
    • Set up the SAP HotNews (Priority 1 SAP Notes) service on SMP
    • Search for SAP's latest published security vulnerabilities
    • Search in the SMP security section: https://service.sap.com/securitynotes
    • Implement OSS Note 888889 - Automatic checks for security notes using RSECNOTE
    • Then run Transaction “RSECNOTE”: the customer can run this report at any point in time, get a list of notes required for their system and take decisions depending on the criticality
    • SAP Security Patch Day

      Based on feedback from customers and SAP user groups, SAP have now launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month, to ensure that security fixes for all SAP products subject to support through SAP Service Marketplace are available to be downloaded.

      This has the following advantages:

        • Better planning for SAP Security Notes implementation with this dedicated, regular schedule
        • More efficient review and selection of SAP Security Notes relevant for your organization
        • More efficient patching of SAP systems as it is on the same day as with other software providers

      On the SAP Security Patch Day, SAP will provide the fixes in the form of notes on SAP Service Marketplace. Security fixes for SAP NetWeaver based products are also delivered with the support packages of these products. For all notes with high or very high priority we provide this service for the support packages from the last 18 months.

      http://service.sap.com/securitynotes -> SAP Security Patch Day
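As an added example (not code from the original post), here is a small Python triage script that applies the rating step above to a constructed list of security notes: it computes the CVSS v2 base score from each note's vector, maps it to a severity band, and keeps only the notes that affect components actually installed in the landscape and meet an action threshold. The note ids, component names, release dates, vectors and the 7.0 threshold are assumptions made for the illustration; only the CVSS v2 formula and weights are standard.

```python
import math
# CVSS v2 base-metric weights, taken from the CVSS v2 specification.
_W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def cvss2_base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    c, i, a = (_W[k][m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _W["Au"][m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    score = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(score * 10 + 0.5) / 10  # round half up to one decimal

def severity(score):
    """NVD severity bands for CVSS v2: Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def triage(notes, installed_components, threshold=7.0):
    """Notes that apply to the landscape and reach the threshold, highest score first, then newest first."""
    actionable = []
    for n in notes:
        if n["component"] not in installed_components:
            continue  # this note does not affect anything we run
        score = cvss2_base_score(n["cvss"])
        if score >= threshold:
            actionable.append({**n, "score": score, "severity": severity(score)})
    actionable.sort(key=lambda n: n["released"], reverse=True)  # newest first
    actionable.sort(key=lambda n: n["score"], reverse=True)     # stable sort: score wins
    return actionable

# Constructed sample notes: the ids, components, dates and vectors are made up for this example.
SAMPLE_NOTES = [
    {"note": "EXAMPLE-1", "component": "Portal", "released": "2012-04-10", "cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    {"note": "EXAMPLE-2", "component": "Database", "released": "2012-04-03", "cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"note": "EXAMPLE-3", "component": "Portal", "released": "2012-03-27", "cvss": "AV:N/AC:M/Au:N/C:N/I:P/A:N"},
    {"note": "EXAMPLE-4", "component": "Kernel", "released": "2012-04-10", "cvss": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
]

if __name__ == "__main__":
    for n in triage(SAMPLE_NOTES, {"Portal", "Database"}):
        print(n["note"], n["score"], n["severity"], n["component"], n["released"])
```

Lowering the threshold (or widening the installed component set) is how the "how much effort" question above turns into a concrete work list for the month.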

Wrapping Up

So there it is: we all know the risks, we all know security vulnerabilities are a moving target with new threats coming 24 hours a day, 7 days a week.

We now all know where the best quality information provided by SAP on the latest security vulnerabilities is located.

We have no excuse now.

The only decision we all have to make in all of our organisations is to measure the risks and decide what to act upon and when.

Further information

     Security Patch Process FAQ
     http://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq

     This FAQ is written by frank.buchholz and it is fair to say Frank is Mr SAP Security; just have a look through his profile (frank.buchholz).

     Protect your system with simple effort
     http://scn.sap.com/people/gowrinadh.challagundla/blog/2010/05/17/protect-your-system-with-simple-eff...

     CVSS
     http://en.wikipedia.org/wiki/CVSS

     SMP Security Section
     https://service.sap.com/securitynotes

All feedback on this subject is welcomed; the point of the [SCN NetWeaver Basis Architecture Space] is to get like-minded SAP Basis Architects and Administrators talking and sharing knowledge and information, and learning from each other.

If I have missed anything please add it in the comments; if you have more to add to this topic feel free to contribute through the comments.

All the best,

Andy Silvey.
