Facing a relentless increase in cybercrime and threats, many SAP Customers have been forced to improve their security posture and patch their SAP systems. But patching remains an uncomfortable balance between both business and security needs because it is possible that the implementation of a security patch may negatively affect or even break business processes.
Evolution of global cyber threats
With the fast-growing adaption of the internet starting around 2001, cybercrime also developed and over the last 20 years it has evolved in a global plague that is estimated to have cost the world 1 trillion (that is 1 x 1012) USD over 2020 (Source: McAfee). Some sources expect this value to rise to 6 trillion (6 x 1012) USD by the end of 2021.
Companies are learning hard lessons right now and catching up on security as fast as possible. This means patching infrastructure components like routers, firewalls, switches etc. but also software that supports the essential business processes, like SAP.
The harsh reality
Unfortunately, patching software like SAP is not as straightforward and there are several reasons for this:
SAP systems are critical to business processes and any change (including a security patch) done to an SAP system must be tested in a Test system before it can be applied to a Production system.
Most companies apply security patches without testing them or testing them implicitly by leaving then in Test for a period to see if nothing out of the ordinary happens.
SAP has recognized this and has come up with a Solution Manager based tool the SAP Solution Manager Test Suite that is able to analyse changes to SAP systems. The Business Process Change Analyzer (BPCA) collects information about objects used in business processes and is able to identify business processes that could possibly be impacted by the changed object(s) in a security note transport.
The tool requires considerable effort in setting it up and establishing a kind of process around it, which not every company is able to afford or to manage. And in the end, despite all the analysis, it is still up to the SAP customers to decide whether to implement the patch.
Increased risk due to patch window
Another aspect of security patching is that it takes time to implement new patches. Possible reasons:
- ongoing SAP projects and the chance that these could be affected
- patching requires system unacceptable downtime(s)
- a patch could have dependencies on other components in the software stack
- a change process is involved that simply takes time.
- A patch could disrupt business functions
SAP customers typically may take up to 6 months to apply a security note, exposing their SAP systems to an increased risk due to reverse engineering of patches into exploits:
See our blog: Can SAP Security Notes be used for creating exploits?
Pragmatic options
Given all the problems relating to the implementation of security patches, what can companies do to make their systems safer while avoiding negative effects on business processes as much as possible?
To limit security risks while minimizing impact on business processes, companies could be more selective in choosing the patches they apply, by using one or more of the selection criteria below:
- Only implement SAP security patches that have High or Hot News priority. Provided that support package stacks are applied regularly, these will then take care of the rest of the security notes later.
- Implement SAP security patches that are relevant to the NetWeaver layer SAP_BASIS, SAP_ABAP, ST-PI, SAP_BW (for ABAP systems) and Java Core components BASETABLES, J2EEFRMW, ENGINEAPI, SERVERCORE, CORETOOLS, J2EEAPPS* in the SAP Java systems.
- Implement SAP security patches for which known exploits exist (for instance RECON).
- Implement SAP security patches that are valid for all releases.
- Implement SAP security patches for vulnerabilities that are easy to exploit: missing authorisations (only those that apply to a functional area that is used), SQL-injection, Command-injection, or URL manipulation.
- Implement SAP Security patches that do not have a lot of dependent notes.
Protect4S
Protect4S offers SAP customers the option to apply missing SAP security Notes automatically. See our demonstration video. During this process it is possible to make a sensible selection of the SAP security notes to be applied based on: Risk, Impact, Likelihood, Mitigation Effort and CVSS Score.
To keep SAP systems safe, SAP Customers need a Vulnerability Management process. Protect4S offers an automated SAP Vulnerability Management Solution that can execute thousands of security checks in complex and large SAP environments, present the findings in a clear manner and offer mitigation and remediation advice based on SAP’s own Best Practices.
Protect4S offers a free trial so you can experience how much easier SAP Platform Security becomes with Protect4S and how easy it is to start up and work with it.
