Wednesday, 19 April 2017 12:37

Patch Management for SAP systems, is it necessary at all?


Security patching of an SAP system, is it necessary at all?

Before I begin my article, please allow me to introduce myself. My name is Markus Stuiber, I'm 20 years old and I started my IT career in a big automotive group, where I worked in the SAP Basis area, more specifically in the SAP Security environment. Since April 2017 I have been working for ABAP-Experts.com as an SAP Security Consultant. Through this article, I would like to start sharing 1.5 years of my experience in the topic of SAP security.

“SAP Security Patching. Is it worth it?”

is a question I have heard very frequently in recent years. And yes, it is quite a good one, one which should be answered really carefully. Of course, security patching of an SAP system takes a lot of time and effort, and sometimes, to be truly honest, it is really annoying. That is the reason why many organizations either ignore SAP security patching completely or handle it with far too low a priority.

Recent statistics show that cyber-attacks targeting SAP systems have steadily increased. In the recently released IBM X-Force Threat Intelligence Index 2017 (https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-13655&S_PKG=ov57325), IBM Security presents an analysis of the security data harvested across 8,000 of its customers spread over 100 countries. A key statement in the report is a 566 % increase in stolen data records, from 600 million in 2015 to more than 4 billion in 2017!

Companies may not even have recognized that they have already been hacked, since on average it takes 265 days before it is recognized that a hack or data theft has taken place. Thus, no timely measures are taken, and the financial damage grows exponentially until it is already too late. Sure, you can't protect a system 100% from every type of hacking. But one should do one's utmost, closing all known vulnerabilities, in order to avoid well-known weaknesses. Google may be the world's most famous search engine, but with only a little effort it also provides access to some very interesting hacking manuals.

So the question “Is SAP security patching necessary?”, which links directly to the protection of customer and employee data, confidential business information, trade secrets, …, can only be answered with a “Yes”!

Security patching should be a core IT task within each company. It might be perceived as a boring housekeeping activity, but it is not only the housekeeper who is affected when security patching fails.

SAP Security patchday

On SAP Security patchday, which is the second Tuesday of each month, SAP releases a list of security notes which fix vulnerabilities discovered in SAP products. You'll find the security notes at:

Source: https://launchpad.support.sap.com/#/securitynotes (login requires an S-User)

On average, SAP releases roughly 20 to 25 notes per month. In April 2017 they released 20 security notes, two of which are classified in the category “HotNews”. In order to keep an SAP system secured from known vulnerabilities and exploits, it is vital that you act on these security notes on a regular basis. For more information about the security risks of operating SAP, check out our product video of SecurityBridge.

 

In my next article, I will elaborate further on security notes and also provide a hands-on guide to SAP security patching.

Markus Stuiber

"The people who are crazy enough to think they can change the world are the ones who do" - Steve Jobs
