Most of us apply the monthly patches for our operating systems (MacBooks, Windows systems, etc.). But what about the monthly security patches for our SAP systems?
Many organisations running SAP don't do this as regularly as they should. Some topics I'd like to discuss with the audience are:
- Why don't they do that?
- What are the risks involved?
- How to improve things?
2. ERP Security
• Experts in SAP Security assessments and hardening
• Worldwide top 5 found SAP Security research
• Regular presenters on SAP Security
• Developer Protect4S
• Founded in 2010
• Several business partners in BeNeLux
• Our mission is to raise the level of security of mission-critical SAP platforms
with a minimal impact on daily business.
“ERP-SEC works closely together with SAP
to reduce risk in their customers' systems.
ERP-SEC was invited twice by SAP’s global
security team in Walldorf to present on
their ongoing SAP Security research”
3. Introduction
• Results of security assessments over the years are not good
• Risk increased because of a more connected world
• The question is not if you need to secure your SAP landscape, but HOW
• Why?
Fraud
Sabotage
Theft
4. SAP Security notes
[Chart: SAP Security notes; x-axis years 2001 to 2017, y-axis 0 to 800]
Findings of SAP and external researchers have led to many patches:
>4000 SAP SECURITY NOTES in total
8. Typically seen at customers (no joke)
• Customers apply SP Stack once every year or less
• Some do SAP Security notes in between
• Most do not apply SAP Security notes on a monthly basis
• Risk window is long: months or even years
• (Keep in mind: SAP Security notes are easy to reverse engineer)
Long Risk-window
10. Your participation is appreciated: https://nl.surveymonkey.com/r/RM97TYC
SAP Security notes survey
11. But what do they mean?
Some numbers
• 42: min. number of days it took SAP to fix one of our >70 reported issues
• 895: max. number of days it took SAP to fix one of our >70 reported issues
12. A challenge for SAP customers
• Testing
• Securing SAP systems is complex and time consuming
• Time-consuming task: implementing SAP Security notes
• Up to now a manual, repetitive task
• SAP notes are released monthly, by the dozens
• Awareness
• Time
• Budget
• Knowledge
• ….
Some reasons for bad patch management
13. To know what SAP Security notes you are missing there are a few options:
• SAP Marketplace – Security notes launchpad: match manually with systems
• SAP Solution Manager – System Recommendations
• 3rd party tooling
Solutions?
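The manual match from the first option, combined with the risk window from the earlier slide, as an added example (not part of the original slides and not code from SAP or ERP-SEC). The CSV layouts, note numbers, dates and system IDs are constructed placeholders, not an SAP export format.

```python
import csv
import io
from datetime import date

# Constructed sample data: note numbers, dates and system IDs are placeholders,
# and the CSV layouts are assumed, not an SAP export format.
RELEASED_CSV = """note,released
9000001,2017-01-10
9000002,2017-03-14
9000003,2017-06-13
9000004,2017-09-12
"""
IMPLEMENTED_CSV = """system,note
PRD,9000001
PRD,9000003
DEV,9000001
DEV,9000002
DEV,9000003
DEV,9000004
"""

def load_released(text):
    """Map note number -> release date."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["note"]: date.fromisoformat(r["released"]) for r in rows}

def load_implemented(text):
    """Map system ID -> set of implemented note numbers."""
    systems = {}
    for r in csv.DictReader(io.StringIO(text)):
        systems.setdefault(r["system"], set()).add(r["note"])
    return systems

def missing_notes(released, implemented, today):
    """Per system: (note, days exposed) for each unapplied note, oldest first."""
    report = {}
    for system, done in implemented.items():
        gaps = [(n, (today - d).days) for n, d in released.items() if n not in done]
        report[system] = sorted(gaps, key=lambda g: g[1], reverse=True)
    return report

def risk_window(report):
    """Longest exposure in days per system (0 when fully patched)."""
    return {s: max((days for _, days in gaps), default=0) for s, gaps in report.items()}

if __name__ == "__main__":
    rep = missing_notes(load_released(RELEASED_CSV), load_implemented(IMPLEMENTED_CSV), date(2017, 10, 1))
    for system, days in risk_window(rep).items():
        print(system, "risk window:", days, "days; missing:", [n for n, _ in rep[system]])
```

A system with no implemented notes at all does not appear in the second file, so it needs an explicit row source of its own before it shows up in the report.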
15. Business Benefits
Apply up to 75 % of SAP Security notes automatically to
• Drastically reduce boring, manual, repetitive activities
• Have better secured SAP systems (patch frequency can be raised)
• Save time and focus on other security items
• Have better compliance
SAP Security notes