The importance of applying SAP patches (Joris van de Vis)


Most of us apply the monthly patches for our operating systems (MacBooks, Windows systems, etc.). But what about the monthly security patches for our SAP systems?

Many organisations running SAP don't do this as regularly as they should. Some topics I'd like to discuss with the audience are:
- Why don't they do that?
- What are the risks involved?
- How to improve things?

Published in: Technology
  1. 1. The importance of applying SAP patches
  2. 2. ERP Security • Experts in SAP Security assessments and hardening • Worldwide top 5 found SAP Security research • Regular presenters on SAP Security • Developer Protect4S • Founded in 2010 • Several business partners in BeNeLux • Our mission is to raise the level of security of mission-critical SAP platforms with a minimal impact on daily business. Affiliations: Partners: “ERP-SEC works closely together with SAP to reduce risk in their customers’ systems. ERP-SEC was invited twice by SAP’s global security team in Walldorf to present on their ongoing SAP Security research”
  3. 3. Introduction • Results of security assessments over the years are not good • Risk has increased because of a more connected world • The question is not if you need to secure your SAP landscape, but HOW • Why? Fraud, sabotage, theft
  4. 4. [Chart: SAP Security notes by year, 2001 to 2017] Findings of SAP and external researchers have led to many patches: >4000 SAP Security notes in total
  5. 5. Just 1 missing note can hurt you Game over… • Demotime
  8. 8. Typically seen at customers (no joke) • Customers apply an SP Stack once every year or less • Some do SAP Security notes in between • Most do not apply SAP Security notes on a monthly basis • Risk window is long: months or even years • (Keep in mind: SAP Security notes are easy to reverse-engineer) Long risk window
  9. 9. Long Risk-window
  10. 10. Your participation is appreciated: SAP Security notes survey
  11. 11. Some numbers: but what do they mean? • 42: min. number of days it took SAP to fix one of our >70 reported issues • 895: max. number of days it took SAP to fix one of our >70 reported issues
  12. 12. A challenge for SAP customers • Testing • Securing SAP systems is complex and time-consuming • Time-consuming task: implementing SAP Security notes • Up to now a manual, repetitive task • SAP notes are released on a monthly basis by the dozen • Awareness • Time • Budget • Knowledge • … Some reasons for bad patch management
  13. 13. To know which SAP Security notes you are missing there are a few options: • SAP Marketplace – Security notes launchpad → Match manually with systems • SAP Solution Manager – System Recommendations • 3rd party tooling Solutions?
  14. 14. Our Solution
  15. 15. Business Benefits Apply up to 75% of SAP Security notes automatically to • Drastically reduce boring, manual, repetitive activities • Have better secured SAP systems (patch frequency can be raised) • Save time and focus on other security items • Have better compliance SAP Security notes
  16. 16. SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2017 ERP Security BV. Disclaimer