1.
The importance of
applying SAP patches

2.
ERP Security
• Experts in SAP Security assessments and hardening
• Worldwide top 5 found SAP Security research
• Regular presenters on SAP Security
• Developer Protect4S
• Founded in 2010
• Several business partners in BeNeLux
• Our mission is to raise the level of security of mission-critical SAP platforms
with a minimal impact on daily business.
Affiliations:
Partners:
“ERP-SEC works closely together with SAP
to reduce risk in their customers systems.
ERP-SEC was invited twice by SAP’s global
security team in Walldorf to present on
their ongoing SAP Security research”

3.
Introduction
• Results security assessments over the years are not good
• Risk increased because of a more connected world
• The question is not if you need to secure your SAP landscape, but HOW
• Why?
Fraud
Sabotage
Theft

4.
0
100
200
300
400
500
600
700
800
2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011
2012
2013
2014
2015
2016
2017
SAP Security notes
Findings of SAP and external researchers had lead to many patches:
>4000 SAP SECURITY NOTES in total

5.
Just 1 missing note can hurt you
Game over…
• Demotime

6.
Just 1 missing note can hurt you
Game over…
• Demotime

7.
Just 1 missing note can hurt you
Game over…
• Demotime

8.
Typically seen at customers (no joke)
• Customers apply SP Stack once every year or less
• Some do SAP Security notes in between
• Most do not apply SAP Security notes on monthly basis
• Risk-window is long; months or even years
• (Keep in mind: SAP Security notes are easy to Reverse Engineer)
Long Risk-window

9.
Long Risk-window

10.
Your participation is appreciated: https://nl.surveymonkey.com/r/RM97TYC
SAP Security notes survey

11.
But what do they mean?
• 42
• 895
Some numbers
Min. number of days it took SAP
to fix one of our >70 reported issues
Max. number of days it took SAP
to fix one of our >70 reported issues

12.
A challenge for SAP customers
• Testing
• Securing SAP systems is complex and time consuming
• Time-consuming task: implementing SAP Security notes
• Up-to-now a manual, repetitive task
• SAP notes released on a monthly base by dozens
• Awareness
• Time
• Budget
• Knowledge
• ….
Some reasons for bad patchmanagement

13.
To know what SAP Security notes you are missing there are a few options:
• SAP Marketplace – Security notes launchpad  Match manually with systems
• SAP Solution Manager – System Recommendations
• 3rd party tooling
Solutions?

14.
Our Solution

15.
Business Benefits
Apply up to 75 % of SAP Security notes automatically to
• Drastically reduce boring, manual, repetetive activities
• Have better secured SAP systems (Patch frequentie can be raised)
• Save time and focus on other security items
• Have better compliance
SAP Security notes

16.
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as
well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and
other countries.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not
warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either
express or implied, including but not limited to the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special,
indirect, or consequential damages that may result from the use of this document.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its
content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
No part of this document may be reproduced without the prior written permission of ERP Security BV.
© 2017 ERP Security BV.
Disclaimer