SAP Security Patch Day in September
SAP, a German software vendor, has over 425,000 customers in over 180 countries. Their products allow large and medium organizations to manage business processes.
If you are an SAP customer, you know that SAP issues patch releases on the second Tuesday of every month. For September 2019, the set of security notes consists of 16 items. Each of them covers fixes for vulnerabilities discovered in different SAP products.
SAP vulnerabilities, like vulnerabilities identified in other vendors’ product lines, are assessed according to the Common Vulnerability Scoring System (CVSS) standard. It communicates the technical characteristics and severity of software vulnerabilities, with scores ranging from zero (least severe) to 10 (most severe). The framework reflects ease of exploitation, potential impact, and priority: Hot News (10-9), High (8-7), Medium (6-4), and Low (3-0).
The highest CVSS base score in the September 2019 patch update is 9.1, assigned to two OS Command Execution vulnerabilities, both in the SAP JAVA platform.
Organizations running SAP have to secure the data that SAP stores, since attacks on their systems allow a cyber attacker to capture or change business-critical information.
SAP therefore strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.
Discussing how to manage today’s SAP risks
Today there are many cybersecurity tools that are more or less effective in protecting SAP systems. However, SAP clients should keep in mind that security risks are becoming increasingly serious, and should always stay alert. Protecting SAP applications is not the only thing business leaders usually expect from their teams. They also want more in terms of “adding value across the wider risk management agenda”.
When Turnkey Consulting’s global management team met in Sydney, Australia, they considered some of the biggest risk-related questions facing SAP customers today.
The discussions on security challenges with SAP implementations, cyber initiatives, security challenges presented by moving to SAP S/4 HANA, etc. are presented in the videos.
SAP Access Management
When it comes to access management, security professionals pay great attention to the application layers. At the same time, the infrastructure underneath these applications is often left aside, even though all the information stored in the program layer can be accessed via the infrastructure. To avoid security failures at this level, there are a number of questions that should be considered first.
To start with, define who can have access at the infrastructure level. Which users are allowed to access the infrastructure level, and what part of their job role requires that access?
It is preferable that access is provided exclusively to the Basis team, database administrators, backup administrators, and operating system administrators.
Then, all users should log in with their own identifiable credentials. It is also important to enable user activity logging so that users’ actions can be tracked.
Finally, there should be an emergency procedure planned in advance in case users perform inappropriate actions. Here, the response time determines the outcome of the critical situation and the overall impact on the system’s security.