PwC Germany and SecurityBridge are committed to strengthening the security of the SAP ecosystem by conducting thorough research and providing expert advice on SAP Security. This is the second and final article of the series dedicated to the CVE-2023-36922 vulnerability and stems from the combined effort of three SAP Security experts: Daniel Peisker (PwC Germany), Benedikt Schumacher (PwC Germany), and Joris Van De Vis (SecurityBridge).
In our first article, we provided a detailed analysis of the SAP vulnerability CVE-2023-36922 and the security risk it poses. Because vulnerabilities that grant access to the OS layer (through command execution or direct file access) are not an isolated case, we give guidance on reducing the overall risk that goes beyond mere patching. Let’s now focus on how you can practically and efficiently reduce the risk posed by all OS-access vulnerabilities in SAP code.
To reduce the risk, you should consider a combination of measures and controls:
The probability of a vulnerability occurring can be decreased by strengthening the vulnerability and patch management processes for the SAP standard code base, and by adopting a DevSecOps approach with automated security checks and quality gates for your SAP custom code.
To maintain a robust security posture, organizations must manage their SAP Security Notes and Support Package Stacks (SPS) and apply patches promptly. When Security Notes are released (usually on Patch Tuesday), it is crucial to swiftly assess their applicability and criticality: the criticality of the vulnerability addressed in a note determines the urgency of mitigation and patch application. Patch application and mitigation measures should always be tracked and monitored so that every note is handled efficiently and none is lost.
To streamline this process, consider leveraging SecurityBridge. It provides valuable insights and can assist with automation related to patch implementation.
In SAP custom code development, integrating DevSecOps practices enhances security and mitigates code security risks. By applying security practices across the stages of planning, development, testing, continuous integration / continuous deployment (CI/CD), monitoring, maintenance, and developer training, organizations can proactively address security risks at every stage.
Specific measures to proactively prevent the mentioned vulnerabilities in SAP custom code from the DevSecOps process could be:
By combining guidelines, developer knowledge, and an integrated tool you can significantly enhance the security posture of your custom code within the DevSecOps process.
Consider introducing monitoring and logging measures on the host system layer to detect unauthorized access attempts by SAP binaries to non-SAP directories. Monitor and alert when SAP binaries access or execute files or directories outside the allow-listed SAP paths, or when unexpected activity takes place (e.g., sudo invoked by SAP OS users).
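One way to implement such host-level detection, as an added example that is not part of the original article: a small Python detector run over constructed, simplified key=value audit records (not real auditd syntax). The allow-listed path prefixes, the `<sid>adm` user naming pattern, and the sample records are assumptions to be tuned per landscape.

```python
"""Flag activity by SAP binaries and SAP OS users outside expected paths.
Added example over constructed key=value records (not real auditd output)."""
import os
import re
import shlex

# Assumed allow-list of prefixes SAP binaries may touch; system library paths are
# included so normal loader activity is not flagged. Tune per host.
SAP_ALLOWED_PREFIXES = ("/usr/sap/", "/sapmnt/", "/lib", "/lib64", "/usr/lib")
# Assumed naming convention for SAP OS users: <sid>adm, e.g. prdadm
SAP_USER_RE = re.compile(r"^[a-z0-9]{3}adm$")

def parse_record(line):
    """Parse one key=value record; shlex keeps quoted values with spaces intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def is_allowed(path):
    return path.startswith(SAP_ALLOWED_PREFIXES)

def classify(ev):
    """Return an alert reason for a suspicious record, or None if it looks benign."""
    user, exe, path = ev.get("user", ""), ev.get("exe", ""), ev.get("path", "")
    # Case 1: sudo invoked by an SAP OS user (either as the exe or the exec target)
    if SAP_USER_RE.match(user) and "sudo" in (os.path.basename(exe), os.path.basename(path)):
        return f"sudo invoked by SAP OS user {user}"
    # Case 2: an SAP binary accessing or executing something outside the allow-list
    if is_allowed(exe) and path and not is_allowed(path):
        verb = "executed" if ev.get("type") == "EXECVE" else "accessed"
        return f"{user}: {os.path.basename(exe)} {verb} non-allow-listed path {path}"
    return None

def scan(lines):
    """Run classify() over all records and collect alerts in input order."""
    return [r for r in (classify(parse_record(l)) for l in lines) if r]

# Constructed sample records: a benign trace write, a sensitive file read, a shell
# spawned from the SAP work process, a sudo call, and an unrelated root action.
SAMPLE_LOG = [
    "type=PATH user=prdadm exe=/usr/sap/PRD/DVEBMGS00/exe/disp+work path=/usr/sap/PRD/DVEBMGS00/work/dev_w0",
    "type=PATH user=prdadm exe=/usr/sap/PRD/DVEBMGS00/exe/disp+work path=/etc/shadow",
    "type=EXECVE user=prdadm exe=/usr/sap/PRD/DVEBMGS00/exe/disp+work path=/bin/bash",
    "type=EXECVE user=prdadm exe=/usr/bin/sudo path=/usr/bin/sudo",
    "type=PATH user=root exe=/usr/bin/vim path=/etc/hosts",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

The three alerts from the sample records are the events the paragraph above describes; the benign SAP write and the root action produce none.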
To limit the impact in case OS-access vulnerabilities are exploited, at least the following measures should be defined and agreed upon:
Thank you for reading this article, and please remember the importance of taking a comprehensive approach to SAP security. By addressing the risk strategically and not solely relying on patching isolated vulnerabilities, you can strive for a more robust and resilient security posture.
Posted by
Daniel Peisker (PwC Germany),
Benedikt Schumacher (PwC Germany),
Joris van de Vis (SecurityBridge)