As a reminder, a zero-day is a vulnerability that is not yet widely known and for which no patch exists. Hence, patching is not an option. This does not mean that regular and timely patching is not one of the most effective measures to protect against exploitation; on the contrary. Next Tuesday, the 8th of February, SAP customers expect to see another SAP Security Patch Day. On the second Tuesday of every month, SAP publishes the new security patches. This event starts a race between attackers and defenders, which the defenders can only win by installing the patch before the exploitation.
SAP sponsors bug bounty programs to support bug hunters and security researchers. Various individual researchers, as well as entire research labs, analyze standard software for vulnerabilities. However, even with this combined effort, zero-days can’t be eliminated.
SecurityBridge Patch Management informs you once a new patch relevant to your specific system installation has been published, which reduces effort and lead time before patching. Additionally, the SecurityBridge product team instantly issues signature updates that allow customers to monitor for potential exploits of yet unpatched vulnerabilities.
However, as no patch is available for a zero-day, there are a few other things that you need to consider: