
Sequence of implementing SAP security notes

Former Member

Dear Experts,

We have a 3 system landscape – Development (DEV), Quality (QAS) & Production (PRD) system.

We have identified the security notes from ST13->RSECNOTE tool for each system & were able to find the common notes for all 3 systems.

1->Please let us know the sequence in which we need to apply the notes: date-wise or note-number-wise (increasing order)?

2->Also, can we club the common notes into one transport request and then transport it to all 3 systems?

As per custom, we would be applying security notes starting from DEV->QAS->PRD.

The issue is, we found some notes which are different for each system. Please guide us on how to proceed.

Whether to import the uncommon notes first or common notes, or in total sequence for each system independently ?

3->By clicking the 'check side effects' button we were also able to find a list of notes. These must be the side-effect notes of previously applied notes. Should these notes also be implemented first?

4->We are also able to see different correction sections per release version in most of the notes. Should we implement the note (containing all the corrections release-wise) or only the correction corresponding to the release of our system (in this case should we download only the correction and not the note)?

Please guide me...

Regards

Imaan

Accepted Solutions (1)


Reagan
Advisor

Hello

1->Please let us know the sequence in which we need to apply the notes: date-wise or note-number-wise (increasing order)?

Development (DEV), Quality (QAS) & Production (PRD)

This is the order you need to bear in mind. There is no such order as date-wise or number-wise.

2->Also, can we club the common notes into one transport request and then transport it to all 3 systems?

As per custom, we would be applying security notes starting from DEV->QAS->PRD.

The issue is, we found some notes which are different for each system. Please guide us on how to proceed.

Whether to import the uncommon notes first or common notes, or in total sequence for each system independently ?

Check for the missing security Notes in the PRD system first.

Implement those notes in the DEV system and create a transport request and then import it in the order mentioned above.

If a security note is installed in the DEV system and not implemented in the PRD system then there is no need to implement that note through SNOTE in the PRD system. Instead import the transport request which contains the SAP Note. Just search for the note in the Note Browser present in the Tx SNOTE.

3->By clicking the 'check side effects' button we were also able to find a list of notes. These must be the side-effect notes of previously applied notes. Should these notes also be implemented first?

The notes that are part of a main note should be implemented along with the main note.

4->We are also able to see different correction sections per release version in most of the notes. Should we implement the note (containing all the corrections release-wise) or only the correction corresponding to the release of our system (in this case should we download only the correction and not the note)?

When you implement an SAP note using the Tx SNOTE the system checks whether the note is valid for the system you have. The Tx SNOTE takes care of the implementation of the correction instructions.

Regards

RB

Former Member

Dear All,

Thanks for the updates. Points 2 and 4 are clarified with the updates below:

Point 2 - 

Check for the missing security Notes in the PRD system first.

Implement those notes in the DEV system and create a transport request and then import it in the order mentioned above.

With the above point it implies that we take all the recommended notes from PRD and start implementing them from DEV.

Point 4 - 

When you implement an SAP note using the Tx SNOTE the system checks whether the note is valid for the system you have. The Tx SNOTE takes care of the implementation of the correction instructions.

With the above point it implies that we just implement the note (containing all the corrections release-wise). The system will automatically pick the correction corresponding to our release.

@Reagan - For point 1, we still need to know the sequence in which to apply notes within one system.

I found note 1734485, which states the following sequence for applying notes:

The order to start applying notes would be as follows:

  1. In case of ABAP based system start with the selected notes which are checked by the EarlyWatch Alert and shown by the tool RSECNOTE (do not distinguish between the priorities red= HotNews and yellow=others). Continue with the very high and high priority notes shown by the application “System Recommendations”.

I am unable to locate the 'System Recommendations' in my RSECNOTE tool. Please help me find where it is.

I can only view the light icons: Red - HotNews & Yellow - Others.

Thanks

Imaan

Reagan
Advisor

Hello

The output produced by the tool RSECNOTE will show you "Missing Recommendations".

The Missing Recommendations = System Recommendations.

Regards

RB

Former Member

Hi Reagan,

Agreed with your point.

But we are able to see only Red and Yellow flags in "Missing Recommendations".

HotNews are flagged with a red traffic light and notes are flagged with a yellow traffic light.

There is no sign of Priority level notes.


Currently we have 3 options for implementing the sequence of notes:

1->Date-wise or note-number-wise in ascending order, irrespective of any colour.

2->Red & Yellow flags in Missing Recommendations (as per note 1734485, SAP says no to this option).

3->Very high priority & high priority as per note 173885 (but I just found that System Recommendations is available in Solution Manager, https://service.sap.com/sysrec; we have not configured it, so this option is ruled out).

Regards

Imaan

Reagan
Advisor

Hello

There is no sign of Priority level notes.

One of the methods SAP uses to prioritize the Security Notes is the CVSS.

Learn more about that in the FAQ section under this link:

https://websmp108.sap-ag.de/securitynotes/

Additionally read this link:

https://websmp208.sap-ag.de/~sapidb/011000358700000727232013/

Here is an excerpt:

How should I use the CVSS information provided for by SAP?

SAP is providing CVSS information as an estimate of the risk posed by the issue reported in this Security Note. This estimate does not take into consideration your own system configuration, or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding the applicability or priority of any SAP security note.

How does SAP use CVSS to prioritise security notes?

SAP will continue to publish an SAP-specific priority rating for each security note. To do this, SAP uses multiple criteria to determine the priority of a security note, and CVSS is one of these criteria. SAP also considers the impact of the issue on the way in which SAP secures its software, and its public availability. For example, in a cross-site scripting vulnerability, CVSS only considers a primary attack where some data could be obtained from the client. However, as this data could include information SAP uses to secure sessions, we deem the issue as a higher priority than CVSS alone would reflect. Similarly, if the issue is publicly known, or is likely to be disclosed in the near future, we raise the priority of the issue to reflect the higher likelihood that customers could be exploited using the vulnerability mitigated by the security note.

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is an open scoring system designed to unify the risk assessment of multiple vendors. CVSS is under the custodial care of FIRST (Forum of Incident Response and Security Teams). You can find out more about CVSS here.

To see the CVSS score you need to run ST13 - RSECNOTE and click on the note number (link) to see the score. Most probably the score will be visible under the red ones.

The priority of implementing the notes date-wise or number-wise is irrelevant.

I already told you what the most important sequence to be considered for implementing the notes is.

The priority is NOT for the sequence to be followed when implementing them, but for the vulnerability or the issue addressed in the SAP Note. These issues can affect the system due to security loopholes. If you think the Note mentioned by the RSECNOTE tool is not important for your system then you can ignore it.

Regards

RB
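One way to turn the advice in this thread into a repeatable plan (this is an added example, not code from the thread or from SAP): take the RSECNOTE output per system, find the notes missing in PRD, order them by HotNews flag and then by CVSS score as a tiebreak, and route each one through DEV -> QAS -> PRD with one transport request per note. The rows, the ranking rule and the one-request-per-note policy are assumptions chosen for illustration; the note numbers, scores and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample rows, loosely modelled on what ST13 -> RSECNOTE shows
# (note number, traffic light, CVSS base score, release date, systems where it is missing).
# Every value below is invented for illustration.
@dataclass(frozen=True)
class SecNote:
    number: str
    light: str                 # "red" = HotNews, "yellow" = other
    cvss: Optional[float]      # None for older notes that carry no CVSS score
    released: date
    missing_in: frozenset      # systems in which RSECNOTE lists the note as missing

SAMPLE = [
    SecNote("1000001", "yellow", 4.3, date(2012, 3, 6), frozenset({"DEV", "QAS", "PRD"})),
    SecNote("1000002", "red", 9.0, date(2012, 1, 10), frozenset({"QAS", "PRD"})),
    SecNote("1000003", "yellow", 6.8, date(2011, 11, 8), frozenset({"PRD"})),
    SecNote("1000004", "yellow", None, date(2010, 5, 4), frozenset({"DEV"})),
]

def rank(note: SecNote):
    # Assumed ranking: HotNews first, then higher CVSS, then older release date as tiebreak.
    return (0 if note.light == "red" else 1, -(note.cvss or 0.0), note.released)

def plan(notes, target="PRD", path=("DEV", "QAS", "PRD")):
    """Ordered steps for every note missing in the target system.

    A note already present in the first system of the path is not re-implemented
    there; its existing transport is reused and imported into the remaining systems.
    """
    todo = sorted((n for n in notes if target in n.missing_in), key=rank)
    steps = []
    for n in todo:
        if path[0] in n.missing_in:
            first = "implement in %s with SNOTE, one transport request" % path[0]
        else:
            first = "already in %s, reuse its transport request" % path[0]
        steps.append({
            "note": n.number,
            "first": first,
            "import_to": [s for s in path[1:] if s in n.missing_in],
        })
    return steps

def not_needed_in(notes, target="PRD"):
    """Notes RSECNOTE flags somewhere in the landscape but not in the target system."""
    return sorted(n.number for n in notes if target not in n.missing_in)
```

Running `plan(SAMPLE)` lists the HotNews note first and leaves the note that is missing only in DEV for a separate decision.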

Former Member

Thanks to everybody for their support.

@Reagan - Thanks for the introduction to the CVSS score. I was able to see it (it started being introduced in notes from June 2011).

I have decided to go first for those notes which are related only to missing authorization checks.

Will go date-wise for the start.

Regards

Imaan

Answers (1)


former_member80258
Participant

Hello Imaan

I suggest that you follow these points:

1. First apply the yellow alerts, and after that the red ones.

2. No, each SAP Note applied must be in its own transport request, not all Notes in one transport request.

3. No, the Side Effects are independent SAP Notes; here you must plan the implementation.

4. The corrections corresponding to the SAP release.

Regards

Erick Verbena

PROLAMSA

bxiv
Active Contributor

To @Erick's second point, if you lump all the corrections into one large transport it will make it faster/easier to move through the landscapes, but if it breaks a critical process you then have no idea which correction brought down your system(s).

In the case of Solution Manager I solved 60% or more of my security issues by just updating my kernel, so while you may have a lot of notes showing up in ST13->RSECNOTE (or EWA) some are for kernel exploits.

Former Member

@Eric & Billy - Thanks for the response.

1-> If we follow the yellow alerts first, then within those should we also go date-wise or note-number-wise?

2-> We have approx. 40 notes per system, so 40 transport requests would need to be created. This will be very slow.

3-> I didn't get your point. Should we implement the side-effect notes first before applying any new note? Can you let me know why these notes appear in the system?

4-> As per the instructions in the link below, I understand that we implement the note (containing all the corrections release-wise) and the system will automatically check the corresponding correction. Please correct me.

"To implement the correction instructions from an SAP Note in your system, select the Note on the initial screen in Note Assistant and choose Implement Note.

The system first checks which correction instructions in the SAP Note correspond to your system release and Support Package level."

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/b41a59fc096ff4e10000000a42189b/content.htm?frame...

bxiv
Active Contributor

I would opt to go for the oldest notes first, but that's just my train of thought.

When you are in SNOTE and you tell the system to download a note it will prompt for the number of the note, at which point the system will download the correct set of instructions into the system.

Perhaps an easier way to go about this is to do 5 notes a week or every two weeks, as this will slowly start fixing your Security note check and will keep a fairly stable environment for you and your user base.

Have you also considered verifying whether SP updates will resolve these security issues?

former_member80258
Participant

Good day everybody

1. It must be date-wise: first the yellow alerts, and last, date-wise, the red alerts.

2. Each SAP security note applied in one Transport Request, not many SAP security Notes in one Transport Request. Therefore, start on Monday with 3 or 5 SAP Security Notes implemented each week.

3. The Side Effects go in the Transport Request of the SAP security note.

4. That's right, within the SNOTE transaction you implement any SAP note and SAP security note.

Erick Verbena

PROLAMSA