05-15-2014 8:59 AM
Dear SCN fellows,
I am new to this community and generally new to asking for SAP help in discussions and blogs.
I need some advice on whether SAP Security Notes contain hacker and/or virus defences.
I am investigating a company's SAP Security settings against its policy and global market standards. I have identified that since our SAP rollout SAP Security Notes patches have not been maintained. RSECNOTE provides a large list of missing security notes. I'm writing a report and want to confirm whether these notes offer any advice, support or notification of hacking or viruses. Similar to Internet security software, I guess.
Can anyone advise if my thoughts and questioning are heading in the right direction, or have I got the concept of SAP Security Notes completely wrong?
Thank you kindly.
Paul
05-15-2014 10:27 AM
Hi Paul,
I need some advice on whether SAP Security Notes contain hacker and/or virus defences?
SAP releases respective security notes as per the loophole identification. Once you run RSECNOTE you get the list of all applicable notes to your software release.
Applying these notes will help you remove the vulnerability SAP identified, so yes, they contain the solution to remove the vulnerability.
I'm writing a report and want to confirm whether these notes offer any advice, support or notification of hacking or viruses. Similar to Internet security software I guess.
Could you please elaborate? It is not that clear to me.
BR,
Mangesh
05-15-2014 9:39 AM
Paul,
virus protection is important if your application allows users to upload files. There are SAP-certified solutions in the market that you can use for that.
Joerg
05-15-2014 4:46 PM
Hi Joerg, Mangesh,
Thank you for your quick feedback.
Confirmation that SAP Notes will help with and advise on SAP vulnerabilities opens the scope of my report to a new level.
Thanks
Paul
05-15-2014 9:45 PM
Hi,
Unfortunately RSECNOTE isn't as accurate as it could be right now, so you should use System Recommendations & https://service.sap.com/securitynotes to derive your list.
05-16-2014 10:33 AM
That, for one! Good idea!
RSECNOTE deals with vulnerabilities strictly in an SAP environment (that includes interfaces like saphttp, gateways, services (SICF), kernel, etc.) but does not cover uploads/downloads from/to hard disks or other such attempts. Everything leaving the SAP "environment" is strictly subject to the company's "other" security efforts, like firewalls, antivirus programs, malware detection etc. etc.
I'm really quite sure that implementing all advice coming from RSECNOTE doesn't totally cover the SAP habitat. Only a complete upgrade including kernel, libraries, the OS and the DB can establish the latest security level. If you would on top of that add networking patches, that'll totally help make the nest "cleaner" (look at that Heartbleed event of late). So yes, encryption, too.
Also: hello Alex
05-16-2014 3:40 PM
Actually, SAP does have a dedicated virus scan interface, because OS-Level anti-virus does not help when it comes to SAP uploads/downloads.
SAP Virus Scan Interface (SAP Library - Secure Programming)
This interface has evolved to much more than "only" virus scanning and now provides quite a few extras to protect the application itself from attacks, such as XSS in files.
just my 0.02$
Joerg
05-16-2014 4:17 PM
Yes, I know. But.
05-27-2014 11:59 AM
Hi Mylene,
Actually, most default file upload/download methods use this interface by default. So in the vast majority of scenarios, no code changes are required to benefit from content scans (aka virus scans, MIME filters, active content detection etc.).
The latter also help mitigate attacks on the application itself, such as XSS in uploaded files, directory traversals etc.
You may want to check out this WP, in case you want to dig deeper into this matter: http://www.bowbridge.net/fileadmin/collateral/Whitepapers/BowBridge_White_Paper_-_The_Blind_Spot.pdf
cheers,
Joerg
PS: Full disclosure: I work for BowBridge!
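To illustrate the kind of content checks Joerg describes (MIME filtering, declared type versus actual bytes, active content in uploaded files, traversal in file names), here is a small stand-alone scanner. It is an added example written for this thread, not code from SAP's Virus Scan Interface or from BowBridge; the magic-byte table, allow list and sample uploads are constructed for the demo.

```python
import re

# Constructed subset of magic bytes: declared MIME type -> expected file prefix.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}
# Constructed allow list: what this upload endpoint is willing to accept.
ALLOWED_MIME = {"image/png", "image/gif", "application/pdf", "image/svg+xml"}
# Active content a browser would execute if an SVG/XML upload is served back as-is.
ACTIVE_CONTENT = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def scan_upload(filename: str, declared_mime: str, data: bytes) -> list[str]:
    """Return a list of findings for one upload; an empty list means it passed."""
    findings = []
    # Client-supplied names must never carry path components (directory traversal).
    if "/" in filename or "\\" in filename or ".." in filename:
        findings.append("traversal: file name contains path separators or '..'")
    # MIME filter: reject anything outside the allow list.
    if declared_mime not in ALLOWED_MIME:
        findings.append(f"mime-filter: {declared_mime} is not an allowed type")
    # Declared type must match what the bytes actually are.
    magic = MAGIC.get(declared_mime)
    if magic is not None and not data.startswith(magic):
        findings.append(f"mime-mismatch: content does not look like {declared_mime}")
    # Active content detection for text-based image formats (XSS in uploaded files).
    if declared_mime == "image/svg+xml" and ACTIVE_CONTENT.search(data):
        findings.append("active-content: script or event handler found in SVG")
    return findings


# Constructed sample uploads, one per check.
SAMPLES = {
    "clean_png": ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    "clean_svg": ("icon.svg", "image/svg+xml",
                  b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'),
    "scripted_svg": ("icon.svg", "image/svg+xml",
                     b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'),
    "fake_png": ("photo.png", "image/png", b"MZ\x90\x00" + b"\x00" * 8),
    "bad_name": ("..\\config.png", "image/png", b"\x89PNG\r\n\x1a\n"),
    "exe_upload": ("tool.exe", "application/x-msdownload", b"MZ\x90\x00"),
}

if __name__ == "__main__":
    for label, (name, mime, blob) in SAMPLES.items():
        print(f"{label}: {scan_upload(name, mime, blob) or 'OK'}")
```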