Application Development Discussions
Do SAP Security Notes contain hacker and/or virus defence?

Former Member
0 Kudos

Dear SCN fellows,

I am new to this community and generally new to asking for SAP help in discussions and blogs.

I need some advice on whether SAP Security Notes contain hacker and/or virus defences?

I am investigating a company's SAP Security settings against its policy and global market standards. I have identified that since our SAP rollout, SAP Security Note patches have not been maintained. RSECNOTE provides a large list of missing security notes. I'm writing a report and want to confirm whether these notes offer any advice, support or notification of hacking or viruses. Similar to Internet security software, I guess.

Can anyone advise if my thoughts and questioning are heading in the right direction, or have I got the concept of SAP Security Notes completely wrong?

Thank you kindly.

Paul

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Paul,


I need some advice on whether SAP Security Notes contain hacker and/or virus defences?

SAP releases the respective security notes as loopholes are identified. Once you run RSECNOTE, you get the list of all notes applicable to your software release.

Applying these notes will help you remove the vulnerability SAP identified, so yes, they contain the solution to remove the vulnerability.


I'm writing a report and want to confirm whether these notes offer any advice, support or notification of hacking or viruses. Similar to Internet security software, I guess.

Could you please elaborate? It is not that clear to me.

BR,

Mangesh

8 REPLIES

bowbridge
Explorer
0 Kudos

Paul,

Virus protection is important if your application allows users to upload files. There are SAP-certified solutions on the market that you can use for that.

Joerg

0 Kudos

Hi Joerg, Mangesh,

Thank you for your quick feedback.

Confirmation that SAP Notes will help with and advise on SAP vulnerabilities opens the scope of my report to a new level.

Thanks

Paul

0 Kudos

Hi,

Unfortunately, RSECNOTE isn't as accurate as it could be right now, so you should use System Recommendations & https://service.sap.com/securitynotes to derive your list.

0 Kudos

That, for one! Good idea!

RSECNOTE deals with vulnerabilities strictly in an SAP environment (that includes interfaces like saphttp, gateways, services (SICF), kernel, etc.) but does not cover up/downloads from/to hard disks or other such attempts. Everything leaving the SAP "environment" is strictly subject to the company's "other" security efforts, like firewalls, antivirus programs, malware detection, etc.

I'm really quite sure that implementing all advice coming from RSECNOTE doesn't totally cover the SAP habitat. Only a complete upgrade including kernel, libraries, the OS and the DB can establish the latest security level. If you would on top of that add networking patches, that'll totally help make the nest "cleaner" (look at that Heartbleed event of late). So yes, encryption, too.

Also: hello Alex

0 Kudos

Actually, SAP does have a dedicated virus scan interface, because OS-Level anti-virus does not help when it comes to SAP uploads/downloads.

SAP Virus Scan Interface (SAP Library - Secure Programming)

This interface has evolved to much more than "only" virus scanning and now provides quite a few extras to protect the application itself from attacks, such as XSS in files.

just my 0.02$

Joerg

0 Kudos

Yes, I know. But.

  • It's only about viruses - not overall security
  • It's an interface you can call in your coding from ABAP/Java
  • As far as I know, up/downloads of lists etc. from an ERP are not parsed through this interface

0 Kudos

Hi Mylene,

Actually, most default file upload/download methods use this interface by default. So in the vast majority of scenarios, no code changes are required to benefit from content scans (aka virus scans, MIME filters, active content detection etc.).

The latter also help mitigate attacks on the application itself, such as XSS in uploaded files, directory traversals etc.

you may want to check out this WP, in case you want to dig deeper into this matter: http://www.bowbridge.net/fileadmin/collateral/Whitepapers/BowBridge_White_Paper_-_The_Blind_Spot.pdf

cheers,

Joerg

PS: Full disclosure: I work for BowBridge!
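To make concrete the kinds of "content scan" checks discussed in the thread (MIME filtering, active-content detection, traversal-safe file names, and a signature match), here is an added Python example of a minimal upload gate. It is not SAP's Virus Scan Interface and not BowBridge's product; the allow-list, regex patterns, sample files and the use of the public EICAR test string in place of a real scan engine are all constructed assumptions for illustration.

```python
"""
Upload content gate (added illustration, not SAP VSI or BowBridge code):
  1. file name reduced to a safe base name, which neutralises directory traversal,
  2. MIME filtering: declared type must be allow-listed and agree with magic bytes,
  3. active-content detection in formats a browser will render (SVG, plain text),
  4. a signature check, using the public EICAR test string as a stand-in engine.
Allow-list, patterns and sample inputs are constructed assumptions.
"""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass, field

# Assumed allow-list: MIME type -> accepted magic-byte prefixes.
# An empty list means "no magic; the body must be printable text instead".
MAGIC: dict[str, list[bytes]] = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "application/pdf": [b"%PDF-"],
    "image/svg+xml": [b"<?xml", b"<svg"],
    "text/plain": [],
}

# Public EICAR anti-malware test string: harmless, but every AV engine flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructs that turn a "static" upload into script execution in a browser (XSS).
ACTIVE_CONTENT = [
    re.compile(rb"<\s*script\b", re.I),
    re.compile(rb"\bon[a-z]+\s*=", re.I),             # onload=, onerror=, ...
    re.compile(rb"javascript\s*:", re.I),
    re.compile(rb"<\s*(iframe|object|embed)\b", re.I),
]


@dataclass
class ScanResult:
    accepted: bool
    safe_name: str                                      # name the app may store under
    findings: list[str] = field(default_factory=list)  # reasons for rejection


def sanitize_filename(name: str) -> str:
    """Keep only the base name (drops ../ and ..\\ prefixes) and a conservative charset."""
    base = posixpath.basename(name.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError("empty or invalid file name")
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return "_" + cleaned[1:] if cleaned.startswith(".") else cleaned


def _is_printable_text(data: bytes) -> bool:
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch in "\t\n\r" or (ord(ch) >= 0x20 and ord(ch) != 0x7F) for ch in text)


def scan_upload(name: str, declared_mime: str, data: bytes) -> ScanResult:
    """Run the four checks; any finding rejects the upload."""
    try:
        safe_name = sanitize_filename(name)
    except ValueError as exc:
        return ScanResult(False, "", [f"filename: {exc}"])

    findings: list[str] = []
    if declared_mime not in MAGIC:
        findings.append(f"mime: {declared_mime} not in allow-list")
    else:
        head = data.lstrip()[:16]
        prefixes = MAGIC[declared_mime]
        if prefixes and not any(head.startswith(p) for p in prefixes):
            findings.append(f"mime: content does not match declared {declared_mime}")
        if not prefixes and not _is_printable_text(data):
            findings.append(f"mime: binary content declared as {declared_mime}")

    # Browser-rendered formats: refuse anything that would execute script.
    if declared_mime in ("image/svg+xml", "text/plain"):
        for pattern in ACTIVE_CONTENT:
            if pattern.search(data):
                findings.append(f"active content: {pattern.pattern.decode()}")
                break

    if EICAR in data:  # stand-in for a real engine's signature match
        findings.append("signature: EICAR test string")

    return ScanResult(accepted=not findings, safe_name=safe_name, findings=findings)


if __name__ == "__main__":
    samples = [  # constructed sample uploads
        ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("../../etc/cron.d/job", "text/plain", b"* * * * * root id\n"),
        ("logo.svg", "image/svg+xml", b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>"),
        ("report.pdf", "application/pdf", b"MZ\x90\x00\x03" + b"\x00" * 20),
        ("notes.txt", "text/plain", EICAR),
    ]
    for sample in samples:
        r = scan_upload(*sample)
        print("ACCEPT" if r.accepted else "REJECT", repr(sample[0]), r.safe_name, r.findings)
```

The gate is deliberately deny-by-default: an unknown MIME type, a magic-byte mismatch, or any script-bearing construct in a renderable format rejects the file, and a traversal attempt is neutralised by storing only the base name. In a real SAP landscape the byte stream would be handed to the scan engine behind the Virus Scan Interface rather than matched against a fixed string as done here.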