SAP Security Automation

Securing SAP systems: Is applying high-priority security patches enough?

By Rick Porter

Applying monthly high-priority SAP security patches is important, but it's not enough. In fact, it might only be the tip of the iceberg. These high-priority patches address known critical vulnerabilities and help reduce risks. However, several other factors are crucial for maintaining a secure SAP environment.

Low-priority security patches

Firstly, what about the lower-priority security patches?

In line with the National Vulnerability Database (NVD), SAP’s security patches are published with a vulnerability score based on the Common Vulnerability Scoring System (CVSS). SAP rates scores of nine or higher as critical, seven up to nine as high, four up to seven as medium, and anything under four as low.

Most SAP IT teams diligently apply those with high and critical scores very soon after release, and the others when they find the time. However, taking the April 2024 release as an example, only three out of the 12 were rated above seven. The remaining nine were rated as medium. Combined, these nine could still critically expose an SAP system.

User access

Next, what about user access and authorisation?

Most SAP IT teams understand how important managing user access is; it is one area most are concerned about, and not surprisingly: 70% of attacks occur from within the company's own network, so proactive preparation against this kind of access is essential. The state of SAP user access and authorisations is often the 'weak link', and understanding it is vital to preventing unauthorised access. Hackers, they say, don’t break in; they log in.

GRC compliance, Segregation of Duties, and access beyond what a user requires must be monitored and updated.

Monitoring

Then, finally, there is continual monitoring to watch for changes in the system. Often, an SAP team spends a lot of time getting things right, but it only takes something small to reopen a critical vulnerability. User access changes, code insertions, security patch overwrites, and many other BAU activities can reverse fixes or introduce new risks. It is not uncommon for previous security work to be undone: applied security patches may be overwritten, user access may be regained, and repaired configuration may be reverted. Without continuous monitoring, these kinds of changes go unnoticed, and a system that was considered secure may be far from it.
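As an added example (not code from the original post or from Leg Up Software), a minimal drift check that compares a known-good baseline of an SAP system with a fresh snapshot and reports exactly the reversals described above: notes no longer recorded as applied, roles a user has regained, and profile parameters reset. The snapshot shape, note ids, users and Z_* roles are constructed; the two login/* names are real SAP profile parameters, but the values shown are invented.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """What a monitoring pass re-checks: notes, user -> roles, profile parameters."""
    applied_notes: frozenset   # security note ids recorded as implemented
    user_roles: dict           # user id -> frozenset of assigned roles/profiles
    profile_params: dict       # profile parameter name -> value

@dataclass
class DriftReport:
    reverted_notes: set        # applied in the baseline but missing now
    regained_roles: dict       # user -> roles held now that the baseline lacked
    changed_params: dict       # parameter -> (baseline_value, current_value)

    def is_clean(self) -> bool:
        return not (self.reverted_notes or self.regained_roles or self.changed_params)

def detect_drift(baseline: Snapshot, current: Snapshot) -> DriftReport:
    """Report regressions only: newly added notes or removed roles are not drift."""
    reverted = set(baseline.applied_notes - current.applied_notes)
    regained = {}
    for user, roles in current.user_roles.items():
        # A user the baseline never saw is treated as having held no roles.
        extra = roles - baseline.user_roles.get(user, frozenset())
        if extra:
            regained[user] = set(extra)
    changed = {p: (v, current.profile_params.get(p))
               for p, v in baseline.profile_params.items()
               if current.profile_params.get(p) != v}
    return DriftReport(reverted, regained, changed)

# Constructed baseline: the state signed off after the last hardening pass
# (note ids are placeholders, users and Z_* roles are made up).
BASELINE = Snapshot(
    applied_notes=frozenset({"SECNOTE-1", "SECNOTE-2", "SECNOTE-3"}),
    user_roles={"JDOE": frozenset({"Z_FI_DISPLAY"}), "ASMITH": frozenset({"Z_BASIS_ADMIN"})},
    profile_params={"login/min_password_lng": "12", "login/no_automatic_user_sapstar": "1"},
)
# Constructed current snapshot: a transport overwrote one note, JDOE got a posting
# role back, a temporary user appeared with SAP_ALL, and min password length was reset.
CURRENT = Snapshot(
    applied_notes=frozenset({"SECNOTE-1", "SECNOTE-3", "SECNOTE-4"}),
    user_roles={"JDOE": frozenset({"Z_FI_DISPLAY", "Z_FI_POST"}),
                "ASMITH": frozenset({"Z_BASIS_ADMIN"}), "TMPUSER": frozenset({"SAP_ALL"})},
    profile_params={"login/min_password_lng": "8", "login/no_automatic_user_sapstar": "1"},
)
```

Running `detect_drift(BASELINE, CURRENT)` flags the overwritten note, the two regained roles and the weakened password parameter, while the newly added SECNOTE-4 is correctly ignored.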

So, while applying monthly high-priority SAP security patches is a foundational security practice, it should be part of a comprehensive security strategy that also covers the lower-priority patches, strong access controls, and continuous monitoring to ensure the ongoing security of SAP systems.

Next Steps

Leg Up Software is hosting a webinar by smarterSec on May 30th. You might like to attend. The webinar will discuss some of the above and more. If nothing else, it will help you better understand the complexities involved in securing SAP systems.

Webinar Registration

About us.

Leg Up Software is an expert in SAP IT operational and infrastructure software automation solutions, including those that support enterprises’ transformation journeys.

We know the SAP operations and infrastructure automation solutions landscape and have already done the legwork identifying the best available solutions.

We have excellent relationships with many software vendors, including those providing solutions mentioned here, and can negotiate an evaluation process that best suits your circumstances and budget.

Why not set up a time to start the conversation by putting something in our calendar?

Chat with Rick

Rick Porter

With over two decades of working within the SAP ecosystem, Rick has met and worked with SAP IT professionals from broad backgrounds and experiences. Rick knows the stresses and strains experienced by those managing SAP systems and enjoys bringing these insights and reflections into conversations.