AGS Security Patch Process

The document outlines the process for implementing SAP Security Notes, emphasizing the importance of a monthly patch process to maintain system security. It discusses tools such as System Recommendations, Usage Procedure Logging, and Business Process Change Analyzer for identifying and managing security vulnerabilities. The document also highlights the risks of not applying security patches, including potential data theft and system manipulation.

Uploaded by Silvia Mazuela

Security Patch Process

Implementing SAP Security Notes: Tools and Best Practices

SAP Center of Excellence – Security Services
October 2019
Abstract

This session shows how to set up a monthly patch process based on the application System
Recommendations within the SAP Solution Manager to track down critical Security Notes which are
required for your systems.
See the integration with the Usage Procedure Logging (UPL) and the Business Process Change Analyzer
(BPCA) to identify business processes which might get affected by the implementation of security notes.
And you will get additional information about the cross-system queries of Configuration Validation which
can be used to analyze the security configuration for single systems as well as for the complete system
landscape.
Goals:
➢ Identify required security notes for a large system landscape.
➢ Manage work lists with notes that should be implemented.
➢ Audit successful implementation of required security notes.

© 2019 SAP SE or an SAP affiliate company. All rights reserved. 2


SAP Security Patches
Why is patching necessary? Why are there so many Security Notes?

Isn’t SAP using advanced techniques to avoid security flaws? Just like Microsoft, Google or Apple do?

1. SAP operates research departments for code security which are top league.¹
2. In its code development lifecycle, SAP makes use of a variety of mechanisms to keep a very high level of quality. This includes dynamic code scanning, static code scanning, automated dynamic testing (such as fuzzing) and other techniques – wherever these are suitable.²
3. Unfortunately, hackers and security researchers find new attack methods over time. This makes fixing newly discovered vulnerabilities inevitable. And Oracle, Microsoft, Google and Apple are no exception to this rule.
4. SAP makes sure that only critical patches or those with dependencies to other software releases are published.

Result: For its Business Suite (“ERP”), over the last 3 years SAP issued just 18 patches of priority “Hot News” (very high). Among these only 3 required a downtime. Put this into context of the over 400 million lines of code SAP has to maintain for the Business Suite. And compare this to Apple with some 90M lines of code for MacOS and MS being at roughly 50M for the Office Suite.

¹ Example: “Beyond Metadata: Code-centric and Usage-based Analysis of Known Vulnerabilities in Open-source Software” which just recently got the IEEE TCSE Distinguished Paper Award
² While fuzz testing is highly applicable to code written in C, it does not make much sense for database (SQL) based vulnerabilities.


What do security minded customers do?
Such customers implement SAP Security Patches as a corporate policy

Trade-off tips to the patching side
“We apply SAP security patches immediately and move them to our productive systems after a 1 month cooling time whether or not we've had the time to test them.” ExxonMobil, October 2014

Time to patch follows priority
“We decided to apply all security notes (immediately after every patch day) and our operations managers have to do it within the decided processing times per note priority.” BMW, October 2014

Negligible critical side effects
“From a security patching perspective we can confirm that we have had no impact on the productivity of the systems in the last 6 months.” ExxonMobil, October 2014


And if you don’t do it? One story from real-life.
The real business impact when not patching

1. Customer SAP system was deeply compromised, including full administrative access & code changes
2. Attackers got in through “Hot News” (very high) vulnerability that was not patched for months
3. What next? Options were very limited:

Hack impact: Need for forensics and restore
▪ SAP system was removed from the network immediately after attacks were identified
▪ BUT: Backups were not usable to restore SAP system to point before first successful attacks
▪ SAP system was not available for several weeks

Business: Bring up system back to normal operations
▪ SAP recommended to re-build system from scratch as attackers modified additional parts of the system
▪ Customer business decision:
  – SAP system was to go live again, with manual removal of infected parts
  – Unknown if attacker manipulated other parts of the SAP system, and may return


The bottom line

Risk and impact

▪ The operational impact of implementing SAP security patches is largely overestimated
▪ The risk of lost availability and data theft due to vulnerable, unpatched SAP systems is largely underestimated
▪ Customers who started security patching in real life found it remarkably smooth

SAP Security Patching is a part of standard IT operations just like it is for other vendors


Agenda

➔ SAP Security Notes and SAP Security Patch Day
  What they are, when they’re published
➔ System Recommendations
  Tool to find the applicability of notes to systems
➔ Usage And Procedure Logging (UPL)
  Tool to find unused code notes address
➔ Business Process Change Analyzer (BPCA)
  Tool to find the spots to test after note implementation
➔ Configuration Validation
  Tool to run cross-system validation
➔ SAP Security Patch Process
  How to put all into a working mechanism

[Figure: Security Tools and Services: EWA, Configuration Validation, Security Notes Report, System Recommendations, SOS]
Security Notes

Security Notes
■ are standard SAP Notes / HotNews
■ with information about known security vulnerabilities
■ and appropriate countermeasures (correction instruction, configuration, service pack, upgrade, manual measures)
■ whose corrections are contained in subsequently released Support Packages, if possible

They can be found here: https://support.sap.com/securitynotes

■ Each customer has to regularly review this list and has to verify for each entry whether the security note applies to their systems or not, and what to do if necessary


Security Notes in the SAP Support Portal
https://support.sap.com/securitynotes

Here you can find all Security Notes published by SAP … but maybe you prefer the “Expert Search” which offers detailed filters. In addition you find Security Spotlight News.


Security Notes in the SAP Support Portal
https://support.sap.com/securitynotes

Initially you start with a filtered list based on your own favorite systems which you have selected from the systems which belong to the customer numbers of your S-user.


Security Notes in the SAP Support Portal
https://support.sap.com/securitynotes

You can do some simple status management, but keep in mind that this is your personal classification which others cannot access.


Security Notes in the SAP Support Portal
https://support.sap.com/securitynotes → “Access SAP Security Notes”

Changing the view shows the complete list of “All SAP Security Notes” (4381 Document(s)).


“Notes Search” in the SAP Support Portal
https://support.sap.com/notes → “Launch the Expert Search”

Use the filter to select:
➢ Document Type = SAP Security Notes
➢ Priority = <HotNews, High, …>
➢ Released On (Free) = <Date range, e.g. since previous Patch Day>
(The screenshot shows the range 01.01.2019 – 31.10.2019.)
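The Expert Search filter above, as an added Python example that is not part of the deck or of any SAP tool: it derives the Patch Day date (second Tuesday of the month, as stated in the process-flow slide) and applies the three filter criteria to a constructed note list. The note numbers 1000001 to 1000005, short texts and dates are constructed placeholders, not real SAP Notes.

```python
"""Reproduce the Expert Search filter (Document Type, Priority, Released On
since the latest Patch Day) on a constructed note list.

Added example, not SAP code. Note numbers 1000001.. and short texts are
constructed placeholders, not real SAP Notes.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Sort order for hits: most urgent priority first.
PRIORITY_RANK = {"HotNews": 1, "High": 2, "Medium": 3, "Low": 4}


@dataclass(frozen=True)
class Note:
    number: int
    doc_type: str        # "SAP Security Notes", "SAP Note", "SAP KBA", ...
    priority: str        # HotNews, High, Medium or Low
    released_on: date
    short_text: str


def _as_date(value):
    """Accept a date or an ISO string such as '2019-10-31'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def patch_day(year, month):
    """SAP Security Patch Day: the second Tuesday of the given month."""
    first = date(year, month, 1)
    # weekday(): Monday = 0, Tuesday = 1. Step to the first Tuesday, then one more week.
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def latest_patch_day(today):
    """Most recent Patch Day on or before `today` (may lie in the previous month)."""
    today = _as_date(today)
    candidate = patch_day(today.year, today.month)
    if candidate > today:
        year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        candidate = patch_day(year, month)
    return candidate


def expert_search(notes, today, priorities=("HotNews", "High")):
    """Document Type = SAP Security Notes, Priority in `priorities`,
    Released On between the latest Patch Day and `today` (both inclusive).
    Returns the matching note numbers sorted by priority, then release date."""
    today = _as_date(today)
    since = latest_patch_day(today)
    hits = [
        n for n in notes
        if n.doc_type == "SAP Security Notes"
        and n.priority in priorities
        and since <= n.released_on <= today
    ]
    hits.sort(key=lambda n: (PRIORITY_RANK[n.priority], n.released_on, n.number))
    return [n.number for n in hits]


# Constructed sample: what a Notes Search result list might contain in October 2019.
SAMPLE_NOTES = [
    Note(1000001, "SAP Security Notes", "HotNews", date(2019, 10, 8), "Constructed: Patch Day HotNews"),
    Note(1000002, "SAP Security Notes", "Medium", date(2019, 10, 8), "Constructed: Patch Day Medium"),
    Note(1000003, "SAP Security Notes", "High", date(2019, 9, 10), "Constructed: previous Patch Day"),
    Note(1000004, "SAP Note", "High", date(2019, 10, 8), "Constructed: not a security note"),
    Note(1000005, "SAP Security Notes", "High", date(2019, 10, 15), "Constructed: SPIN published off-schedule"),
]

if __name__ == "__main__":
    today = date(2019, 10, 31)
    print("latest Patch Day:", latest_patch_day(today))
    print("hits:", expert_search(SAMPLE_NOTES, today))
```

The off-schedule note 1000005 is kept because the filter is a date range, not a Patch Day match; this is why the deck warns that Support Package Implementation Notes may appear between Patch Days.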


Patch Day Notes vs. Support Package Implementation Notes

Patch Day Notes
▪ SAP Security Notes published on and for Security Patch Day
▪ Contain important security corrections with priorities: HotNews, High, Medium, or Low
▪ Very often address security issues reported from external sources
▪ Have CVSS scoring and CVE entries in most cases

Support Package Implementation Notes (SPIN)
▪ Typically address security issues found internally by SAP, with priorities: High, Medium, or Low
▪ Should not be published in the first place but just be contained in future SPs
▪ Had to be published outside an SP and outside the Patch Day schedule because some customer production issue depended on it being implemented first

SPIN might be published on Patch Day dates as well!
Count of new or changed Security Notes per Month

Status from February 2019: ~4276 Security Notes in total

Most notes are covered by a regular support package update.
Caution: There are exceptions because of notes describing manual security configurations.
Changed strategy: Publish "Patch Day Notes" only but postpone "Support Package Notes".

[Chart: count of new or changed Security Notes per month, with the average of a ‘typical’ month]


Count of new or changed Security Notes per Month

March 2018 - February 2019: 212 Security Notes in total


SAP Security Notes address vulnerabilities in SAP applications

Risk and impact

▪ Full control over SAP systems bypassing any other SAP security controls
▪ Manipulation of data which endangers legal compliance
▪ Data theft
▪ No traceability due to missing audit trail
▪ Unavailability of data and systems

Manipulation of business processes in SAP systems is possible, availability at risk.


Three key messages as take away!

1. Go for regular Support Package updates first
2. Establish a monthly patch process to analyze and implement SAP Security Notes
3. Schedule security optimization projects to cover new options for security configuration


The challenge! – Find the right note for the right systems

How to identify important SAP Security Notes that need to be implemented?


SAP Notes
You have to apply various types of notes and patches to keep your SAP systems up-to-date and secure:

Security notes: SAP's expert advice regarding important actions and patches to ensure the security of your customers' systems: https://support.sap.com/securitynotes

Performance relevant notes: SAP notes containing information and corrections for performance improvement of SAP systems

Java patches: A patch is a code-correction for a specific version of an SAP product.

Legal Change notes: Respond to requirements caused by changes in legal regulation

HotNews: SAP customer notes with priority 1 (very high priority) to resolve or avoid problems that can cause the SAP system to shut down or lose data.

Others like system measurement notes and correction notes: Notes having ABAP correction instructions


Where to get information and recommendations about new released
SAP Notes
▪ You can set up a filter for a (registered) system in the SAP Support Portal to show new notes for that system in the SAP ONE Launchpad: https://support.sap.com/kb-incidents/notifications.html
  (Limitation: You cannot define notifications)

or (recommended)

▪ You can use the application System Recommendations in the SAP Solution Manager to check all relevant notes and patches (Security notes, Performance relevant notes, Java patches, Legal Change notes, HotNews, System measurement and correction notes) for the selected systems and easily keep all of your systems up-to-date.
System Recommendations
Advantages & Features
◼ Increase system security by applying up-to-date security-relevant notes exactly tailored for the respective system
◼ Provides a detailed recommendation based on the system release and already implemented SAP notes
◼ Easy-to-use filter settings allow exact selection of system or solution
◼ The recommendations comprise the following notes categories:
  ➢ Security notes
  ➢ HotNews
  ➢ Performance relevant notes
  ➢ Legal Change notes
  ➢ System Measurement notes
  ➢ Correction notes (deactivated by default)
◼ Integration into Change Request Management (ChaRM) to directly create Requests for Change for the selected notes
◼ Integration with Usage Procedure Logging (UPL) to distinguish between used and unused code
◼ Integration into Business Process Change Analyzer (BPCA) to calculate the test impact


How System Recommendations supports your security
Process flow
SAP Patch Day
SAP releases security patches on the second Tuesday every month: https://support.sap.com/securitynotes

System Recommendations
Select system(s) to check & update and the time frame. System Recommendations identifies the relevant patches and SAP notes.

Implementation Tools
The checked relevant SAP notes and patches are applied to the SAP system using the corresponding tools, e.g. SNOTE, SUM.
System Recommendations: Process Flow

1. Select system to check & update (customer)
2. Retrieve system information (SP level, patch level) (customer)
3. Connect to SAP Global Support Backbone
4. Provide information on latest relevant notes (for SP level, patch level) (SAP)
5. Send information back to the customer‘s SAP Solution Manager system (SAP)
6. Retrieve system information (implemented notes) (customer)
7. Calculate delta between OSS provided notes and already implemented notes. Show relevant notes of the system(s) via System Recommendations or Configuration Validation (customer)
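Step 7 of the process flow above, the delta between the notes SAP reports as relevant and the notes already implemented, as an added Python example. It is not the Solution Manager implementation; the note numbers 1000010 to 1000013, versions and prerequisites are constructed placeholders. The status IDs NEW and INP (new version available) follow the default System Recommendations statuses listed in the status customizing slide; ordering open notes so that prerequisites come first is this example's own addition, mirroring the Prerequisite Notes view.

```python
"""Delta between SAP's relevant-note list for a system (steps 4/5) and the
notes already implemented there (step 6).

Added example, not the Solution Manager implementation. Note numbers are
constructed placeholders. Status IDs NEW / INP follow the default
System Recommendations statuses (NEW = new, INP = new version available).
"""
from dataclasses import dataclass

PRIORITY_RANK = {"HotNews": 1, "High": 2, "Medium": 3, "Low": 4}


@dataclass(frozen=True)
class RelevantNote:
    """One note SAP reports as relevant for the system's SP/patch level."""
    number: int
    version: int               # current note version at SAP
    priority: str
    prerequisites: tuple = ()  # note numbers that must be implemented first


def calculate_delta(relevant, implemented):
    """relevant: RelevantNote objects from SAP for this SP level.
    implemented: {note_number: implemented_version} read from the managed system.
    Returns {note_number: status} for notes that still need work:
    NEW when the note is absent, INP when an older version is implemented."""
    delta = {}
    for note in relevant:
        have = implemented.get(note.number)
        if have is None:
            delta[note.number] = "NEW"
        elif have < note.version:
            delta[note.number] = "INP"
        # implemented at the current version: nothing to do, not in the work list
    return delta


def implementation_order(relevant, implemented):
    """Order the open notes so that no note precedes one of its open prerequisites;
    among notes whose prerequisites are resolved, the highest priority goes first.
    Prerequisites already implemented (or absent from SAP's list) do not block."""
    by_number = {n.number: n for n in relevant}
    open_notes = set(calculate_delta(relevant, implemented))
    order = []
    while open_notes:
        ready = [
            num for num in open_notes
            if not any(p in open_notes for p in by_number[num].prerequisites)
        ]
        if not ready:
            raise ValueError(f"cyclic prerequisites among notes {sorted(open_notes)}")
        ready.sort(key=lambda num: (PRIORITY_RANK[by_number[num].priority], num))
        order.append(ready[0])
        open_notes.remove(ready[0])
    return order


# Constructed sample data: four relevant notes, two of them already on the system.
SAMPLE_RELEVANT = [
    RelevantNote(1000010, 2, "HotNews", prerequisites=(1000011,)),
    RelevantNote(1000011, 1, "Medium"),
    RelevantNote(1000012, 3, "High"),
    RelevantNote(1000013, 1, "Low"),
]
SAMPLE_IMPLEMENTED = {1000012: 2, 1000013: 1}  # 1000012 is present at an older version

if __name__ == "__main__":
    print("delta:", calculate_delta(SAMPLE_RELEVANT, SAMPLE_IMPLEMENTED))
    print("order:", implementation_order(SAMPLE_RELEVANT, SAMPLE_IMPLEMENTED))
```

Note 1000013 drops out of the work list because the implemented version equals SAP's version, while 1000012 stays with status INP; the HotNews note 1000010 is scheduled after its Medium prerequisite 1000011, which is the situation the Prerequisite Notes detail screen is meant to surface.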
System Recommendations in SAP Solution Manager 7.2

➢ User Interface based on Fiori
➢ Individual views and selections as Fiori tiles
➢ Cross-system view
➢ Customizing for status values
➢ Status with history and cumulative comments
➢ Detail screens: Object List with Usage Data (UPL), Prerequisite Notes
➢ Hide Application Components which do not match the DB or OS installations in use
➢ General Customizing and Personalization
➢ Simplified Activation


Open the Fiori Launchpad

On the Solution Manager, start the Fiori Launchpad and navigate to the Fiori Tile Group
“SAP Engagement and Service Delivery”

How?
Start transaction “SOLMAN_WORKCENTER”
and then navigate to “SAP Engagement and ...”
or
Start the Work Center from the Easy Access menu tree
or
Add a link for the Fiori Launchpad on your Favorites.



Add Favorites link for Fiori Launchpad

Add a link on your Favorites. How?
1. Go to the Favorites Menu and choose “Add other objects”
2. In the “Add additional object” window, scroll and select the “SAP Fiori App”
3. Choose radio button “SAP Fiori Launchpad”
Add Favorites link for System Recommendations

Add a link on your Favorites. How?
1. Go to the Favorites Menu and choose “Add other objects”
2. In the “Add additional object” window, scroll and select the “SAP Fiori App”
3. Choose radio button “Intent”. Enter Semantic Object “Action” and Action “UISMMySAPNotes”. You can add parameters for the client and language, too.
System Recommendations in SAP Solution Manager 7.2
Personal Launchpad

Call transaction SM_WORKCENTER to start the Fiori Launchpad.

You can store individual views and selections as Fiori tiles.

The example shows security notes for those systems for which you are responsible, having the selected status values (‘new’).
System Recommendations in SAP Solution Manager 7.2
System Overview

Mark one or several systems and select one of the available actions:
➢ Show Java Support Packages and Patches to prepare an update of the selected system(s)
➢ Show SAP Notes to work with the list of recommended SAP notes for the selected system(s)
➢ Refresh SAP Notes to run the corresponding background job, collecting the information.


System Recommendations in SAP Solution Manager 7.2
Note Overview
▪ You can filter this list of available SAP notes by
  ➢ Technical system
  ➢ Release date
  ➢ Note type
  ➢ Note status
▪ Use “Advanced Search” for further filter options.
▪ Click on the note number or short text for more details
▪ At “Actions” you can navigate to the Object List, Prerequisite Notes or Side-Effect Notes for the selected SAP notes


System Recommendations in SAP Solution Manager 7.2
Advanced Search

In the Advanced Search you can reduce the list of SAP notes.
▪ The SAP note statuses “New” and “New version available” are pre-selected; others can be added manually. Keep this in mind when working with the note list.
▪ SAP notes marked “Kernel” in the corresponding field contain kernel corrections.
▪ Release dependent SAP notes are relevant for the system they are addressed to and should be implemented.
▪ For release independent SAP notes it is not technically possible to determine their relevance. Check the relevance on your own.
▪ After setting additional filters click on the “Search” button.
System Recommendations in SAP Solution Manager 7.2
Integration with SAP Support Portal

Clicking on the Note number or the short text allows the navigation to the note in the SAP Support Portal: https://support.sap.com/notes
Or choose the navigation to the detailed information (explained on the next slide).


System Recommendations in SAP Solution Manager 7.2
Note Details: Overview

▪ Status records and comments are stored with timestamp and user and never get modified or deleted
▪ Using Actions → Change Status you can change the current status or add a comment to this SAP note


System Recommendations in SAP Solution Manager 7.2
Status and Comments
Individual and cross-system mass status management possible.

You can customize user status values, e.g. for ‘fast track transport’, ‘normal transports’, or specific projects.

Status records and comments are stored with timestamp and user and never get modified or deleted.


Status and comments customizing (1)

Status ID  Default Statuses
IMP        To Be Implemented
INP        New version available
NEW        New
NOR        Irrelevant
PSP        Postponed

To add your own status proceed as follows:
▪ Call transaction SM30
▪ Maintain table AGSSR_STATUS
▪ Select existing status and copy it with Copy as…
▪ Edit the information in the table
▪ Save your changes


System Recommendations in SAP Solution Manager 7.2
Status and Comments

Transaction SM30_AGSSR_STATUS for customizing table AGSSR_STATUS


System Recommendations in SAP Solution Manager 7.2
Note Details: Integration with Usage Procedure Logging (UPL)

The information about the usage count comes from UPL



System Recommendations in SAP Solution Manager 7.2
Note Details: Prerequisite Notes
▪ A list of prerequisite SAP notes for the selected one is available
▪ Using the “Action” menu it is possible to change the note status
▪ Using “Integrated Desktop Actions” it is possible to download the SAP notes into the managed systems from SAP Solution Manager directly (if you have a trusted user in the managed system with the role SAP_SM_S_RFCACL), or to start the integrated Change Impact Analysis or Change Request Management


System Recommendations in SAP Solution Manager 7.2
Confirm download of SAP Notes into managed system

▪ Check the system ID and click on Confirm Download
▪ Transaction SNOTE will be automatically called in the new window and you can start with the note implementation


System Recommendations in SAP Solution Manager 7.2
Show JAVA Support Package Patches

Select at least one system for which you want to install a support package patch and choose
Actions → Show (JAVA) Support Package Patches



System Recommendations in SAP Solution Manager 7.2
JAVA Support Package Patch Overview

▪ Select the support package patches you want to download and choose Put in Download Basket.
▪ Use the SAP Download Manager to retrieve the selected packages
▪ Install the support package patches

or
▪ use the Maintenance Planner to prepare and run the update


Integration with Business Process Change Analyzer (BPCA) and Change Request Management (ChaRM)
▪ The BPCA has been automatically opened in the new window
▪ The Object Type and Object Name of the selected note are taken over.

▪ A new Request for Change (RfC) has been created automatically
▪ You can navigate to the RfC by clicking on its number


System Recommendations in SAP Solution Manager 7.2
Request for Change created from System Recommendations

▪ The RfC Description “Created from System Recommendation” and the user data are taken over into the General Data Assignment Block (AB)
▪ The note number is added into the SAP Notes Assignment Block (AB)


Filter by IT Admin Role or Priority

Use transaction LMDB to maintain the IT Admin Role and the Priority of systems. You can use these fields for filtering.


System Recommendations in SAP Solution Manager 7.2
Adding additional SAP Note Types
Field Value  Type
H            HotNews
S            Security Notes
L            Legal Change Notes
P            Performance Notes
A            System Measurement / License Audit Notes (7.2 SP 8)
C            Correction Notes

Retrieved by default in System Recommendations: all types except C.

Correction notes (Type C – containing vital corrections to the SAP Solution Manager core functions) must be specified manually to be retrieved:
▪ Call transaction SM30_DNOC_USERCFG_SR
▪ In the field SYSREC_NOTE_TYPES add or remove the relevant values


System Recommendations in SAP Solution Manager 7.2
Hide Application Components of not-used DB or OS installations

Transaction SM30_AGSSR_OSDB for customizing table AGSSR_OSDB

Set the components which do not match your used OS and DB to inactive (for additional information refer to the next slide).


Overview about Application Components for DB/OS:

Databases
ADA  BC-DB-SDB
ADA  BW-SYS-DB-SDB
DB2  BC-DB-DB2
DB2  BW-SYS-DB-DB2
DB4  BC-DB-DB4
DB4  BW-SYS-DB-DB4
DB6  BC-DB-DB6
DB6  BW-SYS-DB-DB6
HDB  BC-DB-HDB
HDB  BW-SYS-DB-HDB
HDB  HAN-DB
INF  BC-DB-INF
INF  BW-SYS-DB-INF
LVC  BC-DB-LVC
MSS  BC-DB-MSS
MSS  BW-SYS-DB-MSS
ORA  BC-DB-ORA
ORA  BW-SYS-DB-ORA
SAP  BC-DB-SDB
SAP  BW-SYS-DB-SDB
SYB  BC-DB-SYB
SYB  BW-SYS-DB-SYB
TD   BC-DB-TD
TD   BW-SYS-DB-TD

Operating Systems
AIX         BC-OP-AIX
AIX         BC-OP-BUL
HP-UX       BC-OP-HPX
LINUX       BC-OP-LNX
LINUX       BC-OP-PLNX
LINUX       BC-OP-ZLNX
LINUX OS/3  BC-OP-LNX
LINUX OS/3  BC-OP-PLNX
LINUX OS/3  BC-OP-ZLNX
OS/400      BC-OP-AS4
SINIX       BC-OP-FSC-REL
SOLARIS     BC-OP-FSC-SOL
SOLARIS     BC-OP-SUN
SUNOS       BC-OP-SUN
TRU64-UNIX  BC-OP-CPQ
TRU64-UNIX  BC-OP-TRU64
UNIX        BC-OP-CPQ
UNIX        BC-OP-TRU64
WIN-NT      BC-OP-NT
Z/OS        BC-OP-S390


General Customizing and Personalization
Transaction SM30_DNOC_USERCFG_SR
SYSREC_STATUS_FILTER (*)  Defines which SAP Notes are counted on the overview page. By default it only shows SAP Notes that are in the 'new' or 'new version available' status.
SYSREC_UPL_ACTIVE (*)  Activate/deactivate the integration with UPL while showing the object list of ABAP notes.
SYSREC_UPL_MONTH (*)  Number of months for which UPL data get loaded. The default is 2, which represents the current and the previous month.
SYSREC_NOTE_TYPES  Defines for which types of SAP Notes the application calculates results. Enter the list of characters representing the note types HotNews, Security, Performance, Legal Change, License Audit, and Correction.
SYSREC_LAST_MONTHYEAR  Defines the earliest calculated SAP Notes. By default the application calculates all SAP Notes which were released between January 2009 and the current month.
SYSREC_BPCA_USER  Defines if the current user should be added as selection for BPCA.
SYSREC_BPCA_DATE  Defines the earliest filter for BPCA results. You can change the start date for this period.
SYSREC_CHARM_LOG_TYPE  Defines the text id according to table TTXID for the text object CRM_ORDERH.
SYSREC_CHARM_USER  Defines if the current user should be added as selection for ChaRM.
SYSREC_CHARM_DATE  Defines the earliest filter for ChaRM results. You can change the start date for this period.
SYSREC_OBJECT_EXP  Lifetime of the cache which contains the object list of SAP notes. The default is 14 days.
SYSREC_REQ_EXP  Lifetime of the cache which contains the required notes of SAP notes. The default is 14 days.
SYSREC_SIDE_EFFECT  Lifetime of the cache which contains the side-effect notes of SAP notes. The default is 14 days.
SYSREC_UNSUPPORTED_SYSTEM (*)  System types which you want to block from SysRec (one entry per system type)
SYSREC_UNUSED_SUBHR  Calculate results for unused HR components (see note 2712210)

(*) User specific personalization
System Recommendations in SAP Solution Manager 7.2
Simplified Activation

The activation of System Recommendations is an automated activity within Managed System Configuration.

In an upgrade to SolMan 7.2 you get a notification if EWA Monitoring or System Recommendations is not activated yet.


System Recommendations: Setup in SAP Solution Manager 7.2
Entry point
Generally the System Recommendations scenario is ready to be used when the following guided procedures
have been successfully finished:

▪ Mandatory configuration (transaction SOLMAN_SETUP)
  ➢ System Preparation
  ➢ Infrastructure Preparation
  ➢ Basic Configuration
▪ Managed Systems Configuration


System Recommendations: Setup in SAP Solution Manager 7.2
RFC connection SAP-OSS
Check setup of RFC destination SAP-OSS
▪ Transaction SOLMAN_SETUP
➢ System Preparation
➢ Step 3.1 Setup Connectivity
➢ RFC destination SAP-OSS should be successfully created
and rated green.

▪ You can additionally check this RFC in transaction SM59
  ➢ ABAP Connections
  ➢ Choose RFC destination SAP-OSS
  ➢ Utilities
  ➢ Test
  ➢ Authorization test


System Recommendations: Setup in SAP Solution Manager 7.2
System Recommendations job

Check System Recommendations Job scheduling
▪ Transaction SOLMAN_SETUP
  ➢ Basic Configuration
  ➢ Step 2 “Schedule Jobs”
  ➢ Select the System Recommendations job SM:SYSTEM RECOMMENDATIONS and schedule it by clicking on “Schedule Jobs as Planned”
  ➢ Ensure that you schedule the job weekly after Patch Day closing, which is Tuesday morning right after midnight in the CET timezone


System Recommendations: Setup in SAP Solution Manager 7.2
Enable System Recommendations for Managed Systems

Enable System Recommendations for managed systems
▪ Transaction SOLMAN_SETUP
  ➢ Managed Systems Configuration
  ➢ Select technical system (with green RFC status)
  ➢ Start full or minimal configuration
  ➢ Navigate to step 5 “Enter Landscape Parameters”
  ➢ Set the mark to “Enable System Recommendations”


System Recommendations: Setup in SAP Solution Manager 7.2
Enable System Recommendations for Managed Systems

Apply Settings for System Recommendations
▪ Transaction SOLMAN_SETUP
  ➢ Managed Systems Configuration
  ➢ Select technical system (with green RFC status)
  ➢ Start full or minimal configuration
  ➢ Navigate to step 8 “Finalize Configuration”
  ➢ Ensure that this step has been executed and rated green


System Recommendations: Setup in SAP Solution Manager 7.2
Required roles

Roles having authorizations for running System Recommendations on SolMan (#):

▪ SAP_SYSREC_DIS   System Recommendations (with work center Change Management)
▪ SAP_SYSREC_ALL   System Recommendations (with work center Change Management)

Roles to show the Fiori application of System Recommendations on the Fiori Hub:

▪ SAP_STUI_SYSREC_TCR    Solution Manager: System Recommendations Technical Catalogue
▪ SAP_STUI_SYSREC_AUTH   Solution Manager: System Recommendations Authorizations (*)

(#) There is no special display mode in System Recommendations. Both roles offer the same functionality, including entering status and comments for notes.

(*) As described in the role documentation you have to add an authorization proposal into the role menu.
System Recommendations: Setup in SAP Solution Manager 7.2
Required roles

If you are using a separate Fiori Hub you need to generate the OData service for System Recommendations using transaction /n/IWFND/MAINT_SERVICE as described in the Security Guide of the SAP Solution Manager (see chapter 4.6.1 SAP Fiori Launchpad and NWBC).

In any case, for role SAP_STUI_SYSREC_AUTH you have to add an 'Authorization Default' in the role menu. Choose 'TADIR Service' with object type IWSG and search for the TADIR service name AGS_SYSREC_SRV_*

Navigate to the authorizations. You will see an authorization for authorization object S_SERVICE. Finally, generate the authorization profile and assign the user(s).
Fiori Web Assistant – In-Application Help
Open Help

Use the help icon to activate the in-application help.

Prerequisites:
- Configure profile parameters and redirect file for SAP Web Dispatcher
- Create Fiori Catalog with specific target mapping
- Create role containing the Fiori Catalog and assign it to all users

References:
Online Help - Setup of In-Application Help
https://help.sap.com/viewer/89a6c6256d8d4ae9b329e34c44607a32/106/en-US/879b33575fbb0950e10000000a441470.html

Blog - S/4HANA – HowTo: Activate context-sensitive help from SAP
https://blogs.sap.com/2017/03/17/s4hana-howto-activate-context-sensitive-help-from-sap/



Fiori Web Assistant – In-Application Help
System Overview

System Overview
Shows all the systems for which the background job is running successfully.

System Types
The system type is read from the LMDB. Choose a system type to filter for these systems.

Sort, Filter, and Group
You can sort by attribute, as well as filter by technical system, IT admin role, and system priority. You can group by system type and favorites.

What's this App?
Here, you can manage the SAP Notes and support package patches that are not yet implemented and installed on your managed systems. For more information, see System Recommendations (link is broken).

Short help texts:
What's this App? – This is the System Recommendation app.
System Overview – Shows all the systems for which system recommendations are available.
System Types – Filter for a system type.
Sort, Filter, and Group – Display the systems that are relevant for you.



Fiori Web Assistant – In-Application Help
System Overview

Refresh SAP Notes
After refreshing the status of the SAP Notes that are implemented on the managed systems, only the SAP Notes are displayed that are available but not yet fully implemented. Thus, you can quickly check whether certain SAP Notes are already implemented.

Integrated Desktop Actions
You can show requests for changes and change impact analyses for one or several systems.

Short help texts:
Refresh SAP Notes – Refresh the status of the SAP Notes that are implemented on the managed systems.
Integrated Desktop Actions – On the System Overview screen, you show information for one or several systems.



Fiori Web Assistant – In-Application Help
Note Overview

Export
Download the SAP Notes to a file in CSV format. When downloading the SAP Notes overview file, the following applies:
- Only the SAP Notes that apply to the current filter criteria are included in the file.
- Regardless of which columns are displayed on the UI, the file contains all available columns, to provide a maximum of information.

Implementation Status
- New shows new SAP Notes (after the last run).
- New Version shows whether there is a new version for an SAP Note that you did not already set a processing status for.
- Updated shows whether there is a new version for an SAP Note that you are already processing.
When an SAP Note is in implementation status New Version or Updated, consider re-evaluating its processing status.

Processing Status
You can assign workflow statuses, but you can also customize statuses that reflect implementation projects. Thus, you can assign SAP Notes to projects. You can also assign comments when changing a processing status. The comment is displayed on the Show SAP Note detail page.

Short help texts:
Export – Download the SAP Notes from the overview.
Implementation Status – Shows the status of the SAP Notes as released by SAP.
Processing Status – Shows the processing status that you assigned.



Fiori Web Assistant – In-Application Help
Note Overview

Save as Tile
Filter for specific attributes such as systems or priority. Choose Save as Tile. You can now access the SAP Note Overview with your filters from a launchpad tile.

Integrated Desktop Actions
You can download SAP Notes, create requests for changes, and start change impact analyses for one or several systems.

Short help texts:
Save as Tile – Save specific filters to quickly display them from the launchpad.
Integrated Desktop Actions – On the SAP Note Overview screen, you perform the integrated desktop actions.





Fiori Web Assistant – In-Application Help
Note Details

Usage Count
For ABAP systems, shows the data that is available from Usage and Procedure Logging.

Short help text:
Usage Count – Shows the Usage and Procedure Logging data.



Troubleshooting: Application Log

Use transaction SLG1 for log object AGS_SR to inspect the application log for the background job of System Recommendations.



Troubleshooting: Support Tools for System Recommendations
Note 2427140 / 2423962 - SYSREC: Support tool for Solution Manager

Report AGSNO_RPT_EASY_SUPPORT records the same data that is sent from your SAP Solution Manager system to the SAP backend during note calculation, but in a readable format which is more appropriate for analysis on the SAP backend.

Execution of the report:
1. Run report AGSNO_RPT_EASY_SUPPORT and choose the system ID and the system type (e.g. ABAP or JAVA)
2. Save the generated XML file in your local directory. You can inspect the XML file with any XML viewer.
3. Compress the XML file into a .zip file using a common zip program
4. Create a support ticket on component SV-SMG-SR and add the zip file as an attachment.
Troubleshooting: Support Tools for System Recommendations
Note 2418578 - Report to batch download solution manager trace files

You use program SMBI_TRACE (see note 1394862) to trace the communication between your SAP Solution Manager system and the SAP Backbone system.

Some applications like System Recommendations (which has the application code SOLMANNOTE) may generate many trace files within a single transaction, and it is difficult to manually download all trace files and analyze their content.

Use report AGSNO_RPT_TRACE_DOWN to batch download these trace files and to extract information from them into additional log files. An authorization to read trace files is required to run this report.



Send Configuration Validation reports via email (7.2 SP 3)
Note 2427770 - Configuration Validation: Sending compliance results via email

BW Information Broadcasting is no longer supported in SAP BW 7.40 (Note 2020590).
Conclusion: You cannot schedule broadcast notifications for the System Recommendations BW report in SAP Solution Manager 7.2 anymore.

New report to send System Recommendations results via email: DIAGCV_SEND_SYSREC (System Recommendations Report)



New filter option for notes (7.2 SP 5)

✓ New filter option for individual notes:
Navigate to any notes list and adjust the filter by removing all other filter values and entering individual note numbers.

✓ Tip for using the date filter (example: 10.05.2017 - 13.06.2017)
Starting from: 01.01.2017 - 31.12.9999
Range: 10.05.2017 - 13.06.2017
One day: 13.06.2017 - 13.06.2017



Show side effect solving notes (7.2 SP 5)

Show side effect solving notes for a selected list of notes, and on the detail screen of a note.

Recommendation: Implement side effect solving notes right after implementation of the original notes.
What's new in System Recommendations

If a Software Component is not part of ABAP / JAVA / HANA systems in SLD / LMDB you do not find corresponding notes in System Recommendations.

Special Software Components:
▪ BC-FES-GUI added to all ABAP systems as a virtual software component of type 'Support Package Independent' as of May 2017
▪ CRYPTOLIB 8 SP000 added to ABAP and JAVA systems as a virtual software component as of July 2017
▪ SAPHOSTAGENT not covered yet



System Recommendations 7.2 SP 7
Separation between "Implementation Status" and "Processing Status"

The "Implementation Status" is set by the background job automatically:
• New: new note
• New version available: implemented ABAP note for which a new version is available
• Updated: updated note compared with the previous run
• [Implemented]: implemented notes are omitted in System Recommendations

The "Processing Status" is set by the user manually:
• Maintain available status values in customizing table AGSNOTE_STATUS
• Ensure to enter texts in all required languages
• The background job migrates existing status data into the new field once:
  if the old status was "New" or "New version available", the new status becomes "Undefined"

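How the two status fields drive the patch work list, as an added example in Python (not SAP code; SAP does this inside the Fiori app and the background job). It reads a CSV export like the one described under Note Overview / Export and sorts notes into three actions. The column names, the placeholder note numbers and all texts are constructed for this example; the Implementation Status values are the ones listed above, and the one-time migration rule is the one the SP 7 background job applies.

```python
"""Triage a System Recommendations CSV export into a work list.

Added example, not SAP code. Column names (Note, Implementation Status,
Processing Status, ...) and all rows are constructed for this example; the real
export carries every column of the Notes Overview regardless of the UI layout.
"""
import csv
import io

# Constructed sample export (semicolon separated); note numbers are placeholders.
SAMPLE_EXPORT = """\
Note;Short Text;Priority;Implementation Status;Processing Status;Comment
1000001;Placeholder note A;HotNews;New;;
1000002;Placeholder note B;High;New Version;;
1000003;Placeholder note C;High;Updated;In Process;waiting for test in TST
1000004;Placeholder note D;Medium;Updated;Implemented;transport released to PRD
1000005;Placeholder note E;Low;New;Not Relevant;component not used
"""

# Implementation Status values set by the background job (see above);
# "Implemented" never appears because such notes are omitted from the list.
RE_EVALUATE = {"New Version", "Updated"}


def parse_export(text):
    """Return the export as a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def migrate_legacy_status(old_status):
    """One-time migration rule of the SP 7 background job for the old single
    status field: 'New' and 'New version available' become 'Undefined'."""
    if old_status in ("New", "New version available"):
        return "Undefined"
    return old_status


def triage(rows):
    """Split notes into the three actions a patch coordinator has to take."""
    work = {"re_evaluate": [], "assign_status": [], "in_progress": []}
    for row in rows:
        impl = row["Implementation Status"].strip()
        proc = row["Processing Status"].strip()
        if impl in RE_EVALUATE:
            # SAP released a new version: the earlier decision may no longer hold.
            work["re_evaluate"].append(row["Note"])
        elif proc == "":
            # Brand-new note nobody has looked at yet.
            work["assign_status"].append(row["Note"])
        else:
            work["in_progress"].append(row["Note"])
    return work


def by_priority(rows, notes):
    """Order a note list HotNews first, so the work list starts with the worst."""
    rank = {"HotNews": 0, "High": 1, "Medium": 2, "Low": 3}
    prio = {r["Note"]: r["Priority"] for r in rows}
    return sorted(notes, key=lambda n: rank.get(prio[n], 99))


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for action, notes in triage(rows).items():
        print(action, by_priority(rows, notes))
```

Notes whose processing status was already set but whose implementation status flipped to Updated are the ones most often overlooked: a decision like "Not Relevant" taken on version 1 of a note is not automatically valid for version 2, which is why they land in the re_evaluate bucket first.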


System Recommendations 7.2 SP 7
Separation between "Implementation Status" and "Processing Status"

(Figure: SAP Status with fixed values next to User-defined Status maintained in customizing table AGSNOTE_STATUS)



System Recommendations 7.2 SP 7
New column "Support Package containing the solution" for ABAP notes

You have to activate this column manually. The new column shows the SP containing the solution.



System Recommendations 7.2 SP 7
New columns

You have to activate the column "Support Package" manually in the settings on the Notes Overview page.

The columns "Implementation Status" and "Processing Status" are activated automatically.



What's new in System Recommendations 7.2 SP 8
Support for Notes which are Relevant for System Measurement

As for HotNews, Performance Notes, or Legal Change Notes, you can now identify relevant notes having the attribute "Relevancy for System Measurement", aka "License Audit Notes".

Limitation: The Notes Search on SAP Support Portal https://support.sap.com/notes does not show a filter option for such notes.
What's new in System Recommendations 7.2 SP 8
Support for Notes which are Relevant for System Measurement

Preparation, which is only required if you have previously changed the customizing, e.g. to view correction notes, too:

In this case you have to extend the settings via transaction SM30_DNOC_USERCFG_SR for table DNOC_USERCFG:

SYSREC_NOTE_TYPES   HSLPCA

See Online Help: https://help.sap.com/viewer/34eaf25a11d54485aecf05e041f78555/107/en-US/aab02c8d37b54536bc3319521ea08eff.html

What's new in System Recommendations 7.2 SP 8
Support for Notes which are Relevant for System Measurement

You can activate a new filter field on the SAP Note Overview screen.

You can display the System Measurement and System Measurement ID columns on the SAP Note Overview screen via the settings button.

See Online Help: https://help.sap.com/viewer/34eaf25a11d54485aecf05e041f78555/107/en-US/aab02c8d37b54536bc3319521ea08eff.html

What's new in System Recommendations 7.2 SP 8
Support for Notes which are Relevant for System Measurement - Examples

Engine Measurement Correction
Note 2621557 - ILM Audit Module: Introduction of additional measurement units
Note 2512261 - FKKINV: Usage measurement for SAP Convergent Invoicing still includes documents for …
Note 2294328 - Measurement result for metric ID 3216 is 1 too high
Note 2254780 - Enhancement of software license audit for SAP GTS
Note 2234559 - Transaction USMM triggers a runtime error DBSQL_SQL_ERROR

LAW Consolidation
Note 2407507 - LAW 2.0 SDCCN transfer does not work to 7.31
Note 2164594 - LAW 2.0: Wrong user types during consolidation
Note 2112104 - LAW 2.0: Missing sort function in RFC STATUS

System Measurement USMM
Note 2213466 - System measurement: Performance during determination of user address data
Note 2170034 - System measurement: Incorrect measurement date is displayed in the License Administration Workbench
Note 1900773 - System measurement: Automatic measurement via RFC or as a background job

RFC Result Transfer
Note 2498932 - System measurement job RSUVM017 or RSUVM007 terminates sporadically
Note 2170036 - LAW 2.0: RFC results from component systems are placed in LAW1 inbox
Note 1630359 - Report RSLAW_PLUGIN: Error message in case of RFC problems
System Recommendations 7.2
Online Help

Online Help - SAP Solution Manager 7.2 SP 8
https://help.sap.com/viewer/product/SAP_Solution_Manager/7.2.08/en-US

➢ Change Control Management - System Recommendations (abstract only)
https://help.sap.com/viewer/8b923a2175be4939816f0981b73856c7/7.2.08/en-US/61d626565b13e121e10000000a4450e5.html

➢ Application-Specific Security Guide - Using System Recommendation Application (security)
https://help.sap.com/viewer/0043dbb640674d9bb916602fe2ec90e8/7.2.08/en-US/80f99ea7999a4a1392e8882bb0aa7cce.html

Online Help - SAP Fiori for SAP Solution Manager

➢ System Recommendations @ Fiori 1.0 SPS 7 (documentation)
https://help.sap.com/viewer/34eaf25a11d54485aecf05e041f78555/107/en-US/a5e801557f614c55e10000000a4450e5.html



System Recommendations in SAP Solution Manager 7.2
SAP Fiori apps reference library
https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer

→ e.g. search for Required Back-End Product
→ SAP Solution Manager
→ Check System Recommendations

At "Implementation Information" you find references for roles in the Front-End and the Back-End as well as the list of related OData Services.

See Blog: How To Explore "Fiori Apps Reference Library"
Benefit of SAP Solution Manager System Recommendations

Result and value
 Detailed gap analysis of SAP systems for Security Notes
 Listing of missing notes with the possibility to set a status
 Integration into change management and reporting

Limitation
 The automatic analysis covers the software level but not new options for security configuration

Use System Recommendations to create work lists for implementing Security Notes



Agenda

➔ SAP Security Notes and SAP Security Patch Day
  What they are, when they're published
➔ System Recommendations
  Tool to find the applicability of notes to systems
➔ Usage And Procedure Logging (UPL)
  Tool to find notes that address unused code
➔ Business Process Change Analyzer (BPCA)
  Tool to find the spots to test after note implementation
➔ Configuration Validation
  Tool to run cross-system validation
➔ SAP Security Patch Process
  How to put all into a working mechanism

(Figure: Security Tools and Services – EWA, Configuration Validation, Security Notes Report, System Recommendations, SOS)
The challenge! – Find notes addressing unused code

"What code do I use anyway?"



Usage and Procedure Logging (UPL)
The New Way of Getting the Real System Usage

(Figure: Custom Code Lifecycle Management cycle on top of the SAP Kernel: Requirements, Design, Build & Test, Deploy, Operate, Optimize)

 Kernel based logging technology with no measurable performance impact
 Easy to activate via central Solution Manager 7.1
 100 % reliable, based on execution of ABAP procedure units like methods, function modules, subroutines and much more
 Data basis for additional activities like clearing, test scoping, reduction of custom code maintenance
 Indicator for business criticality based on time slices
 Full BW reporting capability
SAP Usage and Procedure Logging (UPL)
FAQ about UPL

How do I find out whether UPL is collecting data?
Start transaction SCOV in the managed system. If UPL is activated, you will see the status information "SCOV lite is activated!" Furthermore the traffic light under "Data collection" should be green. In this case everything is fine.

Will UPL have any impact on the system performance?
No, there is no measurable impact, because we count the usage as soon as the ABAP compiler is loading the code. This is confirmed by the SAP benchmark team.

Are there any risks in activating UPL?
No, there is no known risk in activating UPL.

How much data will be consumed in the managed system?
We collect usage data on a daily basis. As soon as an ABAP program was executed, we only increase the execution counter. From our experience the needed DB space is between 2-10 MB for 14 days of data, but this depends on the real usage of different programs.

There is an error message "Data collection was not performed" in the monitor of SCOV.
Ensure settings and server are correct. If not, use report /SDF/UPL_CONTROL to stop UPL mode. Start transaction SCOV and correct the server settings. Then reactivate UPL again.

In case of technical issues open a customer message on component SV-SMG-CCM-CDM.



Data Flow in Managed System

(Figure: work processes executing reports, functions, methods and procedures write to a buffer in memory; a collector job moves it every 45 min* into the procedure usage table; a daily job creates the day extract once a day*; daily housekeeping* runs and the extract is transferred to Solution Manager. Report /SDF/SHOW_UPL and the ABAP Code Inspector read the collected data.)

* Default setting
SAP Usage and Procedure Logging (UPL)
Usage Analysis (local in managed system)

How to read the UPL data in the managed system?
Use the report /SDF/SHOW_UPL to show the UPL data on the managed system. This includes viewing of existing time slices and also the current UPL collection in progress. In most cases the usage information is instantly available.

Output format (selection of the most important fields):
Date: All entries with the same UPL date were executed at this date (no time available).
Object Type: Describes the transport type of objects. PROG for programs, FUGR for function groups, etc.
Object Name in Object Directory: Name of the ABAP repository object (TADIR).
Tcode/Program: Name of the ABAP include containing the ABAP procedure.
Type: Type of ABAP processing block. You are able to distinguish between executions of function modules (FUNC), class methods (METH), selection screens, report events, user exits, etc.
Processing Block: Name of the ABAP processing block.
Accumulated Executions: Number of executions.



SAP Usage and Procedure Logging (UPL)
Usage Analysis (local in managed system)



Dataflow in Solution Manager

(Figure: Solution Manager 7.1. The Extractor Framework reads the UPL data once a day via RFC APIs on the managed system and loads it into the BW cube (Day, Week, Month). BW queries feed the Solman applications: Custom Code Lifecycle Management, Solution Documentation Assistant, Business Process Change Analyzer, Scope & Effort Estimator, System Recommendations, etc.)



SAP Usage and Procedure Logging (UPL)
Central Analysis using BW in SAP Solution Manager

BW Query 0SM_CCL_UPL_MONTH

© 2019 SAP SE or an SAP affiliate company. All rights reserved. 131


Analysis of Object Usage in System Recommendations
Data Collection of Usage Procedure Logging (UPL)

(Figure: UPL data of the SAP ERP and SAP CRM systems (DEV, TST, PRD) is loaded to the BW of SAP Solution Manager. The consolidated UPL analysis for main programs (transport object), and detailed counts for functions and methods, are shown in System Recommendations as usage counts per system.)
System Recommendations in SAP Solution Manager 7.2
Note Details: Integration with Usage Procedure Logging (UPL)

The information about the usage count comes from UPL



Analysis of Object Usage in System Recommendations
Best practice

Preparation
• Connect DEV, TEST, and PROD systems to System Recommendations
• Use the DEV system to view notes which should be added to work lists for implementation
• Use the PROD system to validate that selected important notes have reached production after a given time
• Activate UPL for TEST and PROD systems
• You can skip DEV systems as these will not show useful usage data

Analysis of Results
• Zero count in PROD system
  • No explicit testing required as you are not using the programs (but you still should implement the notes)
• High count in PROD system and high count in TEST system
  • No explicit testing required as you are executing the programs with normal activities in the test environment
• High count in PROD system and zero count in TEST system
  • You might need explicit testing



Analysis of Object Usage in System Recommendations
Best practice
Personalization
SysRec loads UPL data for the previous and current month by default (= 4 to 8 weeks). This seems
to be reasonable for TEST systems because you do not want to see very old usage data from test
systems.
However, you might want to increase the time period for PROD systems to catch rare execution of
programs, too.
In SolMan 7.1 you can personalize the time range via transaction SU3 using user parameter
SYSREC_UPL_MONTH



SAP Usage and Procedure Logging (UPL)
Prerequisites for the monitored system

▪ SAP NetWeaver SAP_BASIS 7.01 SP10 or 7.02 SP9 (= SAP ERP 6.0 EHP4 or SAP ERP 6.0 EHP5)
▪ ST-PI 2008_1_700 SP4 or SP5 & Note 1683134, or ST-PI 2008_1_700 SP6 or higher
▪ Kernel 720 Patch 94 or higher according to …
  ▪ SAP Note 1785251 - SCOV/UPL: Error messages in monitor (Kernel 720 Patch 410 / 721 Patch 112)
  ▪ SAP Note 1822227 (to allow changing the data retention time using report /SDF/UPL_CONTROL)
  ▪ SAP Note 1906451 - Technical Preparation for Custom Code Management
▪ Based on our experience the space requirements are 2-10 MB for 14 days of data. So even data collection of one year won't massively affect space requirements. Nevertheless verify your individual storage settings / database free space for a higher retention time value.
▪ Report /SDF/UPL_CONTROL shows the status of UPL.

▪ Tip: use System Recommendations to search for the latest correction notes of application component SV-SMG-CCM-CDM for the managed system and for the SAP Solution Manager



SAP Usage and Procedure Logging (UPL)
Activation via SAP Solution Manager

The UPL activation procedure was subject to continuous enhancements in the SAP Solution Manager infrastructure. Starting with many manual steps in SAP Solution Manager 7.1 SP5, it has finally reached a fully guided and system-supported version in SAP Solution Manager 7.1 SP 11.

The SOLMAN_SETUP scenario for Custom Code Management contains all necessary steps and UIs to handle UPL configuration end to end, including job scheduling of the related UPL jobs.

See Note 1955847 - UPL: Activation Procedure and Authorization Handling in SAP Solution Manager

Additional authorizations:
• S_COV_ADM with change activity
• S_RFC for function group /SDF/SCOV_LITE



SAP Usage and Procedure Logging (UPL)
Guided Procedure as of SAP Solution Manager 7.1 SP 11

System specific part



Analysis of Object Usage in System Recommendations
Troubleshooting
If you do not see the additional column in System Recommendations or if you get zero results only:

• Check if UPL is active in the managed system
  • Report /SDF/UPL_CONTROL should show UPL as active
  • Report /SDF/SHOW_UPL should show some data (run it for a previous day to get results faster)

• Check if SolMan gets usage data
  • BW query 0SM_UPL_DATE_RANGE_BPCA or 0SM_CCL_UPL_MONTH should show some data
    Keep in mind that it takes some time (up to 2 days) to replicate usage data into this query
  • Note 2077995 describes the new report AGS_CC_INFRASTRUC_CHECK for SolMan 7.1 SP 12 which checks the UPL setup

• Check notes of application component SV-SMG-SR
  • Note 2099728 - SysRec: Object list for ABAP notes does not show Usage Procedure Logging data (UPL), from 02.12.2014 for SolMan 7.1 SP 9 - 12

➢ If UPL is not working ask for advice via application component SV-SMG-CCM-CDM
➢ If SysRec does not show existing usage data, create a ticket on application component SV-SMG-SR
➢ If report ZSYSREC_NOTELIST does not show existing usage data, send me a mail or comment on
https://scn.sap.com/community/security/blog/2011/07/18/report-zsysrecnotelist--show-results-of-system-recommendation
System Recommendations and UPL

Combined value
 Retrieve affected objects from System Recommendations
 Retrieve used objects via UPL
 Compare both lists
 If objects from a Security Note are not in the UPL list: the note will not affect running processes
 Implement the Security Note without testing

Effortless implementation of Security Notes for unused components

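The comparison described in this slide, together with the three decision rules of the Best practice slide above, as an added example in Python (not SAP code; System Recommendations shows the result as the Usage Count column). The note object lists, the UPL execution counts and the system names TST and PRD are constructed; in practice the object list comes from the note details and the counts from UPL. One choice is this example's own and not from the slides: an object that has no UPL row at all in PRD is reported as "no data" and forces explicit testing, instead of being treated as unused, because a zero count and missing data are different things once the default UPL time range or the ABAP-only coverage of UPL comes into play.

```python
"""Combine System Recommendations object lists with UPL usage counts to decide
how much testing a Security Note needs.  Added example, not SAP code.

Constructed data: the objects each placeholder note changes, and UPL execution
counts per system. Object keys use the UPL 'Type' prefix (FUNC, METH, PROG).
"""

# Constructed: objects listed for each (placeholder) Security Note.
NOTE_OBJECTS = {
    "1000001": {"FUNC SD_ORDER_CHECK", "METH CL_SD_PRICING=>CALCULATE"},
    "1000002": {"FUNC OLD_EXPORT_INTERFACE"},
    "1000003": {"FUNC HR_PAYROLL_POST", "PROG RPCALCX0"},
    "1000004": {"PROG ZRARE_YEAR_END", "FUNC KERNEL_ONLY_CALL"},
}

# Constructed UPL accumulated executions per system; absent key = no UPL row.
UPL_COUNTS = {
    "TST": {
        "FUNC SD_ORDER_CHECK": 40,
        "METH CL_SD_PRICING=>CALCULATE": 12,
        "FUNC OLD_EXPORT_INTERFACE": 0,
        "FUNC HR_PAYROLL_POST": 0,
        "PROG RPCALCX0": 0,
        "PROG ZRARE_YEAR_END": 0,
    },
    "PRD": {
        "FUNC SD_ORDER_CHECK": 1200,
        "METH CL_SD_PRICING=>CALCULATE": 80,
        "FUNC OLD_EXPORT_INTERFACE": 0,
        "FUNC HR_PAYROLL_POST": 30,
        "PROG RPCALCX0": 30,
        "PROG ZRARE_YEAR_END": 2,
    },
}

NO_TEST = "implement without explicit testing"
REGULAR = "covered by regular test activity"
EXPLICIT = "explicit testing required"


def used_objects(system, upl):
    """Objects with at least one recorded execution in the given system."""
    return {obj for obj, count in upl.get(system, {}).items() if count > 0}


def classify(objects, upl, test_system="TST", prod_system="PRD"):
    """Apply the decision rules: unused in PRD -> no test; used in PRD and in
    TST -> regular testing suffices; used in PRD but not in TST -> test it.
    Objects without any UPL row are kept as 'no data' (conservative choice of
    this example, not a rule from the slides)."""
    known = set(upl.get(prod_system, {}))
    no_data = sorted(objects - known)
    prd_used = objects & used_objects(prod_system, upl)
    if not prd_used and not no_data:
        return NO_TEST, [], no_data  # the note still has to be implemented
    untested = sorted(prd_used - used_objects(test_system, upl))
    if untested or no_data:
        return EXPLICIT, untested, no_data
    return REGULAR, [], no_data


def build_worklist(note_objects, upl):
    """Decision per note plus the objects that force explicit testing."""
    return {note: classify(objs, upl) for note, objs in note_objects.items()}


if __name__ == "__main__":
    for note, (decision, untested, no_data) in build_worklist(NOTE_OBJECTS, UPL_COUNTS).items():
        print(note, decision, untested, no_data)
```

The returned object lists are what goes into the test request: for note 1000003 the payroll function and report are executed in PRD but never in TST, so they are exactly the spots the regular test activity does not cover.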


The challenge! – Find the right test for the changes a Note makes

"Which process is affected, where to test for side effects?"



Business Process Change Analyzer (BPCA)
Motivation and Approach

Motivation: SAP Solution updates occur frequently
◼ SAP triggered: Support Packages, Enhancement Packages, SAP Security Notes
◼ Customer triggered: Customizing changes, Custom code development

Pain Point: Which critical business processes are affected by planned changes?

Approach: SAP Solution Update → Change Impact Analysis → Test Planning → Test Execution
◼ Change Impact Analysis: Identification of business processes affected by change; Risk-based Test Recommendation
◼ Test Planning: Test Case review and creation of missing test cases; Test Plan generation
◼ Test Execution: Regression Tests (Manual Tests, Automated Tests)



BPCA: Change Impact Analysis at an early stage

A BPCA Change Impact Analysis is performed using the top objects of the planned development against the business processes for risk assessment. (Figure: Solution Architect → impacted processes)



BPCA – Preparation
Business Process Documentation

Lean Process Documentation
BPCA requires a process hierarchy, system information and executables (transactions, custom development) to be documented in a project or a solution.

Process hierarchy:
◼ Business scenario
◼ Business processes
◼ Business steps



BPCA TBOM Generation
TBOM Creation during Manual Testing

Example: Business Scenario "Order to Cash" with the process steps Quotation, Sales Order, Delivery, Billing (Business Blueprint); process step "Sales Order" is executed on the customer SAP landscape (SAP ERP, …).

1. Tester starts the manual test case from the Tester Worklist
2. Tester executes the process step in the SAP managed system while BPCA traces all SAP objects used by the process step in the background
3. The generated TBOM is assigned to the Process Step / Business Process



BPCA - TBOM Generation
Current Alternatives plus new Approach

Static TBOM generation approach
▪ Positive: background job to generate all TBOMs without manual effort
▪ Disadvantage: less precision compared to dynamic TBOMs due to the limit of 4 branching levels

Dynamic TBOM generation approach
1. Manual execution of business transaction by user with TBOM generation in the background
2. Initial: Work-Item for Business User in PRD system; Update: Manual Testers in TST system
3. Automatic generation via automated tests (eCATT, SAP TAO, HP QTP, …)

Semi-dynamic TBOM generation approach
UPL data in PRD system (Usage and Procedure Logging of ABAP objects at kernel level) → UPL filter → BPCA background job for TBOM generation → semi-dynamic TBOM
✓ No manual effort through system background processing (overnight)
✓ High precision
✓ Repeatable at any time
Don't have documented processes yet?
Automatic generation of Business Blueprint / Process Step Library

Process Step Library
• List of Process Steps by any grouping, e.g. by SAP Modules
• Assigned entities like Executables (e.g. transaction codes) and documentation

Example: Process Steps and Transactions for SD

Automatic generation of Process Step Library
• Program RUTILITY_BLUEPRINT_GENERATION via SAP Note 2061626 for SAP Solution Manager SP10 - see next pages for details
• Application "Scope and Effort Analyzer" (SEA) – available with SAP Solution Manager SP11
© 2019 SAP SE or an SAP affiliate company. All rights reserved. 155
Extended Functions in System Recommendations
Integration with Business Process Change Analyzer

Execute Business Process Change Analyzer (BPCA) to identify business processes which should be tested.


System Recommendations and BPCA

Combined value
 Run BPCA to know which technical objects are used in which process
 Hand over objects affected by SAP Security Notes from System Recommendations to BPCA
 Determine affected processes
 Develop suitable test cases for side effects

Efficient testing after SAP Security Note implementation


Agenda

➔ SAP Security Notes and SAP Security Patch Day
  What they are, when they're published
➔ Security Tools and Services
➔ System Recommendations
  Tool to find the applicability of notes to systems
➔ Usage And Procedure Logging (UPL)
  Tool to find unused code notes address
➔ Business Process Change Analyzer (BPCA)
  Tool to find the spots to test after note implementation
➔ Configuration Validation
  Tool to run cross-system validation
➔ SAP Security Patch Process
  How to put all into a working mechanism

[Tool icons shown beside the agenda: EWA, Configuration Validation, Security Notes Report, System Recommendations, SOS]
Consider Customers' Situation of Today …

Typical questions:
• Are the OS, DB, software and kernel on all systems at the required / latest level? … on all systems? … Please show me!
• Have we applied SAP Note xxxxx on all systems? … Please report the implementation status for all systems … Could I have a list of the systems where it is still missing?
• Have we imported transport request xxxx (with important performance changes) on all systems?
• Are all our CRM systems compliant with the new configuration baseline? … Not compliant … which systems? What exactly?
• Are security settings applied? … on all systems? … Could you please confirm and report?

Challenges
 A large number of systems … complex SAP landscape …
 … need to perform a comparison of the current configuration status against a defined target or standard configuration baselines
 … with minimum effort and ASAP
What is Configuration Validation?
The Idea behind Configuration Validation

A reporting to understand how homogeneous the configuration of systems is.

[Diagram: the configuration items of a reference system (software packages, ABAP notes, kernel level, transports, parameters, …) are compared by Configuration Validation with the configuration items of the compared systems 1 … N; the result shows compliance with the reference system.]

Typical questions are:
 All systems on a certain OS level or DB level?
 Template configuration (SAP or DB parameters) applied on all systems?
 No kernel older than 6 months on all systems?
 Security policy settings applied? Security defaults in place?
 Have certain transports arrived in the systems?
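The comparison the slide describes, written out as an added example (this is not Configuration Validation's own code, which runs as BW reporting inside SAP Solution Manager). A reference system and three compared systems are constructed inline with the item types named above; note numbers, transport ids and package levels are placeholders, and the kernel-age limit of 183 days stands in for "6 months". Each deviation is reported as (item type, key, expected, actual), and a helper answers the typical question "on which systems is note N still missing?":

```python
"""Cross-system check of configuration items against a reference system.

Added example with a constructed landscape: one reference (target) system and
three compared systems, described by the item types named on the slide (kernel
level, software packages, ABAP notes, transports, profile parameters). Note
numbers, transport ids and package levels are placeholders.
"""
import copy
from datetime import date

TODAY = date(2019, 10, 8)   # constructed reporting date

REFERENCE = {
    "kernel": {"release": "753", "patch": 700, "built": date(2019, 7, 15)},
    "packages": {"SAP_BASIS": "0014", "SAP_ABA": "0014"},
    "notes": {"2000000", "2000001", "2000002"},      # placeholder note numbers
    "transports": {"DEVK900123", "DEVK900124"},       # constructed transport ids
    "parameters": {                                   # real parameter names, sample values
        "login/min_password_lng": "8",
        "login/no_automatic_user_sapstar": "1",
    },
}

SYSTEMS = {
    "ERP": copy.deepcopy(REFERENCE),                  # fully compliant
    "CRM": {
        "kernel": {"release": "753", "patch": 500, "built": date(2019, 1, 10)},
        "packages": {"SAP_BASIS": "0012", "SAP_ABA": "0014"},
        "notes": {"2000000", "2000002"},
        "transports": {"DEVK900123"},
        "parameters": {"login/min_password_lng": "6", "login/no_automatic_user_sapstar": "1"},
    },
    "BW": {
        "kernel": {"release": "753", "patch": 700, "built": date(2019, 7, 15)},
        "packages": {"SAP_BASIS": "0014", "SAP_ABA": "0014"},
        "notes": {"2000000", "2000001", "2000002"},
        "transports": {"DEVK900123", "DEVK900124"},
        "parameters": {"login/min_password_lng": "8"},   # second parameter not set at all
    },
}


def validate(system, reference, today, max_kernel_age_days=183):
    """Return (item_type, key, expected, actual) tuples; an empty list means compliant."""
    findings = []
    k_ref, k_sys = reference["kernel"], system["kernel"]
    if (k_sys["release"], k_sys["patch"]) != (k_ref["release"], k_ref["patch"]):
        findings.append(("kernel", "level", f"{k_ref['release']}/{k_ref['patch']}",
                         f"{k_sys['release']}/{k_sys['patch']}"))
    age = (today - k_sys["built"]).days
    if age > max_kernel_age_days:                     # "no kernel older than 6 months"
        findings.append(("kernel", "age", f"<= {max_kernel_age_days} days", f"{age} days"))
    for comp, level in reference["packages"].items():
        if system["packages"].get(comp) != level:
            findings.append(("package", comp, level, system["packages"].get(comp)))
    for note in sorted(reference["notes"] - system["notes"]):
        findings.append(("note", note, "implemented", "missing"))
    for tr in sorted(reference["transports"] - system["transports"]):
        findings.append(("transport", tr, "imported", "missing"))
    for param, value in reference["parameters"].items():
        if system["parameters"].get(param) != value:
            findings.append(("parameter", param, value, system["parameters"].get(param)))
    return findings


def validate_landscape(systems, reference, today):
    """Deviations per system id: the cross-system view the slide asks for."""
    return {sid: validate(cfg, reference, today) for sid, cfg in systems.items()}


def systems_missing_note(systems, note):
    """Answer 'on which systems is SAP Note N still missing?'"""
    return sorted(sid for sid, cfg in systems.items() if note not in cfg["notes"])


if __name__ == "__main__":
    for sid, findings in validate_landscape(SYSTEMS, REFERENCE, TODAY).items():
        print(sid, "compliant" if not findings else "")
        for item_type, key, expected, actual in findings:
            print(f"  {item_type:<10} {key:<32} expected {expected!s:<12} found {actual}")
    print("Note 2000001 missing on:", systems_missing_note(SYSTEMS, "2000001"))
```

The parameter check deliberately treats "not set" the same as "wrong value", since a security default that is absent is as much a deviation as one that was overridden.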


Configuration Validation
Options to report about SAP Notes

A) Configuration Validation using a Target System which is based on EarlyWatch online recommendations (RSECNOTE)
• Use this option to produce a cross-system analysis comparable to RSECNOTE (ABAP only)
• The target system defines which notes should be checked. The note list and the check conditions are loaded from EarlyWatch online recommendations.

B) Configuration Validation using a Target System which is based on Notes
• Use this option to produce a cross-system analysis on selected notes (ABAP and Java)
• The target system defines which notes should be checked. The initial note list is loaded from System Recommendations and can be reduced or extended.
• The check conditions are loaded from the note definitions available at SAPNet.

C) System Recommendations Reporting
• Use this option to produce a cross-system analysis for System Recommendations


Configuration Validation
B) Configuration Validation using a Target System based on Notes
Option b) all notes based on System Recommendations

The SAP Notes relevant for the source system can be restricted via
 Data Range
 Note Group – for example, only Security and HotNews SAP Notes can be inserted


Configuration Validation
C) System Recommendations Reporting

Using the predefined report 0TPL_0SMD_VCA2_SYS_RECOM_NOTES of the application "Configuration Validation" you can define arbitrary selections, filters and views for a cross-system report based on the results of the application "System Recommendations".

Select note area … or select notes which have been classified as being 'important' by your CERT department.

CERT = Computer Emergency Response Team
Configuration Validation
C) System Recommendations Reporting

New option to paste note numbers into the selection screen of the reporting as of SolMan 7.1 SP 9 for the query showing results of System Recommendations.
1. Step: Activate the new option
2. Step: Paste the system names or the note numbers into the new popup


Configuration Validation
Result


Cross-System reporting about System Recommendations

Combined value
 Run cross-system BW reporting about System Recommendations
 Validate if selected notes have reached production systems
 Determine quality of patch processes

Efficient validation after SAP Security Note implementation


The challenge! – Weighing security risk against operational risk

Whether to patch, or not to patch?


Security Patch Day:
How to implement which note in which system?

Unfortunately the tools reduce the mass and effort issue only partially:
➢ Depending on the age of the system, very many Security Notes (up to hundreds) are relevant per system
➢ The priority of the notes is not a strong, selective criterion, as approximately 80% of all notes have priority "HotNews" or "high"
➢ Depending on the size of the system landscape you have to patch many systems. You have to align exceptional security patches with regular maintenance activities.
➢ The effort to analyze and to implement security notes, to identify the test requirements and to document all activities is quite high
➢ You don't get any guarantee that there are no notes which produce massive issues during implementation or usage in production systems
➢ Different technologies (especially ABAP, Kernel, Java, HANA) require special patch processes
➢ In case of other products like Business Objects or Mobile it's even difficult to find relevant notes


The 5 Stages of a Security Patch Process

1. List of Security Notes: support.sap.com/securitynotes
2. Monthly execution of "System Recommendations"
3. Check Security Notes within "Maintenance Planner"
4. Reduction of test effort using UPL or BPCA *
5. Continuous Security Monitoring using "Configuration Validation"

Useful Documentation:
SAP Security Patch Day Working Paper: support.sap.com/sos → Media Library (German/English)
Security Patch Process FAQ: scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
Details about System Recommendations: support.sap.com/sysrec
Demo of System Recommendations: Link
* UPL – Usage Procedure Logging, BPCA – Business Process Change Analyzer (support.sap.com/testing)
Most Important: SAP Security (Patch) Policy

The best support to bring a patch process to life:
➢ Describes organization (responsibilities) and processes relevant for implementing security patches
➢ Defines the mandatory timelines for published security patches and implementation of SPs
➢ Often dependent on security classification of systems or applications
➢ Should provide hard targets but should also allow for documented, approved exceptions
➢ Goal: Make patching mandatory but balance security risk against operational risk


Trivial SAP Security Patch Policies

Business first
No patching at all. Only exceptions are SPs every 2 years (or less) or one or two "Hot News" notes a year for severe vulnerabilities

Security first
No discriminating patching policy, no assessments, trade-offs. Security Notes are implemented immediately regardless of priority

Non-Trivial SAP Security Patch Policies

Business first
No patching at all. Only exceptions are SPs every 2 years (or less) or one or two "Hot News" notes a year for severe vulnerabilities

Patch with reason
Assess security and implementation risk, weigh trade-off to determine best approach for SAP Security Note implementation.

Security first
No discriminating patching policy, no assessments, trade-offs. Security Notes are implemented immediately regardless of priority
The patching process: Actions to take

1. Find the notes. Use SAP Support Portal and System Recommendations.
   a) Ongoing project: Monthly patch process to catch new notes
   b) Special project to cover the backlog of old notes once the monthly patch process works fine
2. Classify the notes for the patching policy: Assess the security risk (i.e. priority & CVSS).
3. Classify the notes for the patching policy: Assess the implementation risk (UPL, BPCA).
4. Apply patching policy. Results in timeline until when to patch.
5. Communicate targets. Follow up on implementation progress / patching compliance.


Classification of Security Notes by Type

1. ABAP Correction Instructions
   Use Note Assistant (transaction SNOTE) to implement the correction or apply the Support Package

2. ABAP software-like manual corrections
   Implement the correction manually, e.g. deactivate a web-based service, and use normal transports

3. Kernel Notes: install a new Kernel
   Java Notes: install Java Support Packages or Patches
   HANA Notes: install a new revision

4. Notes about other components
   Individual procedure to find notes and to update the CryptoLibrary, other Databases, SAPGUI, RFC Library, Business Objects, Sybase, ..

5. Other manual instructions
   Anything else. Sometimes described in White Papers or Documentation, too.
Classification of Security Notes by Implementation Process

1. Implementation as part of a monthly standard patch process


e.g. for ABAP Correction Instructions or ABAP software-like manual
corrections

2. Implementation as part of a project


e.g. for notes about other components or other manual instructions

3. Implementation as part of maintenance activities


e.g. Support Package upgrade, Kernel upgrade, Java upgrade

4. Implementation after maintenance activities


e.g. manual instructions which require a Support Package upgrade or
Kernel upgrade as a prerequisite
Sample SAP Security Patch Policy

1. Every system / application has to be put into a security category / classification [Very High, High, Medium, Low]

2. No SP level must be older than 1.5 years

3. Security Notes published by SAP must be assessed and classified by priority [Very High, High, Medium, Low] and implementation process [Monthly, Maintenance, Project]

4. The following timelines apply (excerpt):

   System Class [Max]   Note Priority   Impl Process   Deadline
   Very High            Very High       <any>          30 days
   Very High            High            Monthly        30 days
   Very High            High            Maintenance    90 days
   High                 High            Project        180 days
   ……….

5. Exceptions are allowed for good reason but must be documented and approved by IT Security
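How the sample policy turns into concrete due dates, as an added example (not SAP's code and not part of the slide): the policy excerpt above is the rule table, a few placeholder notes carry the priority and implementation process from step 3, and a constructed System Recommendations result says on which systems each note applies. "System Class [Max]" is read here as the highest class among the systems a note applies to, which is an assumption; the due date is counted from the SAP Security Patch Day, the second Tuesday of the month. Combinations the excerpt does not cover are reported as a policy gap rather than given an invented deadline, and a documented exception (step 5) is carried through to the status:

```python
"""Applying the sample SAP Security Patch Policy to one month's notes.

Added example with constructed data: the policy excerpt from the slide, placeholder
note numbers classified by priority and implementation process, and the systems
(with their assumed security class) on which System Recommendations lists them.
"System Class [Max]" is assumed to mean the highest class among affected systems.
"""
from datetime import date, timedelta

CLASS_RANK = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}

# (system class, note priority, implementation process, deadline in days); first match wins
POLICY = [
    ("Very High", "Very High", "<any>", 30),
    ("Very High", "High", "Monthly", 30),
    ("Very High", "High", "Maintenance", 90),
    ("High", "High", "Project", 180),
]

SYSTEMS = {"ERP": "Very High", "CRM": "High", "BW": "Medium"}   # constructed classification

NOTES = [   # constructed; the numbers are placeholders, not real SAP Notes
    {"number": "2000001", "priority": "Very High", "process": "Project", "systems": ["ERP", "CRM"]},
    {"number": "2000002", "priority": "High", "process": "Maintenance", "systems": ["CRM", "ERP"]},
    {"number": "2000003", "priority": "High", "process": "Project", "systems": ["CRM"]},
    {"number": "2000004", "priority": "High", "process": "Monthly", "systems": ["BW"]},
]

EXCEPTIONS = {"2000003": "approved by IT Security, ticket <placeholder>"}   # step 5


def second_tuesday(year, month):
    """SAP Security Patch Day: the second Tuesday of the month (weekday(): Monday == 0)."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_tuesday + 7)


def deadline_days(system_class, note_priority, impl_process):
    """Look up the policy table; None means the excerpt has no rule for this combination."""
    for cls, prio, proc, days in POLICY:
        if cls == system_class and prio == note_priority and proc in ("<any>", impl_process):
            return days
    return None


def max_system_class(system_ids, systems):
    return max((systems[s] for s in system_ids), key=CLASS_RANK.__getitem__)


def plan(notes, systems, patch_day, exceptions=None):
    """Per note: effective system class, deadline in days, due date and a status line."""
    exceptions = exceptions or {}
    result = {}
    for note in notes:
        cls = max_system_class(note["systems"], systems)
        days = deadline_days(cls, note["priority"], note["process"])
        entry = {"class": cls, "days": days, "due": None}
        if days is not None:
            entry["due"] = patch_day + timedelta(days=days)
        if note["number"] in exceptions:
            entry["status"] = "exception: " + exceptions[note["number"]]
        elif days is None:
            entry["status"] = "not covered by policy excerpt: decide and document"
        else:
            entry["status"] = "due " + entry["due"].isoformat()
        result[note["number"]] = entry
    return result


PATCH_DAY = second_tuesday(2019, 10)
PLAN = plan(NOTES, SYSTEMS, PATCH_DAY, EXCEPTIONS)

if __name__ == "__main__":
    print("Patch Day:", PATCH_DAY)
    for number, entry in PLAN.items():
        print(number, entry["class"], entry["priority"] if "priority" in entry else "", entry["status"])
```

Keeping the rule table as data rather than nested conditions is what makes the policy reviewable: IT Security can read and extend the table, and a combination that falls through is visible as a gap instead of silently getting the most lenient deadline.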
Sample patch process
Integrated approach with policy adoption and checks

Monthly on 2nd Tuesday: SAP Security Patch Day
 Check Support Portal /securitynotes
 Check System Recommendations in Solution Manager
 Check SAP Security Notes Advisory (/sos → Media Library)

The week after the Patch Day:
 WORKFLOW: Apply within X days (policy)
 WORKFLOW: Scheduled implementation (patch policy)
 WORKFLOW: Check in X days

Within one month, three months …:
 Apply Security Notes; apply additional manual configuration of SAP Security Notes; perform individual regression test if necessary
 Apply Kernel Patches, Java Patches and ABAP Support Packages
 Check status; document exception

During next maintenance cycle:
 Apply; complete test


What's happening at the customer side?
Customers Demonstrate an Increasing Adoption of SAP Security Patches as a Corporate Policy

Trade-off tips to the patching side
"We apply SAP security patches immediately and move them to our productive systems after a 1 month cooling time whether or not we've had the time to test them." ExxonMobil, October 2014

Time to patch follows priority
"We decided to apply all security notes (immediately after every patch day) and our operations managers have to do it within the decided processing times per note priority." BMW, October 2014

Negligible critical side effects
"From a security patching perspective we can confirm that we have had no impact on the productivity of the systems in the last 6 months." ExxonMobil, October 2014


Hosts of the Security Notes Webinar

ASUG Security SIG, English, Wednesday 18:00-19:00 CEST = 12:00 EST = 9:00 PST
Calendar: https://www.asug.com/events#!/events/cal?keyword=Security&categories=webinar&period=month

DSAG AG SAP Security Vulnerability Management, German, Thursday 14:00-15:00 CET
Calendar: https://www.dsag.de/arbeitsgremien/ag-sap-security-notes/veranstaltungen

SAP Enterprise Support Value Map Security / SAP Enterprise Support Academy, English, Thursday 10:00-11:00 CET
To access the SAP Learning Hub, edition for SAP Enterprise Support, a one-time registration via an S-user is required. The registration triggers an automatic eligibility check. Access is included in SAP Enterprise Support and SAP Enterprise Support, Cloud Edition as well as in SAP Product Support for Large Enterprises.

You can find the latest version of the presentation on SAP Support Portal /sos
https://support.sap.com/sos → Advisories → Security Notes Webinar


How to register via SAP Enterprise Support Value Map Security

SAP Enterprise Support Value Map Security
→ Forums (via drop-down selector)
→ Subscribe (to get updates about the webinar series) and enter the forum "SAP Security Patch Days"
→ Open the latest "SAP Security Patch Day" blog
→ Scroll up, find and click on the link to register
→ Click the "Calendar view" for fast registration
→ Register all scheduled sessions of the series (to join the webinar sessions)
SAP Security Notes Advisory by SAP Consulting

When publishing Security Notes on https://support.sap.com/securitynotes, SAP also publishes a prioritization. This prioritization is based on certain criteria from a development / product point of view, also incorporating CVSS scores where applicable.

With the SAP Security Notes Advisory, SAP Global Service & Support offers an additional prioritization. This prioritization is no contradiction to the original priorities given by the SAP product development. It supplements these priorities with a field view, adding experiences from both practical security and implementation of SAP applications and operation of systems by SAP Global Service & Support. The Advisory also gives hints on side-effects to expect and recommends an implementation approach for the Security Notes published each month.

Important note: This service is delivered by SAP Consulting (part of SAP Global Service & Support). Please address any questions about this Advisory to [email protected]

If you have issues with individual SAP Note implementation steps, please open a message on the component of the SAP Note.

You can find the latest version of the Advisory on SAP Support Portal /sos
https://support.sap.com/sos → Media Library → SAP Security Notes Advisory
SAP Security Notes Advisory by SAP Consulting
Example

[Annotated screenshot of the advisory sheet:]
 Information contained in the Excel download of Security Notes from SAP Support Portal
 Information contained inside the Security Notes text
 Additional information and recommendations from SAP Services


Core elements of the advisory

The advisory is a simple Excel workbook with several data sheets
 Cover sheet
 Summary / Howto
 Legend (color coding)
 Advisory sheet (main content)
 Notes list (month)
 Notes chart (all)
 Notes statistics (all)
 Notes list (all)


Color coding of the advisory sheet columns

The colors indicate the source of the information
 Grey: Original information from SAP Security Notes publication (https://support.sap.com/securitynotes)
 Olive: Original information from individual SAP Security Note (https://service.sap.com/sap/support/notes/<note number>)
 Blue: Additional information from SAP Services


Header data from SAP Security Note

Basic information indicating applicability and severity of the issue
 Category: Program error, Customizing, Consulting
 System type: derived from affected component (Java, ABAP, HANA …)
 CVSS data
 External attention
 SPIN or PD note


CVSS data from SAP Security Note

CVSS vector details
 Open additional columns with "+" at column H
 Automatically derived from vector spec
 Gives additional hints on attack complexity
 Also has indicators on damage (confidentiality, integrity, availability)


Note assessment (1/2)

Additional information on priority and risk (field point of view)
 Priority recommendation
 (Changed) Priority
 Reason for deviation from product development priority
 Vulnerability type
 Risk details
 Solution type


Note assessment (2/2)

Additional information on implementation risk and approach
 Type of correction
 Implementation recommendation
 Effort indicators
 Side effects, note dependencies
 Additional topics to consider
 Possible workarounds


Correction data from SAP Security Note

Additional information on applicability
 SPs containing the correction
 ABAP objects affected
 Java components


SAP Security Notes Advisory by SAP Consulting
Impact Analysis for ABAP Security Notes

The Patch Day Security Notes with ABAP corrections are supported by an impact analysis which will provide
information on which end user applications might be impacted by a given note.

This information enables customers to perform regression testing before patching the productive systems thereby
taking informed decisions and ensuring continuity of their processes.

The impact analysis is based on static analysis of dependencies performed internally at SAP on a standard
SAP system which is on the latest release. Custom coding is not supported.

The analysis currently supports dependencies related to Reports, Transactions, Remote-Enabled Functions (RFC)
and WebDynpro ABAP applications.



Security Notes assessment: monthly steps

1. Receive the advisory via mail

2. Refine the advisory on a global (system independent) level
   – Add company specific details and handling recommendations
   – Add timeline-to-patch from company policy
   – Remove irrelevant data

3. Either globally or per system owner: download the list of applicable notes for each system from the System Recommendations application

4. Merge the Excels of applicable notes with the refined recommendations from the advisory

5. Send the result to the system owner / application manager to handle
   On application level, exceptions might be necessary


Handling best practices

If you are looking for EWA / RSECNOTE-like information:
▪ Filter "Correction type" for "SNOTE" (no manual steps)
▪ Filter "Recommended implementation process" for "Monthly patch process"
▪ Filter "Priority" to be at least "High"
▪ This will result in all notes that are important and easy to implement (which was the aim of RSECNOTE)

Testing recommendations
▪ Obsolete code: "Solution" columns
  − When code is removed, it shouldn't have been there right from the start
  − High probability that this code had never been used in customer production either
▪ ABAP: Use UPL to measure object usage
  − Performance impact negligible
  − Reports /SDF/UPL_CONTROL, /SDF/SHOW_UPL
  − UPL functionality is contained in ST-PI components
  − Compare results with affected objects from advisory
▪ Objects that are not used might be used by an attacker. But patching is easy because no testing is required.
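The two handling steps above, the RSECNOTE-like filter and the comparison of UPL usage with the affected objects, as an added example (not the advisory's own logic and not SAP code). The advisory rows and the UPL result are constructed; the column names (correction_type, process, solution, objects) and the "TYPE:NAME" object keys are assumptions about the workbook layout, not its real structure. Each note ends up either with the list of affected objects that production actually executes (regression test needed) or with the "patch anyway, no test" recommendation, with removed obsolete code called out separately:

```python
"""RSECNOTE-like filtering of the advisory and UPL-based test-effort reduction.

Added example, not the advisory's own logic: rows and UPL data are constructed,
and the column names are assumptions about the advisory sheet, not its actual
workbook layout. Note numbers are placeholders; object keys use a made-up
"TYPE:NAME" form.
"""
PRIORITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "HotNews": 3}

ADVISORY = [
    {"note": "2000001", "priority": "HotNews", "correction_type": "SNOTE",
     "process": "Monthly patch process", "solution": "Code removed",
     "objects": {"PROG:RSDEMO_OLD"}},
    {"note": "2000002", "priority": "High", "correction_type": "SNOTE",
     "process": "Monthly patch process", "solution": "Authorization check added",
     "objects": {"FUGR:ZDEMO_RFC", "PROG:RSDEMO_REPORT"}},
    {"note": "2000003", "priority": "High", "correction_type": "Manual",
     "process": "Project", "solution": "Path validation added",
     "objects": {"PROG:RSDEMO_FILE"}},
    {"note": "2000004", "priority": "Medium", "correction_type": "SNOTE",
     "process": "Monthly patch process", "solution": "Output encoding added",
     "objects": {"WDYN:ZDEMO_APP"}},
]

# Constructed UPL result: objects executed in production during the measurement period.
UPL_USED_IN_PRD = {"PROG:RSDEMO_REPORT", "WDYN:ZDEMO_APP", "PROG:ZCUSTOM_X"}


def rsecnote_like(rows, min_priority="High"):
    """The three filters from the slide: SNOTE only, monthly process, priority at least High."""
    return [r for r in rows
            if r["correction_type"] == "SNOTE"
            and r["process"] == "Monthly patch process"
            and PRIORITY_RANK[r["priority"]] >= PRIORITY_RANK[min_priority]]


def recommend_testing(row, used_objects):
    """Compare affected objects with UPL usage to decide whether a regression test is needed."""
    used = row["objects"] & used_objects
    if used:
        return "regression test required: " + ", ".join(sorted(used))
    if row["solution"].lower().startswith("code removed"):
        return "no test required (obsolete code removed, never used in PRD)"
    return "no test required (affected objects not used in PRD; patch anyway)"


def assess(rows, used_objects):
    """Test recommendation per note number."""
    return {r["note"]: recommend_testing(r, used_objects) for r in rows}


def monthly_worklist(rows, used_objects):
    """Notes for the monthly patch process, each with priority and test recommendation."""
    return [(r["note"], r["priority"], recommend_testing(r, used_objects))
            for r in rsecnote_like(rows)]


if __name__ == "__main__":
    for note, prio, advice in monthly_worklist(ADVISORY, UPL_USED_IN_PRD):
        print(note, prio, advice)
    print()
    for note, advice in assess(ADVISORY, UPL_USED_IN_PRD).items():
        print(note, advice)
```

Note that a "not used" result only reduces the test effort; it never downgrades the note, since an object nobody runs is still reachable by anyone who knows it exists.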


Handling best practices

By vulnerability type:
▪ Directory traversals: very often difficult to implement
A project approach is advisable for non-recent SP levels
Security risk depends highly on “read” vs. “write”
▪ Missing authorization: very often fairly easy to implement
(but watch out for objects that might be missing in roles)
▪ XSS: very often fairly easy to implement and test
▪ Code / SQL (write) / Command injection: dangerous! – and often easy to implement
▪ Information disclosure / SQL (read) injection:
No imminent danger to system integrity

Check “Additional comments” for implementation issues (dependent notes) and side effects

Some customers calculate time-to-patch on both implementation approach and security risk.



Three key messages as take away!

Applying SAP Security Notes is a challenging topic.

SAP provides tools for an efficient matching of notes to systems and processes.

The setup of a proper patch process is key in keeping important business systems secure.


SAP CERT / Vulnerability Advisory Service

Key Message:
 Absolute baseline security / first and most effective security measure against exploits and attacks.
 The advisory team screens timely commercial as well as public security sources and filters relevant vulnerabilities.
 All components used within SAP are in scope incl. SAP NetWeaver or SAP HANA patches.

Monitor + Analyze
 Monitor vulnerability advisory service channels
 Prioritise vulnerability advisory service channels based on criticality of assets and risk
 Analyse and research vulnerabilities for applications and infrastructure components

Rate Vulnerability
 Rate vulnerabilities by using the Common Vulnerability Scoring System (CVSS).
 Steer and coordinate SAP Threat Round Table meetings

Create SAP CERT Advisory
 Timely and effective dissemination of vulnerability information to actively subscribed users
 Provide patch notification for fixing vulnerability incl.
  Threat Level
  Severity rating / CVSS score
  Recommendation
  Patch Timeframe
SAP CERT / Vulnerability Advisory Service - Examples


Standard approach for SAP Business Systems

Step 1: SAP Vulnerability Advisory Service provides SAP Security Note details on SAP Patch Day
Step 2: Central operation team in SAP IT reviews Advisory and related SAP Security Notes
Step 3: Creation of task list via application System Recommendations or FRUN CSA Validation
Step 4: System Owner verifies task list and confirms list of to-be-implemented notes
Step 5: Implementation of Notes in bugfixing systems using the standard change management process incl. creation of relevant master change tickets
Step 6: Import and testing is done based on criticality and rating of notes either via monthly release delivery or via Emergency Change / Fast Track for Very Critical Patches.
Step 7: Tracking and reporting is done via FRUN CSA Validation (which is similar to Configuration Validation)


Approach for Kernel and Support Package Upgrade

➢ Kernel upgrades are done as part of planned downtime activities at least every quarter. For critical fixes the emergency change process applies.
➢ Security patches available only as part of Support Package updates are done on a regular basis, but at least 2 times a year.
➢ Only the remaining Security Notes need to be implemented as part of the monthly patch process


Contact information:

Frank Buchholz
SAP CoE Security Services
[email protected]

Security Patch Process FAQ
https://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
© 2019 SAP SE. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See https://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.