SAP-samples / frun-csa-policies-best-practices

Best practices check examples for creating CSA policies in SAP Focused Run
Apache License 2.0

SAP Security Notes policies for other components than ABAP or HANA #9

Closed atoskostecki closed 2 years ago

atoskostecki commented 2 years ago

Hi @ManfredAch, hi @ReneMuth!

Thank you so much for maintaining this project. Although I'm wondering why this is focused only on ABAP and HANA. I do think we should also have the possibility to check security notes against other systems/components like:

Are there any near future plans to extend the scope? Thanks again.

ManfredAch commented 2 years ago

Hello, we will not provide policies for other areas. We can only guarantee that we will publish a Security Patch Day policy for ABAP and HANA (if there is a security note) this year. There is no decision for the future.

The ABAP policy is supposed to check security notes published during the last month which have coding corrections. This also includes security notes related to the SAP kernel. Thus, some of the components you had listed are covered.

But we will not publish in GitHub Security Patch Day policies related to software components other than ABAP and HANA.

Best regards Manfred

atoskostecki commented 2 years ago

Hi @ManfredAch,

Thanks for your quick response. I understand. I hope then FRUN will get a nice interface between the Policy Catalog and the Security Notes area someday. As far as I remember, good old Solution Manager had a check of the system against security notes, and that was not limited to ABAP components only (HANA was not a thing back then). It seems FRUN is missing this.

Take care! Konrad

Lennart303 commented 2 years ago

Hi Manfred,

What is the rationale behind only providing policies for ABAP and HANA?

We also have the wish to extend the scope to JAVA, WebDispatchers, content servers etc. Focused Run is already aware of these component versions, so checking them just like the ABAP/HANA SNOTEs with a policy should be possible. We now have to manually check each SNOTE against the landscape, which is a lot of work for big customers.

Security is an important topic and the Security SNOTE check with policies in Focused Run is a good idea, but in practice the scope is too narrow, which feels like software that is not mature enough and still depends on a lot of manual intervention/labor. The lack of future plans and commitment to extend and improve on the policies/features is a bit shocking and alarming and can be taken as a sign that SAP does not take security seriously and does not facilitate good tooling to monitor which security SNOTE is applicable for each system, and leaves customers on their own with the follow-up after a Security Patch Day drop.

We also have the wish to provide the CVSS in a separate attribute so we can filter and sort on CVSS in Focused Run. We already made this work in a POC by changing the DESC attribute to only the CVSS score. Can you add this to the feature wish list?

Best Regards, Lennart

muellerhen commented 2 years ago

Hi Lennart, the rationale for providing just ABAP and HANA is that these are a bit more complex: ABAP because of the combination of Corrections/SP-levels/SNote Implementation Status/ABAP Kernel, and HANA because the syntax for capturing the version properly used to be a bit complicated.

Today, FRUN can typically cover around 80% of all Security Notes published on a Patch Day. Most of them are easy to implement, e.g. versions of AS JAVA, WebDispatcher, Cloud Connector, SAP HostAgent, ... even the JAVA Kernel.

Your comments reflect what is the strength and weakness of FRUN at the same time: The ability - and need - to create custom tailored security validations on a very diverse set of relevant configurations.

We'd love to have System Recommendations functionality integrated into FRUN or to provide automatically generated Patch Day policies to customers. We don't have this. However, we are able to support the adoption of our use case with services that deliver such policies, or to share our best practice in consuming the product functionality for security and compliance. As security is an ever-evolving topic, this typically leads to a continual collaboration with our services colleagues that also involves a scope beyond just Patch Day. Note: The recommended way to implement Security Notes of priority low and medium is the regular version update of the software component. The remainder is quite low in number.

We added your feature wish to our list. When the ask for priority and CVSS score was initially raised, it was suitable to have them added to our description. As needs may evolve over time, also at other customers, we will reconsider. Feel free to share more details of your approach and process via email to me personally.

Best regards, Hendrik hendrik mueller@sap.com

muellerhen commented 2 years ago

Sorry for the typo. Correct is: hendrik.mueller@sap.com

ManfredAch commented 2 years ago

.