Patching Vulnerabilities

Imagine you were notified that an aspect of your home security wasn’t operating as it should – could be a lock, a window, an alarm system, maybe even a secret passage. If you were given the ability to correct this issue would you fix it?

Would you leave it unaddressed if burglaries were increasing in your neighbourhood?

Security for your SAP landscape is no different from that home security – when vulnerabilities are known and identified, they should be corrected.

SAP releases security-related software corrections (or Security Notes) on the second Tuesday of each month, known as SAP Security Patch Day, to help resolve vulnerabilities identified in SAP applications. Each Security Note is assigned a priority and includes a CVSS score. Last Patch Day’s release, for example, included 17 Security Notes, 5 of which were marked as High Priority or Hot News, and had CVSS scores of 7.5 or greater.


It’s also worth noting that if you spot a potential security vulnerability in SAP Software, it can be reported here.


Why does such a mundane, manual task matter?

It may not be very glamorous or exciting, but Patch Management is a basic cornerstone of SAP Security. It’s up to every SAP client to review the list of Security Notes released, check whether each one applies to their system, and take the necessary next steps.

Why does it matter? It comes down to three words: cyber criminals exploit vulnerabilities.

That’s how they gain access, which can lead to data breaches, fraud, compliance issues, and data or systems being taken offline. Headline-grabbing cyber attacks are the result of a threat actor spotting an opportunity and making the most of it. Many of those opportunities can come from human activity, which by nature is harder to control, but you have control over your system’s patch management – why wouldn’t you make it a priority and do everything in your power to ensure that you can report with confidence that your system is up to date?

Just this week…

  • Some 500 Coop supermarket stores in Sweden were forced to close due to an ongoing “colossal” cyber attack affecting organisations around the world. Cyber researchers report about 200 businesses have been hit by this ransomware attack.

Last month

  • Scotland’s environmental watchdog has said it could take years to fully recover from a cyber attack. The Scottish Environment Protection Agency (SEPA) had more than 4,000 digital files stolen by hackers.

How can Winterhawk help?

We’ve worked in SAP landscapes with as many as 300 missing patches, relating to Information Disclosure, Remote Command Execution, Denial of Service, Architectural Vulnerabilities and more.

When staff are assigned to the more manual, time-consuming, yet vitally important tasks required for patch management, they are not available to contribute to the strategic goals of your business. Winterhawk’s SAP Security Experts can support your organisation in a variety of ways, depending on your specific needs and requirements, to deliver savings in terms of cost, time and effort while strengthening security:

  • Assess your SAP System for missing Security Notes, along with a library of over 2000 vulnerability checks
  • Help you understand SAP Cyber Security threats in your SAP landscape, with recommendations and action plans including prioritisation in terms of risk and mitigation effort
  • Automate your SAP Security – gain the functionality for missing notes to be applied automatically
  • Provide SAP Security/Audit Assessments, giving your organisation a baseline position regarding SAP Security weaknesses and gaps

We also offer Support and Managed Service for SAP Security to allow you to focus on your business while our experts manage your day-to-day support needs as well as delivering continuous process improvement. Get in touch to learn how our experts can work with you to protect your SAP landscape.