What is a SAP Security Patch Day? When should you do it?
Who are the main researchers reporting security problems to SAP?
SAP Security Patch Day, what is it?
It is a day, every month, where the main safety notes detected in SAP products are published, along with their mitigation.
The second Tuesday of each month SAP publishes on this website a list of critical notes.
SAP Security Patch Day, why is it important?
I find it critical that a supplier, in this case of software, pays attention to these issues. There are numerous, in the case of SAP, attentions being paid to the subject.
Starting from software development see this document, to certifications available on SAP's Trust Center, which you can visit with this link.
Right down to the reports that any independent researcher or company can make, via the "Disclosure Guidelines for SAP Security Advisories" page in this website. See also the Official SAP Product Security Response Space.
In fact, the website shows each month the main vulnerabilities detected and their type.
Read why it becomes critical to apply security security patches and how to do so.
Or even when it is critical to upgrade the system and why the security part is often underestimated.
SAP Security Day, what to do operationally?
Certainly, it is useful to see each month what has been published, but it is not always easy to evaluate note by note and system by system what to do.
For this reason, even though the process of patching systems at the moment is not always so straightforward, there is a specific tool that all SAP customers have (present in the SAP Solution Manager) available i.e., the System Recommendations we have discussed in the following articles:
Who are the researchers that help SAP?
I have tried to analyze the various reports that have come to SAP and are available in the links above.
Taking as the reference period from the beginning of 2014, that is, from when SAP started to record these reports and make them public until mid-2021.
Trying to answer the question, what are the main companies that help SAP? Are there more "free shooters" or organizations present? In the latter case for how long over the years?
These considerations may be useful if you want to consider adopting tools on the market that perform threat detection activities present in outdated or not properly configured SAP software.
Let's start from the first question: "Which companies and how much" vs "independent reports"?
In the below pie chart, you can see that:
- 56% of report come from independent companies or professionals
- Between them also some of ERP-SEC-Protect4S
- 24% from the Onapsis company
- 11% from the ERP Scan company
- 5% from the Virtual Forge company
- 4% from the ESNC company
It should also be noted that in mid-2019 Onapsis acquired Virtual Forge.
Adding up the numerics, of the two companies, we thus arrive at one third of the reports out of the total, which is no small feat. Specific resources and dedicated teams are needed to carry out these research activities so systematically and consistently.
But let's try to answer a further question. Regardless of the reports made, who has been the most consistent over time?
Looking at the graph, of the major reporting companies, above it is possible to see that over time:
- Onapsis has been the longest-lived one
- In recent years it has actually been in a monopoly situation on this issue
Read our recalls triggered by Onapsis research here:
Here you can take a look at our interview on the topic of the secure development done by Onapsis and Kiuwan.
Here you can take a look at Protect4S interview:
Finally, here are the number of reports received per year
Please note, it should be remembered that these are not the overall safety reports, but only those for which there have been public thanks from SAP, on the appropriate page below.