This blog will explain more on the SAP security patch day.
Questions that will be answered are:
- What is security patch day?
- Where can I find the recently released security OSS notes?
- Where can I find more background information on security patch day?
- Where to find more information on the CVSS scoring mechanism?
- What is a practical approach to security patch day and security OSS notes?
Security patch day
Security patch day is every second Tuesday of each month (for more on security patch day itself, you can read the FAQ). The actual OSS notes as summary can be found at the Security response at SAP wiki page.
The wiki pages also include a suggested process for dealing with the security patch day OSS notes.
SAP uses the CVSS scoring mechanism to determine the risk a security leak. The scoring mechanism is explained in this blog.
SAP solution manager system recommendations
If you setup SAP solution manager system recommendations, than you will get an always current overview of security notes. With the system recommendations you can mark notes as reviewed, so they don’t appear any more. Applied ABAP notes will be automatically be removed by the tool. Newly released security notes and updated are added to the overview. For setup information on SAP solution manager system recommendations, read this blog.
Practical approach to security notes
A pragmatic approach for security notes is the following:
- Every 6 to 12 months update your SAP kernel
- Apply every 3 month the ABAP OSS notes which can be done automatically (don’t look at the score, just apply them). Leave them on your test and/or acceptance system. This will normally make sure you have no negative side effects. Then move them to production.
- Apply every 3 month the ABAP OSS notes with manual actions for the processes you use and for CVSS score you deem high enough to justify the effort of the manual actions
Feel free to increase the frequency of the above proposal.