Mitigation menu

Protect4S VM offers a mitigation menu that contains shortcuts to programs that assist in the mitigation of vulnerabilities:

Mitigation Plan

With this option one quickly generates a mitigation plan for a specific SAP system. After selection of this option a list of SAP system scans is shown:

From the list a specific scan can be selected, for which a mitigation plan will be generated as described here.

Mitigation of SAP Notes

This option starts the automated application of SAP Security Notes in an SAP (Development) system. Please note that:

  • Protect4S VM can apply simple SAP Security Notes, the ones that have little pre-requisites and where no additional manual post-processing is necessary. This category of SAP Security Notes may constitute up to 70% of all applicable SAP Security notes.

  • This option is available for ABAP type systems only.

  • Protect4S VM builds this functionality on standard SAP tools; the actual updates are consistent because they are applied by transaction SNOTE running in the background.

There are some preconditions for using such a mitigation system:

  • The System ID for mitigation must first be created using the System menu. It is this system in which the missing SAP Security Notes are downloaded and applied in a single transport. Usually it is either a Sandbox or Development system.

  • The RFC user in this satellite mitigation system needs a special security role: ESEC_SA_SATELLITE_MITIGATE. The role can be assigned automatically (by the wizard) or manually, and should only be assigned when automated mitigation is actually used. When implementing SAP Security Notes on an S/4HANA system, the role ESEC_SA_SATELLITE_MITIGATE_S4 must be assigned in addition.

  • The RFC user in this mitigation system must be created as type SERVICE. If this conflicts with a security policy, the user may be changed to type DIALOG after creation, but keep in mind that this can introduce extra maintenance, as passwords of DIALOG users are typically subject to regular password-change policies.

  • Transaction SNOTE, which is used to implement the notes, must be working in the system chosen for mitigation; for example, the RFC connection SAP-SUPPORT_NOTE_DOWNLOAD in that system must be functional.

  • The transport mechanism must also be set up correctly, as for normal operations; for example, the Target System field of transport requests must not be empty:

Furthermore:

With reference to the applicable License Terms, this application is provided as-is. Protect4S VM cannot be held responsible for any complications that might arise from the use of this functionality. Customers must accept a disclaimer every time the automated SAP Security notes feature is used.

Process Flow

Select the "Mitigation of SAP notes" functionality. The starting point is the list of SAP system scans. After selecting a scan (best practice is to use one from a development system), a wizard guides the user through the steps needed to start the automated application of SAP Security Notes.

The SAP system in which the scan took place does not necessarily need to be the system in which the SAP Security Notes are downloaded and implemented. If a scan of a Production system exists, the missing SAP Security Notes may also be implemented in the corresponding SAP Development system. Typically, however, you will use a scan of a development system, since Development and Production systems are not always fully aligned.

An example:

After scanning a Development System (D30), the missing SAP Security Notes can be applied in the same system. In this case, the SAP Security Notes will be applied in the D30 development system and then moved further along the landscape via the regular transport mechanism to A30 (Acceptance) and P30 (Production) systems.

After verifying the system in which the SAP Security Notes will be downloaded and applied, the specific SAP Security Notes to be applied can be selected in step 2 of the wizard:

In step 3 of the wizard, the Mitigation options may be selected:

It is possible to download and/or implement the SAP Security Notes (implementation requires that the notes have been downloaded first). The client in which they are applied can be chosen, provided that:

  • a Protect4S VM RFC connection exists

  • the transaction SNOTE has been configured and the standard RFC connection to SAP OSS works correctly.

It is also possible to select a transport request (of type Workbench) that has been created in advance, for example via ChaRM. All SAP Security Notes will then be applied as part of this transport. If the Request/Task field is left empty, a new Workbench transport request is created to hold all implemented SAP Security Notes.

Step 4 of the wizard is a display of the disclaimer:

After pressing the button Confirm and Implement, an SAP GUI connection is started to the system selected for mitigation:

After pressing the button Open, the download and implementation of SAP Security notes in the system selected for mitigation will begin. Do not close this connection before all SAP Security notes have been applied.

Mitigation results of SAP Notes

The result of the SAP Security Notes application can be displayed via the third menu item, labelled “Mitigation results of SAP Notes”. The starting screen contains a list of scans for which SAP Security Notes mitigation has been executed:

After selection, the result of this mitigation run is shown:

The main overview graph shows the Run ID of the original system scan and the choices that were made for that run. The Statistics tab shows how many Security Notes were successfully implemented:

The SAP Notes overview button shows the implementation status of each Security Note, including which notes could not be implemented:

The Security Notes with a red status light could not be implemented because they have too many prerequisites or require manual pre- and/or post-processing steps. These must be implemented manually.

Once all notes have been applied in the DEV system and transported through to the PRD system, it is advised to scan all systems in the landscape again and compare the results with the Scan Comparison report, to verify that the systems are consistent and that every note has been applied in every system.
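The landscape check described above, as an added example that is not part of Protect4S VM or its Scan Comparison report: given the set of SAP Security Notes still reported missing per system after the re-scan, it classifies each note as needing manual implementation (still missing in the DEV system where the automated run took place), stuck in transport (applied upstream but missing downstream), or inconsistent (present downstream but missing upstream, i.e. applied outside the transport path). The input format, the note numbers and the D30/A30/P30 landscape are constructed assumptions for the example.

```python
"""Post-mitigation landscape consistency check (added example, not Protect4S VM code).

Assumed input: a dict mapping system ID -> set of SAP Security Note numbers
that the re-scan still reports as missing. The transport path D30 -> A30 -> P30
follows the example landscape in the text; the note numbers are constructed.
"""

# Transport route along which implemented notes are expected to move.
TRANSPORT_PATH = ["D30", "A30", "P30"]

# Constructed sample of missing notes per system after the landscape re-scan.
SAMPLE_SCANS = {
    "D30": {"3123456", "3456789"},              # 3456789 missing only here
    "A30": {"3123456", "3234567"},              # 3234567 not yet transported to A30
    "P30": {"3123456", "3234567", "3345678"},   # 3345678 not yet transported to P30
}


def compare_landscape(scans, path=TRANSPORT_PATH):
    """Return {note: (status, [systems where still missing])}.

    status is one of:
      "manual"        missing everywhere, including the mitigation (DEV) system:
                      the automated run could not apply it (red status light)
      "transport_gap" present in the upstream systems, missing in a contiguous
                      downstream tail of the path: transport not yet arrived
      "inconsistent"  present downstream but missing upstream, or missing in
                      the middle of the path: applied outside the transport route
    """
    missing_systems = [s for s in path if s not in scans]
    if missing_systems:
        raise ValueError(f"no scan result for {missing_systems}")

    all_missing = set().union(*(scans[s] for s in path))
    findings = {}
    for note in sorted(all_missing):
        missing_in = [s for s in path if note in scans[s]]
        first_idx = path.index(missing_in[0])
        expected_tail = path[first_idx:]   # what a pure transport delay looks like
        if missing_in == path:
            status = "manual"
        elif missing_in == expected_tail:
            status = "transport_gap"
        else:
            status = "inconsistent"
        findings[note] = (status, missing_in)
    return findings


def notes_with_status(findings, status):
    """Convenience filter: sorted note numbers with the given status."""
    return sorted(n for n, (s, _) in findings.items() if s == status)


if __name__ == "__main__":
    for note, (status, systems) in compare_landscape(SAMPLE_SCANS).items():
        print(f"{note}: {status:13s} still missing in {', '.join(systems)}")
```

Notes reported as "manual" are the ones the automated run left with a red status light and must be implemented by hand in DEV and transported like any other change; "transport_gap" entries need no new implementation, only the pending import; "inconsistent" entries are the interesting ones for a security review, since they indicate a note that reached a downstream system without passing through DEV.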
