Mitigation menu

Protect4S offers a mitigation menu that contains shortcuts to programs that assist in the mitigation of vulnerabilities:

Mitigation Plan

With this option one quickly generates a mitigation plan for a specific SAP system. After selection of this option a list of SAP system scans is shown:

From the list a specific scan can be selected, for which a mitigation plan will be generated as described here.

Mitigation of SAP Notes

This option starts the automated application of SAP Security Notes in an SAP (Development) system. Please note that:

  • Protect4S can apply simple SAP Security Notes, the ones that have little pre-requisites and where no additional manual post-processing is necessary. This category of SAP Security Notes may constitute up to 70% of all applicable SAP Security notes.

  • This option is available for ABAP type systems only.

  • Protect4S has used standard SAP tools to build this functionality. The actual updates are consistent, because the SNOTE transaction is run in the background.

There are 3 preconditions for using such a mitigation system:

  • The System ID for mitigation must first be created using the System menu.

  • The RFC user in this satellite mitigation system needs a special security role: ESEC_SA_SATELLITE_MITIGATE. This role may be assigned automatically (using the wizard) or manually. This role should only be used when automated mitigation is used.

  • The RFC user in this mitigation system will be created as type SERVICE. When this conflicts with a security policy, the user may be changed to type DIALOG after creation. But keep in mind that this might introduce extra maintenance, as the passwords of DIALOG users may be subject to regular password changes.

Furthermore:

With reference to the applicable License Terms, this application is provided as-is. ERP-SEC cannot be held responsible for any complications that might arise from the use of this functionality. Customers must accept a disclaimer every time the automated SAP Security notes feature is used.

The starting point is the list of SAP system scans. After selecting a specific SAP system scan, a wizard is presented that will guide the user through the steps necessary to start the automated application of SAP Security notes.

The SAP system in which the scan has taken place does not necessarily need to be the system in which the SAP Security Notes are downloaded and implemented. If a scan of a Production system exists, then the missing SAP Security Notes may also be implemented in the SAP Development system that corresponds with it:

After scanning a Production System (P30), the missing SAP Security Notes can be applied in the corresponding Development system (D30). In this case, the SAP Security Notes will be applied in the D30 development system using the SAP transport and this transport can be used to apply these Notes in the A30 (Acceptance) and P30 (Production) systems.

The default choice of the System ID for mitigation depends on a setting in the System menu:

After verification of the system in which the SAP Security notes will be downloaded and applied, in step 2 of the wizard the specific SAP Security notes to be applied, may be selected:

In step 3 of the wizard, the Mitigation options may be selected:

It is possible to download the SAP Security Notes and/or implement them (implementation requires that the Notes have been downloaded first). The client in which they are applied can be chosen, provided that:

  • a Protect4S RFC connection exists

  • the transaction SNOTE has been configured and the standard RFC connection to SAP OSS works correctly.

It is also possible to select a transport request (of type Workbench) that has already been created in advance via, for example, ChaRM functionality. All SAP Security Notes will be applied as part of this transport. If the Request/Task field is left empty, a new Workbench transport will be created to hold all implemented SAP Security Notes.

Step 4 of the wizard is a display of the disclaimer:

After pressing the button Confirm and Implement, an SAP GUI connection is started to the system that is selected for mitigation:

After pressing the button Open, the download and implementation of SAP Security notes in the system selected for mitigation will begin. Do not close this connection before all SAP Security notes have been applied.

Result of the mitigation of SAP Notes

The result of the SAP Security notes application can be displayed in the 3rd menu item labelled “result of the mitigation of SAP Notes”. The starting screen contains a list of Scans for which SAP Security Notes mitigation has been executed:

After selection, the result of this mitigation run is shown:

The main overview graph shows the Run ID of the original system scan and the choices that were made for this specific scan. The Statistics tab shows how many Security notes were successfully implemented:

It is also possible to see which Security Notes could not be implemented, using the SAP Notes overview button:

It is also possible to see the implementation status of each Security Note using the SAP Notes overview button:

The Security Notes with a red status light could not be implemented, either because they have too many pre-requisites or because they require manual pre- and/or post-processing steps. These Notes must be implemented manually.
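The following is an added, constructed model of the two decisions described on this page (not Protect4S code): which missing Notes qualify for automated application (few pre-requisites, no manual pre-/post-processing, as in the red-status rule above) and, for a scan of a Production system such as P30, which Development system becomes the mitigation target and which systems the resulting transport still has to reach. The landscape table, the Note attributes and the pre-requisite threshold are assumptions for the example.

```python
"""Constructed model of the Protect4S note-mitigation flow (example code, not the product's own)."""
from dataclasses import dataclass

# Assumed landscape: each system line in transport order Development -> Acceptance -> Production.
LANDSCAPE = {"30": ["D30", "A30", "P30"]}

# Assumed threshold: a Note with more pre-requisites than this is not a "simple" Note.
MAX_PREREQUISITES = 2


@dataclass(frozen=True)
class SecurityNote:
    number: str          # constructed identifiers, not real SAP Note numbers
    prerequisites: int   # number of pre-requisite Notes
    manual_pre: bool     # manual pre-processing required
    manual_post: bool    # manual post-processing required


def is_simple(note: SecurityNote) -> bool:
    """A Note can be applied automatically only if it is simple (green status)."""
    return note.prerequisites <= MAX_PREREQUISITES and not (note.manual_pre or note.manual_post)


def system_line(sid: str) -> list:
    line = LANDSCAPE.get(sid[1:])
    if line is None or sid not in line:
        raise ValueError(f"unknown system {sid}")
    return line


def mitigation_target(scanned_sid: str) -> str:
    """Notes are downloaded and applied in the Development system of the same line."""
    return system_line(scanned_sid)[0]


def transport_path(scanned_sid: str) -> list:
    """Systems the Workbench transport must still be imported into to reach the scanned system."""
    line = system_line(scanned_sid)
    return line[1:line.index(scanned_sid) + 1]


def plan(scanned_sid: str, notes: list) -> dict:
    """Split the scan's missing Notes into automated and manual work and name the target system."""
    return {
        "mitigation_system": mitigation_target(scanned_sid),
        "transport_to": transport_path(scanned_sid),
        "automated": [n.number for n in notes if is_simple(n)],
        "manual": [n.number for n in notes if not is_simple(n)],
    }
```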