SAP Security Optimization Service Portfolio ensures smooth operation of your SAP solution by taking action proactively, before severe security problems occur.
Keeping the security and availability of your SAP solution high is of tremendous value to your business. Analysis will:
This SAP Security Optimization Services Portfolio covers the following topics:
This area is best if you are interested in general SAP Security Optimization Services and want an overview.
This area gives you an entry point into different topic areas such as “Security Patch Management” or “Security Configuration Analysis”.
This area provides you with an overview and links to further information on service offerings, including information and best practices, tools and self-services, remote and on-site service offerings, and more systematic engagement models.
To get an overview on the status of the security of your SAP solution, the recommended first steps are:
More information on our tools, services and recommendations can be found in our SAP CoE Security Services Master Slide Decks:
The tracks of the Secure Operations Map cover the following topics:
The “Environment” layer looks at the non-SAP technical environment of SAP cloud offerings, solutions and systems.
The “System” layer addresses the SAP platform layer which provides the foundation for all applications operated upon it. The integrity and robustness of this platform is key to ensure that application layer controls (e.g. the authorization systems) cannot be circumvented by lower level vulnerabilities (e.g. SQL injections made possible via insecure code).
The “Application” layer is about controls that are available in SAP standard applications and non-standard applications built by customers. Here, protective measures are discussed on users and privileges level as well as proper application design.
The “Process” layer extends the pure security view with compliance aspects. While security focuses on operating robust SAP applications that prevent intentional and unintentional malfunctions and compromise of confidentiality, regulatory compliance deals with the correct behavior of applications with regard to policies and legal demands coming from the various jurisdictions in which SAP systems are operated.
Similar to the “Environment” layer, the “Organization” layer is also important because it sets the environment for SAP systems and SAP cloud solutions. It sets the stage and provides the needs and requirements that are taken as input to be considered.
An SAP Security Engagement is a joint approach of SAP Active Global Support with a customer over a period of several months to improve and increase the security of the customer's SAP landscape, with a focus on the security topic areas that are most relevant in the customer's specific situation. It is an offering especially available to MaxAttention, Safeguarding and ActiveEmbedded customers.
Such an SAP Security Engagement typically starts with a Security Workshop to discuss the topic areas to be tackled during the engagement. During the subsequent engagement period, SAP accompanies the customer to ensure that the Security Workshop not only delivered good results but that a provable positive impact on the security of the customer's SAP landscape is also achieved during the engagement period. Finally, a Security Verification Workshop wraps up the results of the engagement phase, verifies the achieved security impact and summarizes recommended next steps for the time after the SAP Security Engagement.
For Enterprise Support customers, a lot of information and services, including several Expert Guided Implementation Sessions (EGI), are available in our Enterprise Support Academy and our SAP Enterprise Support Value Map for Security.
Although SAP is investing a lot to deliver its products with secure code (see the white paper Secure Software Development at SAP), there still remains the need to deliver security corrections for already released products, due to newly identified flaws or newly known attack patterns. The security maintenance of installed SAP software is therefore key to continuous protection against new types of attacks and newly identified potential weaknesses.
Based on feedback from customers, partners and SAP user groups, SAP has launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month, which is deliberately synchronized with the Security Patch Day of other major software vendors. On these patch days, SAP publishes software corrections as Security Notes that are solely focused on security, to protect against potential weaknesses or attacks. Use Security Notes in the Launchpad -> All Security Notes to get the complete list of all Security Notes. The recommendation is to implement these corrections as soon as possible. Several tools are available to help identify, select and implement those corrections.
You can find a document describing the recommended procedure for each patch day in the current presentation SAP CoE Security Services - Security Patch Process and in the older documents Arbeitspapier SAP Security Patch Day (German) or Working Paper SAP Security Patch Day (English) within the Media Library.
There you also find the latest version of the presentation from the Security Notes Webinar and the package with the SAP Security Notes Advisory. Both documents are updated monthly.
Overall the generally recommended procedure for each patch day is:
These services and tools ensure the maintenance of security configuration settings and changes by periodically reviewing security relevant configuration settings of all systems and installed software components.
You can find a document describing the features and recommended procedures in the presentation SAP CoE Security Services - Check Configuration & Authorization.
The well-known EarlyWatch Alert report displays the most critical recommendations from SAP on security. This enables SAP customers to identify problems and take the required measures quickly and easily. See SAP Note 863362 for further details on the security checks in the EWA.
The Security Optimization Service is designed to check the security of your SAP system. This service comprises a system analysis and the resulting recommendations for system settings. It addresses system and customizing settings that impact your system security and focuses on both internal and external system security. To improve internal security, many critical Basis authorizations are checked. Moreover, you can verify the findings in your system at any time as described in the document SAP Security Optimization Service – Verifying the Findings. External security is improved by checking the accessibility of your system and the authentication methods used.
The Configuration Validation enables you to determine whether the systems in your landscape are configured consistently and in accordance with your requirements. You can check the current configuration of a system in your landscape using a defined target state (target system) or compare it with an existing system.
The SOS covers topics presented in whitepapers like Secure Configuration SAP NetWeaver Application Server ABAP.
Scope of the Security Optimization Self Service for the SAP NetWeaver Application Server ABAP:
Find the complete list of checks in the following documents in the Media Library:
You can use these documents to compare the checks of the SOS with the checklist which you already use to validate security configuration.
For HANA you find a description of the available services and an overview of the checks in the presentation HANA Security Remote Service Content.
In addition you can view examples showing a formatted report:
In the Media Library you find the document How to run the SOS on SAP Solution Manager 7.2.
To prepare the session, a questionnaire should be filled out. As part of the questionnaire you can add additional custom checks on critical authorizations. You will find an example of the questionnaire in the document Security Optimization Self-Service - Questionnaire in the Media Library.
The SAP Security Optimization Service is available as a Guided Self Service for ABAP based systems and as a remote service for ABAP and Java systems. In case of an "ABAP on HANA" installation you get the HANA checks automatically as a part of the SOS for ABAP. Currently we do not offer a separate SOS for HANA for a pure HANA database.
SAP Note 1484124 describes the prerequisites to run the Guided Self Service for ABAP based systems.
It can be used at any time, but it is most recommended at the end of the go-live phase. The service is also very useful when preparing for internal and external audits. It can be rerun to make sure that the applied changes to the system configuration were successful and that no new vulnerabilities have appeared.
You find the documentation including examples and best-practice on SCN:
You find the complete recording of the corresponding TechEd session from 2013 in the Media Library:
SAP enables its customers to protect their business processes through a comprehensive security portfolio turned into services. We take the security chapter of the EarlyWatch Alert as a starting point to offer detailed services, mainly around the Security Optimization Service and the Security Notes which are published on the SAP Support Portal and shown in the application System Recommendations of the SAP Solution Manager.
Combining the results of these services with the existing Security Policy of the company, we define the company's SAP Security Baseline. This document is then used to define Target Systems for the application Configuration Validation in the SAP Solution Manager. You can either use the cross-system BW reports of that application directly or pass the results to another reporting infrastructure, such as a Management Dashboard within the SAP Solution Manager, Business Objects, GRC Process Control or any other reporting system.
Among others, the following sources are used within the security services:
SAP Note 863362 - EarlyWatch Alert (EWA) report - Security chapter
SIS264 Securing Remote Access within SAP NetWeaver AS ABAP
Protecting SAP Applications Against Common Attacks
Secure Configuration SAP NetWeaver Application Server ABAP
SAP Security Recommendations: Securing Remote Function Calls (RFC)
Governance, Risk, and Compliance — Access Control