Access to security notes without SAP Contract

Aug 24, 2017 at 04:32 PM

Former Member

Hi community,

I work in a French Computer Emergency Response Team. We have some customers with SAP products, and as part of our job we send them information related to vulnerabilities affecting their SAP products. For that, we need to access SAP Security Notes.

Do you know if there is a specific program or a specific request to SAP in order to access these Security Notes?

Many thanks

Regards,


1 Answer

Former Member
Sep 08, 2017 at 10:29 PM
1

This is a hornets' nest...

I have also reported SAP security notes and was then bugged by service providers for information about the details.

SAP now only provides recognition for notes if the researcher agrees and does not provide the note number.

Customers have access to the notes and SAP tools to find them.

Evaluating them is a process... but if you do not have access to SAP Notes then you have no insight into it. Not only because you do not have access, but also because you have never had access before so you will have no idea about the issue and can only regurgitate the information further without adding any value. Worst case you create panic and pressure from the non-SAP security gallery and important business systems are impacted by untested changes.

These things are best left up to the SAP security team as long as they are also technically fit to manage it. You certainly cannot leave it up to a GRC consultant in the same way that you cannot leave it up to a general security service provider... for that SAP is too proprietary and the corrections are too close to the applications.

Additionally, as I have considered this before, providing a service to customers about SAP Security Notes is a very small market. They consider bug fixing to be included in the SAP maintenance fee of the licenses, and the information service for it to be included as well. They are not willing to pay for it.

Some cyber security units might be willing to pay for it for a while until they realize that it is for free and what they get is regurgitated and not really expert information.

So I suspect that next you will be asking for the expert information for each note...?

And after that you will ask why the customer does not want to upgrade and apply all support packages every month...?

Just some info about how the SAP world works... ;-)

Cheers,

Julius
