The Onapsis Blog

The world of business-critical application security and compliance is dynamic, with new developments happening on a continuous basis. Read our blog posts for recommendations, insights and observations on the latest news for safeguarding your SAP® and Oracle® applications.

How to Setup a Policy to Automate an Audit of SAP Security Notes

How to Setup a Policy to Automate an Audit of SAP Security Notes

In my last post, Automating Everyday Tasks with The Onapsis Platform Saves Costs and Frees Up Resources, I described how you can realize real-time savings using The Onapsis Platform to audit your SAP systems during the installation, audit and maintenance phases. One of the most common tasks an SAP Basis administrator must do is confirm their SAP systems are not missing SAP Security Notes to ensure their systems are not exposed to known vulnerabilities.

SAP releases new notes on the second Tuesday of every month, so your Basis team must be always monitoring the SAP Security Notes portal to download the new notes and compare them to their systems. This can be a very time-consuming process, especially when you have multiple systems to check. Most Fortune 1000 companies have well over 50 SAP systems, so performing a notes audit manually can take days to weeks. Using The Onapsis Platform, you can create a policy to audit your SAP systems for missing notes in a matter of minutes. The Onapsis Platform updates the OP Notes Database from SAP, compares the notes to what notes are installed on your system and creates a report so you begin remediation immediately, freeing up your Basis team. In other words, it saves your team–and your company–many hours of the manual labor required to perform this task without The Onapsis Platform.

Below, I will show you how to create a policy to audit for missing SAP Security Notes using the “Comply” capabilities of The Onapsis Platform to demonstrate how easy it is to get up and running with this functionality.

  • Under “Comply” goto “Policies”, click “Add Policy” and “Create New”
OSS 1
  • Provide a “Name” and “Description” for your new policy. We are naming this policy “Missing OSS Notes Audit”
OSS 2
  • Add a “Control Point” (Control points are like “buckets” of common modules)
OSS 3
  • Click on your new “Control Point” and then click “Add/Remove Modules”
OSS 4
  • We are going to check for Missing ABAP, JAVA and BOBJ Security notes in this scan so filter on “check missing” and select the appropriate modules.
OSS 5
  • See your modules added on the right and click “Add/Remove Modules”
OSS 6
  • You have now created a new policy to check for missing ABAP, BOBJ and JAVA security notes! Click “Save and Exit”
OSS 7

Let’s now create an audit using the new policy we created. Go to “Comply”, “Audits” and click “Add Compliance Audit".

OSS 8
  • Select Asset Type “SAP”
  • Provide a name of the audit “Missing OSS Notes”
  • Select your new policy “Missing OSS Notes Audit”
  • Type in your appropriate ABAP, JAVA, and BOBJ target systems. Under “Target by” select “Assets”
  • Choose “Run Now” under execution. We recommend you run monthly to keep up to date with the latest notes
  • Click “Save”
OSS 9
  • Audit will run automatically and take a couple of minutes. When complete click on the audit and choose “View Report”
OSS 11
  • Select “Vulnerability by Issue” to see the different reports for each system (BOBJ, ABAP, and JAVA)
  • In the view below notice the ABAP system has 144 missing Security Notes, listed by note number, description, CVE, CVSS score, and SAP Priority. HotNews notes are the highest priority.
  • Choose “Export All” to see the entire list.
  • See below a sample of the exported missing notes found for the ABAP system.
OSS 12


From the screenshots above, you can see how easy it is to create a custom policy and audit for missing OSS notes. The total time it took to create the missing notes policy and run the audit was around 5 minutes. You could run this audit on your entire SAP landscape saving hours on a month to month basis. Hours that you can use for other projects and not manual tasks.

The ease of use and flexibility of The Onapsis Platform allows any user to be up and running in short time to create policies for a variety of maintenance tasks like in this example (scanning for missing security notes) to client locked status to checking SAP Gui login parameters and more. See my previous post for an expanded list of tasks Basis administrators perform, you’ll see The Onapsis Platform can be used for a variety of everyday operational tasks to save your organization time and money. Learn more about The Onapsis Platform here.
 

View All SAP Security Notes

Request a
Business Risk Illustration

OPERATIONAL RESILIENCY ASSESSMENT

Prevent application downtime and costly business disruption

Request an assesment
AUDIT EFFICIENCY ASSESSMENT

Eliminate resource consuming manual audit processes

Request an assesment
CYBER RISK 
ASSESSMENT

Reduce vulnerabilities and misconfiguration to protect the business

Request an assesment