This website is not affiliated with, sponsored by, or approved by SAP AG.

SAP Security Patching


Postby Blossom » Mon Jan 30, 2012 5:16 am

Hi,

Has anybody had experience of implementing processes around Security Related Patch notes? (Patches that fix security vulnerabilities) There is a requirement to implement these after the 'Patch Tuesday' and we are trying to develop an internal process to implement these.

We have found that it is difficult to identify anybody with the relevant skillset to analyse each SAP Note in relevance to the fix impact, functional impact, and devise if and what testing will be required for each note. Therefore, we are struggling to devise a simple definitive process.

If anybody has implemented a process to manage patch notes, please can they share their approach, suggested responsibilities and experiences?

Many thanks
Blossom
 
Posts: 4
Joined: Tue Mar 23, 2004 6:18 am

Re: SAP Security Patching

Postby fgranadoss » Tue Jan 31, 2012 3:16 am

Hi Blossom,

We are facing the same problem in my environment. I don't find it too hard to implement the most relevant security notes, but the problem is how to test that all the processes in our SAPs will still work. I've been thinking about it since last year but still have no idea how to face it.

Regards,

Félix
fgranadoss
 
Posts: 1
Joined: Tue Jan 31, 2012 3:06 am

Re: SAP Security Patching

Postby Al. » Tue Jan 31, 2012 10:52 am

Hi,

What works for my clients is:

ID priority & frequency of application e.g.
- Prio 1 HotNews should be within 1 month of publication
- Prio 2 Correction w/high prio = quarterly
- Prio 3/4 wait for service pack unless there is anything that is an obvious problem

The list of P1 & P2 won't be huge on a monthly basis (at least not often). ID the components that relate to what you have implemented and you will be left with a much smaller list. In 99% of cases between a security & basis resource you can ID the impact & make an appropriate decision.

If you have a defined release cycle (e.g. quarterly) then you can time your deployment of the (P2) notes to fit in with the regression testing cycles that support the quarterly releases.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London
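
The triage scheme from Al.'s reply above, as an added Python example that is not part of the original thread. The note ids, component list, release dates, prefix matching on component names and the reading of "1 month" as 30 days are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Assumption: components in use, matched as prefixes of hierarchical
# application component names (BC-SEC also covers BC-SEC-USR).
IMPLEMENTED = ("BC-SEC", "BC-MID-RFC", "FI")

# Assumption: quarterly release dates that come with regression testing.
RELEASES = [date(2012, 3, 31), date(2012, 6, 30),
            date(2012, 9, 30), date(2012, 12, 31)]

# Constructed sample notes: (placeholder id, priority, component, published).
NOTES = [
    ("NOTE-D", 3, "FI-GL", date(2012, 1, 10)),
    ("NOTE-B", 2, "BC-MID-RFC", date(2012, 1, 10)),
    ("NOTE-C", 1, "CRM-BF", date(2012, 1, 10)),  # component not implemented
    ("NOTE-A", 1, "BC-SEC-USR", date(2012, 1, 10)),
]


def relevant(component, implemented=IMPLEMENTED):
    """True if the component is an implemented one or a child of it."""
    return any(component == c or component.startswith(c + "-")
               for c in implemented)


def triage(note, releases=RELEASES):
    """Return (action, due date or None) for one note."""
    _, prio, component, published = note
    if not relevant(component):
        return ("not applicable", None)
    if prio == 1:
        # HotNews: within 1 month of publication (30 days assumed here).
        return ("apply out of cycle", published + timedelta(days=30))
    if prio == 2:
        # High priority: ride the next quarterly release and its regression tests.
        upcoming = [r for r in releases if r > published]
        return ("apply with quarterly release", min(upcoming) if upcoming else None)
    # Prio 3/4: default is to wait; a person still checks for obvious problems.
    return ("wait for service pack", None)


def worklist(notes=NOTES):
    """Relevant notes only, earliest due date first, undated items last."""
    rows = [(n[0],) + triage(n) for n in notes if relevant(n[2])]
    rows.sort(key=lambda r: (r[2] is None, r[2] or date.max))
    return rows
```
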

