1475602 - Support procedures for identifying and resolving security vulnerabilities in SAP Business Objects products

Symptom
A third-party tool such as WebInspect or AppScan has been pointed at a deployment of an SAP Business Objects product (XI R2, XI 3.1, BI 4.x, etc.) and the resulting report shows a number of security vulnerabilities (such as Cross Site Scripting). How are these issues addressed by SAP Support? What are the responsibilities of the customer? What are the responsibilities of SAP engineers?

Environment
Any SAP BusinessObjects XI / BI deployment.

Reproducing the Issue
Point a third-party tool such as WebInspect or AppScan at an XI deployment and run the scan. The resulting report will list categorized security vulnerabilities (Critical, High, Medium, Low, Informational) and details on each one. Product Support will only address vulnerabilities in the Critical category. Please provide evidence that your vulnerability is critical.

Cause
The individual items identified in the report may have resolutions that require configuration or changes made to products in use that are not SAP products (such as the application server in use), or they may point to specific BI 4.0 or XI 3.1 pages as being vulnerable to specific types of attacks.

Resolution
Third-party scan reports cannot be raised wholesale as a support case. These third-party tools scan in a non-discriminatory way, bringing up results for high, low and negligible security threats for a particular environment.
Each issue that a customer would like to have considered must be raised as a separate issue/support ticket, because a full scan report contains too many disparate, unqualified and negligible results.
For a support ticket to be usefully processed, the customer would first have to show that a specific result has critical security implications in their particular deployment and provide a reproducible workflow for the issue to be considered.
Given a successful reproduction, the issue can then be raised to development for possible inclusion in a later version of the product.
The following is how SAP Support addresses these issues. The first three items are customer responsibilities:
1. The customer scans the product with the latest Service Pack/Fix Pack that is available.
2. The customer manually tests each URL reported that they believe to be a significant vulnerability. Different security scan products may categorize the same issue at different levels. Generally speaking, SAP Support will only evaluate issues that your business considers critical - these will usually be categorized in the scan report as Critical.
3. For each unique URL that reveals a reproducible vulnerability, the customer opens a separate ticket identifying the URL and documenting how to reproduce the issue manually (proof of concept). Typically, this is just the URL and an example script injection. This is necessary to track each XSS/CSS/CRLF/CSRF vulnerability, as each unique URL is going to require a different fix. A scan tool may report the same URL multiple times, with the only difference being the variables within the page that were used when injecting a script. If the same URL shows up several times in the scan, only one ticket needs to be opened for this unique URL. Within the ticket, document the individual variables identified.

4. The engineer assigned has several responsibilities in their investigation:
  • Verify the vulnerability against the latest release (Fix pack level or internal build).
  • If the issue is something that can be resolved with an application server or other product configuration change, it is identified and proposed at this stage.
  • The engineer checks whether an open fix request has already identified the same issue, and notes the status of that fix request.
  • If the issue is reproducible and has not already been identified, document it and submit a fix request to the Product Group for a resolution (patch).
  • When the patch is released, test and verify it fixes the issue, then notify the customer of the patch release.
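As an added illustration of customer steps 2 and 3 above (this is not from the SAP note, and it does not read any scanner's real export format): a small triage helper that keeps only the severities the business treats as critical, reduces each finding to its unique URL, and collects the injected variables into one ticket per URL instead of one ticket per scanner hit. The `Finding` fields, the sample URLs and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Assumed record shape for one scanner hit (constructed; not WebInspect/AppScan's schema).
@dataclass
class Finding:
    url: str        # URL as the scanner reported it, possibly with a query string
    parameter: str  # the variable the scanner injected into ("" if not applicable)
    category: str   # e.g. "XSS", "CSRF", "CRLF"
    severity: str   # Critical / High / Medium / Low / Informational

@dataclass
class Ticket:
    url: str
    category: str
    parameters: list = field(default_factory=list)

def unique_url(url):
    """Drop query string and fragment so hits that differ only by injected
    variable collapse onto the same page (the 'unique URL' of step 3)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def tickets_for_scan(findings, severities=("Critical",)):
    """One ticket per (unique URL, category) for the selected severities; every
    distinct injected variable for that page is listed inside the ticket."""
    grouped = {}
    for f in findings:
        if f.severity not in severities:
            continue
        key = (unique_url(f.url), f.category)
        ticket = grouped.setdefault(key, Ticket(url=key[0], category=f.category))
        if f.parameter and f.parameter not in ticket.parameters:
            ticket.parameters.append(f.parameter)
    return list(grouped.values())

# Constructed sample scan output: three hits on one page, two lower-severity hits elsewhere.
SAMPLE_FINDINGS = [
    Finding("https://bi.example.invalid/app/page1.jsp?user=x", "user", "XSS", "Critical"),
    Finding("https://bi.example.invalid/app/page1.jsp?lang=en", "lang", "XSS", "Critical"),
    Finding("https://bi.example.invalid/app/page1.jsp#top", "user", "XSS", "Critical"),
    Finding("https://bi.example.invalid/app/help.html?q=a", "q", "XSS", "Low"),
    Finding("https://bi.example.invalid/app/page2.jsp", "", "CSRF", "High"),
]

if __name__ == "__main__":
    for t in tickets_for_scan(SAMPLE_FINDINGS):
        print(f"{t.category} at {t.url}: variables {t.parameters}")
```

Widening `severities` (for example to include "High") shows how many more tickets a less selective filter would open, which is the cost the note warns about.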

Keywords
security vulnerability vulnerabilities cross site scripting xss webinspect appscan policy