Insight on SAP Patch day release, applying it and some methods based on my opinion.
Normally in any organization there will be a policy governance to apply security notes supplied by SAP. Sometimes a threshold is being set to only apply CVSS level 9 and above. While other organization will apply all of it.
You can click the CVSS below to find out the scores and why some organization set to certain standard. --> Common Vulnerability Scoring System Version 3.0 Calculator
The last time its always difficult to match if the note is applicable, however now SAP patch day states the product version as well. That eases the entire thinking of applying patch.
Just to share there are two ways or more in applying security notes in an easier way.
1 . Using the conventional way that is by DEV -> snote t-code and follow with the standards
2. Using solution manager
3. It's also highlighted in your EWA or TPO that some security notes that are required but not highlighted in SAP patch day, yet those on TPO or EWA report are mainly not for threats but more of a fix DB and SAP or OS related fix.
But there are more towards it. What if you miss the August Patch and then review somewhere in Dec Patch day release.
Few options as well,
1. Mostly minor kernel update will overcome almost 50 - 60% secuity patches and some support package update might populate the rest of the released security notes.
2. If you have missed security note for more than a yeear then the easy way out is by quarterly support package update, database update.
3. OR if you are lucky and if your organization practices limited CVSS level patch update for example 9 and obove then its even easier but becomes complicated as testing need to be done if the system is 24/7 and run critical operations.
Well folks thats all - enjoy with you SAP notes and methods and ways to handle it.
No comments:
Post a Comment