{"id":455,"date":"2018-03-19T07:30:29","date_gmt":"2018-03-19T06:30:29","guid":{"rendered":"http:\/\/akquinet-security-en.blog\/?p=455"},"modified":"2020-07-07T14:57:16","modified_gmt":"2020-07-07T12:57:16","slug":"do-security-notes-live-up-to-their-name","status":"publish","type":"post","link":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/","title":{"rendered":"Do Security Notes Live Up to Their Name?"},"content":{"rendered":"

\"SAST-Blog_SAPSecurityNotes\"<\/p>\n

On every second Tuesday of each month, SAP releases new Security Notes. Many SAP administrators install these patches relatively quickly \u2013 but are they putting too much faith in the security they provide?<\/span><\/p>\n

Very few customers know that security gaps can still be exploited.<\/span><\/p>\n

In OSS Note 1908870 \u2013 SACF | Workbench for Switchable Authorization Scenarios, SAP has developed a central solution for \u201cswitchable\u201d authorization verification that makes it possible to conduct authorization checks for adapted functions only after they are activated by the customer. The idea is to reduce the effect on established authorization concepts.<\/span><\/p>\n

Unfortunately, very few customers know that patches and enhancements designed in this way will remain inactive once this OSS Note is implemented. In other words, enhanced authorization checks that are meant to reduce risk can\u2019t perform their intended function. The result? The corresponding security hole can still be\u00a0exploited!<\/span><\/p>\n

Compatible with customer-specific programs<\/strong><\/span><\/p>\n

With transaction SUCC, customers can also define scenarios for the custom programs they use. Scenario-based authorization checking enables developers to enhance standard software with alternative checks for authorization objects in a variety of use cases.<\/span><\/p>\n

The use of switchable authorizations in customer-specific programs opens to door to intriguing possibilities with regard to developing and going live with ABAP modifications and authorization roles in separate environments.<\/span><\/p>\n

Further information is available here<\/a>.<\/span><\/p>\n

Don’t forget \u2013 switchable authorizations need to be activated!<\/strong><\/span><\/p>\n

Transaction SACF enables you to activate predefined authorization checks that include authorization tracing and Security Audit Log integration.<\/span><\/p>\n

For security reasons, customers are strongly advised to implement all the defined scenarios (except \u201cSACF_DEMO_SCENARIO\u201d) as live scenarios, as well. Here, auditors have to compare the amount of defined scenarios against the number of live scenarios and carry out rigorous evaluations.<\/span><\/p>\n

\"SAST-Blog_SecNotes_Abb01_1803\"
\n\"SAST-Blog_SecNotes_Abb02_1803\"<\/p>\n

Once the defined scenarios go live, the system performs an authorization check, which activates enhanced protection.<\/span><\/p>\n

Remember<\/strong>: Make sure that both header- and object-based verification are set to \u201cACTIVE\u201d. Otherwise, the system may not carry out its checks (or only perform logging).<\/span><\/p>\n

\"SAST-Blog_SecNotes_Abb03_1803\"<\/p>\n

Required authorizations<\/strong><\/span><\/p>\n

In order to use scenario-based authorizations, you\u2019ll need to assign your developers and admins corresponding privileges (S_TCODE).<\/span><\/p>\n

Start with the authorization object \u201cS_TCODE\u201d and the following Transactions:<\/span>
\n\"SAST-Blog_SecNotes_Tabelle01_1803_en\"<\/p>\n

Then proceed to the authorization object \u201cS_DEVELOP\u201d and the corresponding object types (available activities: 02 for changes, 03 for display mode, and 06 for deletion).<\/span>
\n\"SAST-Blog_SecNotes_Tabelle02_1803_en\"
\nRemember<\/strong>: Don\u2019t assign \u201cchange\u201d or \u201cdelete\u201d activities to users in live systems!<\/span><\/p>\n

\"ralfkempf_akquinet\"
\nRalf Kempf
\n<\/span>Technical Managing Director for SAST SOLUTIONS at AKQUINET<\/span><\/h6>\n

Are you looking forward to further tips and recommendations in the field of SAP security and compliance? There are plenty of opportunities to engage with us \u2013 in one of our webinars<\/a>, for example.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

On every second Tuesday of each month, SAP releases new Security Notes. Many SAP administrators install these patches relatively quickly \u2013 but are they putting too much faith in the security they provide?
\nVery few customers know that security gaps can still be exploited.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[68,80,114],"class_list":["post-455","post","type-post","status-publish","format-standard","hentry","category-general","tag-sap-authorizations","tag-sap-security","tag-threat-detection"],"yoast_head":"\nDo Security Notes Live Up to Their Name?<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Do Security Notes Live Up to Their Name?\" \/>\n<meta property=\"og:description\" content=\"On every second Tuesday of each month, SAP releases new Security Notes. Many SAP administrators install these patches relatively quickly \u2013 but are they putting too much faith in the security they provide? Very few customers know that security gaps can still be exploited.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/\" \/>\n<meta property=\"og:site_name\" content=\"SAST BLOG\" \/>\n<meta property=\"article:published_time\" content=\"2018-03-19T06:30:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-07-07T12:57:16+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/03\/sast-blog_sapsecuritynotes.jpg\" \/>\n<meta name=\"author\" content=\"securityblog\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"securityblog\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/\"},\"author\":{\"name\":\"securityblog\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/person\\\/cd70e3749cca136a7e8a37dc1d3cfc26\"},\"headline\":\"Do Security Notes Live Up to Their Name?\",\"datePublished\":\"2018-03-19T06:30:29+00:00\",\"dateModified\":\"2020-07-07T12:57:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/\"},\"wordCount\":447,\"publisher\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/03\\\/sast-blog_sapsecuritynotes.jpg\",\"keywords\":[\"SAP Authorizations\",\"SAP Security\",\"Threat Detection\"],\"articleSection\":[\"General\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/\",\"name\":\"Do Security Notes Live Up to Their Name?\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/03\\\/sast-blog_sapsecuritynotes.jpg\",\"datePublished\":\"2018-03-19T06:30:29+00:00\",\"dateModified\":\"2020-07-07T12:57:16+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/#primaryimage\",\"url\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/03\\\/sast-blog_sapsecuritynotes.jpg\",\"contentUrl\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/03\\\/sast-blog_sapsecuritynotes.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/03\\\/19\\\/do-security-notes-live-up-to-their-name\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Do Security Notes Live Up to Their Name?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#website\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/\",\"name\":\"SAST BLOG\",\"description\":\"SAP Security & Compliance\",\"publisher\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#organization\",\"name\":\"SAST BLOG\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/sast-solutions-logo.png\",\"contentUrl\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/sast-solutions-logo.png\",\"width\":358,\"height\":155,\"caption\":\"SAST BLOG\"},\"image\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/person\\\/cd70e3749cca136a7e8a37dc1d3cfc26\",\"name\":\"securityblog\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Do Security Notes Live Up to Their Name?","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/","og_locale":"en_US","og_type":"article","og_title":"Do Security Notes Live Up to Their Name?","og_description":"On every second Tuesday of each month, SAP releases new Security Notes. Many SAP administrators install these patches relatively quickly \u2013 but are they putting too much faith in the security they provide? Very few customers know that security gaps can still be exploited.","og_url":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/","og_site_name":"SAST BLOG","article_published_time":"2018-03-19T06:30:29+00:00","article_modified_time":"2020-07-07T12:57:16+00:00","og_image":[{"url":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/03\/sast-blog_sapsecuritynotes.jpg","type":"","width":"","height":""}],"author":"securityblog","twitter_card":"summary_large_image","twitter_misc":{"Written by":"securityblog","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/#article","isPartOf":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/"},"author":{"name":"securityblog","@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/person\/cd70e3749cca136a7e8a37dc1d3cfc26"},"headline":"Do Security Notes Live Up to Their Name?","datePublished":"2018-03-19T06:30:29+00:00","dateModified":"2020-07-07T12:57:16+00:00","mainEntityOfPage":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/"},"wordCount":447,"publisher":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#organization"},"image":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/#primaryimage"},"thumbnailUrl":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/03\/sast-blog_sapsecuritynotes.jpg","keywords":["SAP Authorizations","SAP Security","Threat Detection"],"articleSection":["General"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/","url":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/","name":"Do Security Notes Live Up to Their Name?","isPartOf":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/#primaryimage"},"image":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/#primaryimage"},"thumbnailUrl":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/03\/sast-blog_sapsecuritynotes.jpg","datePublished":"2018-03-19T06:30:29+00:00","dateModified":"2020-07-07T12:57:16+00:00","breadcrumb":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/#primaryimage","url":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/03\/sast-blog_sapsecuritynotes.jpg","contentUrl":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/03\/sast-blog_sapsecuritynotes.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/03\/19\/do-security-notes-live-up-to-their-name\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sast-solutions.com\/blog-en\/"},{"@type":"ListItem","position":2,"name":"Do Security Notes Live Up to Their Name?"}]},{"@type":"WebSite","@id":"https:\/\/sast-solutions.com\/blog-en\/#website","url":"https:\/\/sast-solutions.com\/blog-en\/","name":"SAST BLOG","description":"SAP Security & Compliance","publisher":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sast-solutions.com\/blog-en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/sast-solutions.com\/blog-en\/#organization","name":"SAST BLOG","url":"https:\/\/sast-solutions.com\/blog-en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/logo\/image\/","url":"https:\/\/sast-solutions.com\/blog-en\/wp-content\/uploads\/2021\/03\/sast-solutions-logo.png","contentUrl":"https:\/\/sast-solutions.com\/blog-en\/wp-content\/uploads\/2021\/03\/sast-solutions-logo.png","width":358,"height":155,"caption":"SAST BLOG"},"image":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/person\/cd70e3749cca136a7e8a37dc1d3cfc26","name":"securityblog"}]}},"_links":{"self":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts\/455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/comments?post=455"}],"version-history":[{"count":3,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts\/455\/revisions"}],"predecessor-version":[{"id":1286,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts\/455\/revisions\/1286"}],"wp:attachment":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/media?parent=455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/categories?post=455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/tags?post=455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}