topic Re: Web GUI security precautions in Application Development and Automation Discussions

Web GUI security precautions

pakula123 — Tue, 17 May 2016 10:24:41 GMT

Hi SAP personas team, Security topic:Since Web GUI works on browser and we use Scripting (Via BAPI's) What are the security precautions one should consider? When i did some research i found this link https://erpscan.com/wp-content/uploads/presentations/2012-Kuwait-InfoSecurity-Top-10-most-interesting-vulnerabilities-and-attacks-in-SAP.pdf What steps did SAP take to avoid vulnerable attacks via Internet. Could you please send us the important notes that we can look in to if any Kindly suggest. Best regards, pradeep.

Re: Web GUI security precautions

cris_hansen — Tue, 17 May 2016 11:05:39 GMT

Hi Pradeep,

You probably read about the SAP Security Notes. Please go ahead and check the notes published at the SAP One Support Portal. You will need assistance from your Security team to assess whether a note is required in your system or not.

So, the SAP Security Notes will be updated as soon as a particular vulnerability is found and fixed. This is the resource you need to use to prevent risks.

Kind regards,

Cris

Re: Web GUI security precautions

pakula123 — Tue, 17 May 2016 11:13:52 GMT

Thank you Cristiano .Your reply was at the speed of HANA . Best regards, pradeep.

Re: Web GUI security precautions

cris_hansen — Tue, 17 May 2016 11:30:46 GMT

Hi Pradeep.

I am here to help. Not always as fast as HANA.

All the best,

Cris

Re: Web GUI security precautions

pakula123 — Tue, 17 May 2016 20:48:50 GMT

Hi Cristiano , I tried to open the link that you have sent.It took us to general place where we check the notes , Can you be more specific about the note numbers that we need to implement for Personas ? Best regards, pradeep.

Re: Web GUI security precautions

cris_hansen — Wed, 18 May 2016 16:51:13 GMT

Hi Pradeep,

You need to check the list from time to time, looking for BC-FES-ITS, BC-FES-WGU and BC-PER notes.

Kind regards,

Cris

Re: Web GUI security precautions

Tamas_Hoznek — Wed, 18 May 2016 17:10:19 GMT

If you have SP03 installed, the new Notes Checker feature makes it easy to verify whether the required notes are implemented. If there are any new notes identified as required regarding security and relevant for Personas, this tool will recognize that and tell you if anything is missing.

However this relies on the Personas team getting notified about such notes so that we can make sure the Notes Checker knows about them. We try our best to keep up with this of course but in some cases it is possible that a note only applies to certain situations therefore it cannot be made required for all customers. In such cases, the local basis team has to determine whether the note should be implemented.

Re: Web GUI security precautions

Former Member — Wed, 18 May 2016 18:08:55 GMT

Why not use Solution Manager to pull the available SAP Notes for any given system? See attached Screen Shot.

Cheers,

Dan Mead

Re: Web GUI security precautions

pakula123 — Thu, 19 May 2016 00:23:55 GMT

Thank you for you note Daniel. I forwarded this info to concerned team. Best regards, pradeep.

Re: Web GUI security precautions

former_member596519 — Thu, 30 Jun 2022 06:33:04 GMT

Dear Tamas,

I hope you are doing good! Though, this question seems to be old, but I have a similar request: I was told that SAP Security team is recommending to keep the ITS-WEBGUI node deactivated. But for Screen Personas to work, according to this link, it has to be active. Is this a known issue and already resolved with one of the mentioned notes?

Thank you for the support and a big hello to the rest of the team!

BR Aleks