Virtual Forge Security Advisory Service

The Virtual Forge Security Advisory Service aims to support you in establishing and running an SAP® Security Patch Management Lifecycle. The service follows a multi-level approach, ranging from a detailed investigation and prioritization of every security note published by SAP to a full impact analysis for each system within your system landscape, including implementation of notes on your system.

Many customers are overwhelmed by the vast amount of effort needed to install and handle SAP security patches: productive systems need to be restarted, application functionality is affected, and a lot of effort might be required to implement security notes and test their functional impact. Typically, these are unscheduled requirements; therefore, it’s important to properly understand the applicability and business risk of a security patch, i.e. not just the business risk according to SAP’s rating but also according to the customer’s policies.

With our Security Advisory Service, Virtual Forge applies its expert knowledge to help you establish an SAP Security Patch Management Lifecycle. Our Security Advisory Services consist of two expansion stages and optional implementation support.

SAP® Security Notes Information Service

This level includes a detailed and system-independent investigation of each SAP security note published. Once a new SAP security patch note is released, Virtual Forge will review the content and provide guidance as soon as possible on a monthly basis. Not all security notes are properly classified, and some are missing information. Where applicable, Virtual Forge will enrich or reclassify vulnerabilities according to our SAP security expertise and include notes which are not officially classified as security notes but are relevant for security.

SAP Security Notes Custom Impact Analysis

As a further step in the advisory service, Virtual Forge will assess the landscape together with the customer and classify all SAP systems according to their risk level based on existing policies, but also according to confidentiality, integrity, and availability. Each SAP system will then be linked to a security patch plan. The Security Notes Information will then be cross-checked and implemented according to best practices. This lays the foundation for establishing transparency on the security patch level status across the defined SAP landscape.

SAP Security Notes Implementation Support

Optionally, the customer can also request support for implementing the relevant security patches. If the systems haven’t been patched for a long time, additional sub-projects with additional effort might be necessary. A few examples of such vulnerabilities are gateway security, callback security, switchable authorization checks, etc. For more information on these services, please contact us directly.