Avert damage from WannaCry, Petya, & Co.

The SAP community differs from other software ecosystems: for decades it has been used to automatically receiving up-to-date, reliable information from Walldorf on problems and risks in SAP systems, in the form of "SAPnotes".
Ralf Meyer, Synomic
September 21, 2017
This text has been automatically translated from German to English.

SAP HotNews, SAP TopNotes, SAP Security Notes and SAP Legal Change Notes help the tens of thousands of SAP customers proactively avoid problems and risks or resolve them as quickly as possible.

Even with mobile apps, users are usually automatically informed about new versions of applications that not only extend functionality, but also solve known problems and close security gaps. Unfortunately, this is not the case with most open source components!

Threats beyond the radar

Here, the trade and daily press usually only reports and warns about current threats when hundreds of thousands of systems have already been affected and/or major damage has been done.

Software developers have to track current and new versions themselves, which is laborious and time-consuming, and then take action. This becomes even more difficult when open source components are themselves built into other components, which is often the case.

Therefore, unlike the "prominently" featured cases of WannaCry and Petya, most truly critical threats are not even on the radar of most IT managers.

Current examples

"Spring" is one of the most widely used Java frameworks. Few companies in the SAP community are likely to use Java without Spring, and over 10,000 open source software packages are based on it. Version 4.3.4 was released only eight months ago, but it is vulnerable and thus a major gateway for potential attackers.

"Struts2" is also heavily used, for example with SAP CrystalReports, the SAP JCO and jQuery, and is highly vulnerable.

Hardly any Java application gets by without Apache Commons BeanUtils, for example in the SAP Hana Cloud environment. Here, virtually every version before 1.9.2 is vulnerable and therefore risky for users.
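The version checks named above, applied to a dependency tree so that components built into other components are also caught. This is an added example, not code from the article or from VersionEye; the Maven coordinates, the rule table and the sample tree are assumptions constructed for illustration.

```python
import re

# Rules from the article's text. The Maven coordinates they are mapped to are
# assumptions: (groupId, artifactId or None for any, version test, reason).
RULES = [
    ("commons-beanutils", "commons-beanutils", lambda v: v < (1, 9, 2), "before 1.9.2"),
    ("org.springframework", None, lambda v: v == (4, 3, 4), "version 4.3.4"),
]

# Constructed sample in the layout printed by `mvn dependency:tree`.
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.springframework:spring-webmvc:jar:4.3.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-core:jar:4.3.4.RELEASE:compile
[INFO] |     \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- com.example:reporting-lib:jar:2.1.0:compile
[INFO] |  \- commons-beanutils:commons-beanutils:jar:1.8.3:compile
[INFO] \- junit:junit:jar:4.12:test
"""

# Each nesting level is a 3-character prefix: "+- ", "|  ", "\- " or "   ".
LINE = re.compile(r"^\[INFO\] ((?:[|+\\ ][ -] )*)([\w.\-]+(?::[\w.\-]+)+)$")

def scan(tree_text):
    """Return (coordinate, reason, path from the root) per flagged component."""
    findings, stack = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # build banners and other non-tree output
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        group, artifact = parts[0], parts[1]
        # group:artifact:type[:classifier]:version:scope; the root has no scope.
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        del stack[depth:]  # drop siblings and deeper levels
        stack.append(f"{artifact}:{version}")
        # Compare on the first three numeric fields; qualifiers are ignored.
        nums = [int(n) for n in re.findall(r"\d+", version)]
        vt = tuple((nums + [0, 0, 0])[:3])
        for r_group, r_artifact, is_bad, reason in RULES:
            if group == r_group and r_artifact in (None, artifact) and is_bad(vt):
                findings.append((f"{group}:{artifact}:{version}", reason, " > ".join(stack)))
    return findings

if __name__ == "__main__":
    for coordinate, reason, path in scan(SAMPLE_TREE):
        print(f"{coordinate} ({reason}) via {path}")
```

The path in each finding shows which direct dependency pulls the flagged component in, which is the part a developer cannot see from the project's own dependency list.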

The good news: There is an automatic and free monitoring solution. VersionEye from the Mannheim-based start-up of the same name offers a kind of "OpenSourceNotes" as a supplement to the well-established "SAPnotes" and is itself 100 percent open source (under MIT license).

Today, more than 1.4 million open source projects are already monitored, developed in 16 different programming languages, such as Java, JavaScript, PHP and "R" (the important language for Hana).

More than 45,000 registered users and 500,000 monthly visitors (worldwide) are already using this service to actively minimize risks from open source software.

VersionEye automatically and actively notifies users 24 x 7 about new versions of open source components ("Version Notes"), possible license problems ("License Notes") and security risks ("Security Notes").

It does so not according to the "shotgun principle", but specifically only for the open source components that are really affected and actually used by the user.

Made in Germany and free of charge

In contrast to similar, expensive and proprietary US services, no customer code is transferred to servers in the USA. Since VersionEye itself is 100 percent open source software, the solution is completely transparent and can be analyzed and, if necessary, adapted.

Enterprise services are offered for the implementation of best practices in the use of open source in the SAP ecosystem, seamless integration in enterprise environments and service level agreements. Enterprise customers include Blinkist, Seeburger and Xing.


Ralf Meyer is Managing Director of Synomic and co-founder of IA4SP.

