Avert damage from WannaCry, Petya, & Co.
SAP HotNews, SAP TopNotes, SAP Security Notes and SAP Legal Change Notes help the tens of thousands of SAP customers proactively avoid problems and risks or resolve them as quickly as possible.
Even with mobile apps, users are usually automatically informed about new versions of applications that not only extend functionality, but also solve known problems and close security gaps. Unfortunately, this is not the case with most open source components!
Threats beyond the radar
The trade and daily press usually reports and warns about current threats only once hundreds of thousands of systems have already been affected and/or major damage has been done.
Software developers have to keep themselves informed about current and new versions, which is laborious and time-consuming, and then take action themselves. This becomes even harder when open source components are themselves built into other components, as is often the case.
Therefore, unlike the "prominently" featured cases of WannaCry and Petya, most truly critical threats are not even on the radar of most IT managers.
Current examples
"Spring" is one of the most widely used Java frameworks. Few companies in the SAP community are likely to use Java without Spring, and over 10,000 open source software packages are based on it. Version 4.3.4 was released only eight months ago, but it is vulnerable and thus a major gateway for potential attackers.
"Struts2" is also heavily used, for example with SAP CrystalReports, SAP JCo and jQuery, and is highly vulnerable.
Hardly any Java application does without Apache Commons BeanUtils, for example in the SAP Hana Cloud environment. Virtually every version before 1.9.2 is vulnerable and therefore risky for users.
The good news: There is an automatic and free monitoring solution. VersionEye from the Mannheim-based start-up of the same name offers a kind of "OpenSourceNotes" as a supplement to the well-established "SAPnotes" and is itself 100 percent open source (under the MIT license).
Today, more than 1.4 million open source projects are already monitored, developed in 16 different programming languages, such as Java, JavaScript, PHP and "R" (the important language for Hana).
More than 45,000 registered users and 500,000 monthly visitors (worldwide) are already using this service to actively minimize risks from open source software.
VersionEye automatically and proactively notifies users around the clock (24 x 7) about new versions of open source components ("Version Notes"), possible license problems ("License Notes") and security risks ("Security Notes").
And not according to the "shotgun principle", but specifically for only those open source components that are actually affected and actually used by the user.
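As an added example (not VersionEye's code and not part of the original article): a small Python audit that flattens a constructed dependency tree, including a component bundled inside another library, and reports only those components that both appear in the tree and fall within an advisory's affected range. The BeanUtils range ("before 1.9.2") and the Spring 4.3.4 release come from the article; the dependency tree, the library `com.example:reporting-lib`, the advisory ids and the exact-match form of the Spring entry are constructed assumptions.

```python
"""Added example: match a project's dependency tree against an advisory feed,
reporting only components that are actually used and actually affected."""
import re

# Constructed dependency tree (group:artifact:version -> bundled components).
# com.example:reporting-lib is a hypothetical library that ships BeanUtils.
DEPENDENCY_TREE = {
    "org.springframework:spring-core:4.3.4.RELEASE": [],
    "com.example:reporting-lib:2.1": [
        "commons-beanutils:commons-beanutils:1.8.3",
    ],
    "commons-io:commons-io:2.5": [],
}

# Constructed advisory feed. The BeanUtils range follows the article
# ("virtually every version before 1.9.2"); the Spring entry pins the release
# the article names. Advisory ids are placeholders, not real identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1",
     "artifact": "commons-beanutils:commons-beanutils", "affected": "<1.9.2"},
    {"id": "EXAMPLE-ADV-2",
     "artifact": "org.springframework:spring-core", "affected": "==4.3.4"},
]

def parse_version(text):
    """'4.3.4.RELEASE' -> (4, 3, 4); non-numeric qualifiers are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected(version, spec):
    """Evaluate a single range predicate such as '<1.9.2' or '==4.3.4'."""
    op, bound = re.match(r"(<=|>=|==|<|>)\s*(.+)", spec).groups()
    v, b = parse_version(version), parse_version(bound)
    return {"<": v < b, "<=": v <= b, "==": v == b, ">": v > b, ">=": v >= b}[op]

def flatten(tree):
    """Yield (coordinate, path) for every direct and bundled component."""
    for coord, children in tree.items():
        yield coord, [coord]
        for child in children:
            yield child, [coord, child]

def audit(tree, advisories):
    """Return findings only for components present in the tree AND affected."""
    findings = []
    for coord, path in flatten(tree):
        artifact, version = coord.rsplit(":", 1)
        for adv in advisories:
            if adv["artifact"] == artifact and is_affected(version, adv["affected"]):
                findings.append({"id": adv["id"], "component": coord,
                                 "via": " -> ".join(path)})
    return findings

if __name__ == "__main__":
    for f in audit(DEPENDENCY_TREE, ADVISORIES):
        print(f"{f['id']}: {f['component']} (via {f['via']})")
```

The `via` path shows which direct dependency pulled in the affected component, which is the information needed to decide where an upgrade has to happen.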
Made in Germany and free of charge
In contrast to similar, expensive and proprietary US services, no customer code is transferred to servers in the USA either. Since VersionEye itself is 100 percent open source software, the solution is completely transparent and can be analyzed and also adapted if necessary.
Enterprise services are offered for the implementation of best practices in the use of open source in the SAP ecosystem, seamless integration in enterprise environments and service level agreements. Enterprise customers include Blinkist, Seeburger and Xing.