Thomas Fritsch

The Onapsis Blog

The world of business-critical application security is dynamic, with new developments happening on a continuous basis. Check out our blog for recommendations, insights and observations on the latest news for securing your SAP®, Oracle® and Salesforce applications.

Thomas Fritsch has been working on SAP security research for over four years, after a longer career as an SAP expert. With a focus on vulnerabilities in SAP system configuration and SAP transport management, he is known as a publisher of various articles and a speaker at different SAP-related conferences. Previously to joining Onapsis, he worked for an SAP partner in Walldorf where he designed and realized customer-centric solutions for the SAP change and transport management.

09/12/2023 | By

Thomas Fritsch

|

SAP Patch Day

SAP Patch Day: September 2023

Critical Patches for SAP BusinessObjects and SAP CommonCryptoLib released

Read more about SAP Patch Day: September 2023

08/08/2023 | By

Thomas Fritsch

|

SAP Patch Day

SAP Patch Day: August 2023

New HotNews Note for SAP PowerDesigner and Important Update on July HotNews Note

Read more about SAP Patch Day: August 2023

07/11/2023 | By

Thomas Fritsch

|

SAP Patch Day

SAP Security Patch Day: July 2023

Important Patches for IS-OIL, Solution Manager, Web Dispatcher, and ICM

Read more about SAP Security Patch Day: July 2023

06/20/2023 | By

Thomas Fritsch

How to Securely Introduce Explicit AUTHORITY-CHECKS into Custom RFC-Enabled Function Modules

SAP customers often rely only on S_RFC authorizations to protect access to business data via RFC-enabled function modules (RFC FMs). This is risky because, due to the complexity of business scenarios, S_RFC authorizations are often assigned very generically (RFC_NAME = ‘*’ ). Another reason that S_RFC authorizations lack granularity is because in the past S_RFC authorizations could only be restricted on a function group level.

Read more about How to Securely Introduce Explicit AUTHORITY-CHECKS into Custom RFC-Enabled Function Modules

05/09/2023 | By

Thomas Fritsch

|

SAP Patch Day

SAP Security Patch Day: May 2023

Highlights of May SAP Security Notes analysis include twenty-five new and updated SAP security patches released, including three HotNews Notes and nine High Priority Notes. Several critical vulnerabilities in SAP 3D Visual Enterprise License Manager’s web interface should be paid close attention. This month also marks the fourth time in a row that Onapsis Research Labs has directly contributed to SAP Patch Tuesday.

Read more about SAP Security Patch Day: May 2023

04/11/2023 | By

Thomas Fritsch

|

SAP Patch Day

SAP Security Patch Day: April 2023

Critical Vulnerabilities in SAP Diagnostics Agent Poses Risk To All SAP Systems

Read more about SAP Security Patch Day: April 2023

03/14/2023 | By

Thomas Fritsch

|

SAP Patch Day

SAP Patch Day: March 2023

Critical Vulnerabilities patched in SAP NetWeaver AS ABAP / Java and in SAP BusinessObjects

Read more about SAP Patch Day: March 2023

02/21/2023 | By

Thomas Fritsch

|

SAP Security

Using Generic Application Access Rules in SAP Custom Development

SAP applications often require the need to restrict access for certain entities to a subset of all instances. In most scenarios, SAP’s authorization concept is sufficient for this purpose. However, there are some disadvantages using SAP authorizations: