
SAP Security and Risk acceptance in Protect4S

Published 10 March 2021, updated January 7th, 2022

New Check Exemptions functionality helps customers to manage risk

SAP Security Check Exemptions

Many of our SAP Security product improvements find their origin in our growing base of customers. This co-development together with our customers has proven to be very successful and is highly appreciated by our customers.

Some of our customers recently requested “Check Exemptions” functionality, which allows specific findings to be accepted and excluded from future scans. We believed this would add value to the overall process of risk management and set about developing it.

Often driven by regulations or compliance, customers typically scan their SAP landscape and focus on vulnerabilities with a High or Very High risk. That is where the mitigation or remediation efforts pay off the most in terms of reducing risk. 

This is a commonly accepted best practice, but it might very well happen that a finding in Protect4S:

  • is not applicable to a specific situation;
  • concerns a risk that has already been diverted or mitigated by other measures;
  • is in the process of being mitigated or remediated;
  • is acceptable for other valid reasons.

You would then no longer want to see that finding in the output of a scan.

For those specific cases, we have created the Check Exemptions functionality, which lets you accept risks in a well-documented way, limited to a specific period if desired, and only if you have the authorisations to do so.

How does it work? It is really easy! The Protect4S solution offers several ways to create exemptions via the exemption configuration application, which can be reached from the scan output, from the project configuration, or directly from the launchpad’s main screen.

In the exemption configuration application, you can exclude checks for a specific period. 

Exemptions can be given different scopes: a specific scan, a specific project, or all scans. In addition, you can document the reason why the check has been exempted, record who approved it, and provide references to other documentation.

[Screenshot: exemption configuration application]

This makes it easy to exclude these particular checks and vulnerabilities from future scans on the selected scope. Exempted vulnerabilities are no longer shown in the output by default. If needed, all exempted vulnerabilities can still be shown in the output by selecting the ‘include exemptions’ option; they are then displayed in blue, as shown below.
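To make the behaviour described above concrete, here is a small model of scoped, time-bounded check exemptions applied to scan findings. This is an added illustration written for this post, not Protect4S code: the record layout, the scope names (`scan`, `project`, `all`), the check identifiers and the sample findings and exemptions are all constructed assumptions. It shows the two properties that matter for risk acceptance: an exemption only suppresses a finding while it is inside its validity period and matches its scope, and an exempted finding can still be surfaced (tagged here, shown in blue in the product) when the reviewer asks to include exemptions.

```python
"""Scoped, time-bounded check exemptions applied to scan findings.

Added illustration, not Protect4S code. Field names, scope names and all
sample data below are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    check_id: str    # scanner check identifier (constructed values below)
    scan_id: str
    project: str
    risk: str        # "Low", "Medium", "High" or "Very High"


@dataclass(frozen=True)
class Exemption:
    check_id: str
    scope: str                  # "scan", "project" or "all" (assumed scope names)
    scope_value: Optional[str]  # scan id or project name; None when scope == "all"
    valid_from: str             # ISO date, inclusive
    valid_to: Optional[str]     # ISO date, inclusive; None means open-ended
    reason: str                 # why the risk is accepted
    approved_by: str            # who approved the acceptance
    reference: str = ""         # ticket / risk-register reference

    def is_active(self, today: str) -> bool:
        """True while today lies inside the validity period."""
        t = date.fromisoformat(today)
        if t < date.fromisoformat(self.valid_from):
            return False
        return self.valid_to is None or t <= date.fromisoformat(self.valid_to)

    def matches(self, f: Finding) -> bool:
        """True if this exemption's check and scope cover the finding."""
        if self.check_id != f.check_id:
            return False
        if self.scope == "all":
            return True
        if self.scope == "scan":
            return f.scan_id == self.scope_value
        if self.scope == "project":
            return f.project == self.scope_value
        raise ValueError(f"unknown exemption scope {self.scope!r}")


def validate_exemption(e: Exemption) -> list[str]:
    """Return the list of reasons an exemption must not be saved (empty = valid)."""
    problems = []
    if not e.reason.strip():
        problems.append("reason is required")
    if not e.approved_by.strip():
        problems.append("approver is required")
    if e.scope in ("scan", "project") and not e.scope_value:
        problems.append(f"scope {e.scope!r} needs a scope_value")
    if e.valid_to is not None and \
            date.fromisoformat(e.valid_to) < date.fromisoformat(e.valid_from):
        problems.append("valid_to precedes valid_from")
    return problems


def apply_exemptions(findings, exemptions, today: str, include_exemptions=False):
    """Return [(finding, exemption_or_None)].

    Findings covered by an active, matching exemption are dropped unless
    include_exemptions is set, in which case they are kept with the exemption.
    """
    rows = []
    for f in findings:
        hit = next((e for e in exemptions if e.is_active(today) and e.matches(f)), None)
        if hit is None or include_exemptions:
            rows.append((f, hit))
    return rows


def render(rows) -> list[str]:
    """One report line per row; exempted rows carry an [EXEMPTED] tag."""
    out = []
    for f, e in rows:
        tag = "[EXEMPTED]" if e else "[OPEN]    "
        line = f"{tag} {f.risk:<9} {f.check_id} scan={f.scan_id} project={f.project}"
        if e:
            line += f" reason={e.reason!r} approved_by={e.approved_by}"
        out.append(line)
    return out


# Constructed sample data (not real scan output).
FINDINGS = [
    Finding("CHK-001", "S-100", "Production", "Very High"),
    Finding("CHK-002", "S-100", "Production", "High"),
    Finding("CHK-001", "S-200", "Development", "Very High"),
]
EXEMPTIONS = [
    Exemption("CHK-001", "project", "Production", "2021-03-01", "2021-06-30",
              "Mitigated by network segmentation", "security-officer (constructed)",
              "RISK-0042 (placeholder)"),
    Exemption("CHK-002", "scan", "S-100", "2021-01-01", "2021-02-28",
              "Remediation scheduled", "basis-team-lead (constructed)"),
]

if __name__ == "__main__":
    for line in render(apply_exemptions(FINDINGS, EXEMPTIONS, "2021-03-10",
                                        include_exemptions=True)):
        print(line)
```

Run as a script on the sample data: the first finding is suppressed by the project-scoped exemption, the second is reported because its scan-scoped exemption expired at the end of February, and the third is reported because it belongs to a different project. Re-running with a date after 30 June 2021 reports all three, which is the point of giving an acceptance an end date.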

[Screenshot: exempted vulnerabilities shown in blue in the scan output]

We believe this is a great new functionality that adds value to Protect4S and helps customers even more in doing their risk assessments for their business-critical SAP assets.

Want to know how you too can automate and simplify your SAP security? Try out Protect4S for 1 month for free or request a free demo! 

For more SAP security-related news, articles and whitepapers, please follow us on LinkedIn!