Mitigation of Vulnerabilities


According to the Cambridge dictionary, the word “Mitigation” means:

“a reduction in how harmful, unpleasant, or bad something is”.

In the context of vulnerability management, “Mitigation” means eliminating vulnerabilities and thereby preventing their exploitation. Once a vulnerability has been mitigated, the risk associated with its exploitation is eliminated and the total risk associated with the SAP infrastructure is reduced.

The “art of mitigation” lies in:

  • preventing exploitation of a vulnerability, while at the same time allowing business processes to function as normal

  • reducing the most amount of risk whilst staying inside your security budget

Mitigation effort

Since there are many different types of vulnerabilities, their corresponding mitigation measures also widely vary. An example of a simple mitigation measure is resetting the default password of a default SAP user while a more complicated mitigation measure could involve the definition of an ACL (Access Control List) file like the secinfo file that protects the SAP gateway.

We classify the mitigation effort in the following terms:

In general, a higher mitigation effort means higher costs. Since security budgets are not unlimited, a smart selection of the vulnerabilities to be mitigated is the key to achieving the highest reduction of risk.

Mitigation efficiency

This heat map shows the risk levels of the checks plotted against mitigation effort. Quick wins for mitigation can be found in the upper-left-hand corner of the heat map (mitigation effort Very Low and Low). This way users can identify, select and concentrate on solving the easy-to-fix vulnerabilities first.

When starting out with vulnerability management, it is recommended to start with the ones that are easy to fix (the least mitigation effort) and that have a (Very) High Risk. After this has been done, the more complex vulnerabilities can be tackled.
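The prioritisation described above, as an added illustration that is not Protect4S code and does not reproduce the product's own risk matrix: the five-step risk and effort scales, the check names and the system IDs are constructed assumptions. The code builds the effort-versus-risk heat map from a list of findings, picks the quick wins in its upper-left corner (effort Very Low or Low, risk High or Very High) and orders the remaining findings for a second phase by descending risk and ascending effort.

```python
"""Risk-vs-effort heat map and quick-win selection (added illustration)."""
from collections import Counter
from dataclasses import dataclass

# Assumed ordinal scales. The guide only names "Very Low"/"Low" effort and
# "(Very) High" risk; the full five-step scales are an assumption here.
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Finding:
    check: str    # name of the failed check
    system: str   # satellite system identifier
    risk: str     # one of LEVELS
    effort: str   # one of LEVELS (mitigation effort)


def validate(finding):
    """Reject findings whose risk or effort is not on the known scale."""
    if finding.risk not in RANK or finding.effort not in RANK:
        raise ValueError(f"unknown risk/effort level in {finding}")
    return finding


def heat_map(findings):
    """Return the heat-map cells as {(effort, risk): number of findings}."""
    return Counter((f.effort, f.risk) for f in map(validate, findings))


def render(grid):
    """Text rendering: effort increases down the rows, risk decreases across
    the columns, so quick wins sit in the upper-left corner as in the guide."""
    cols = list(reversed(LEVELS))
    width = max(len(level) for level in LEVELS)
    header = "effort \\ risk"
    label_w = max(width, len(header))
    lines = [header.ljust(label_w) + " | " + " ".join(c.rjust(width) for c in cols)]
    for effort in LEVELS:
        cells = " ".join(str(grid.get((effort, risk), 0)).rjust(width) for risk in cols)
        lines.append(effort.ljust(label_w) + " | " + cells)
    return "\n".join(lines)


def quick_wins(findings, max_effort="Low", min_risk="High"):
    """Findings at or below max_effort and at or above min_risk, ordered by
    highest risk first, then lowest effort, then check name."""
    hits = [f for f in map(validate, findings)
            if RANK[f.effort] <= RANK[max_effort] and RANK[f.risk] >= RANK[min_risk]]
    return sorted(hits, key=lambda f: (-RANK[f.risk], RANK[f.effort], f.check))


def mitigation_plan(findings):
    """Phase 1: quick wins. Phase 2: everything else, most risk / least effort first."""
    wins = quick_wins(findings)
    later = [f for f in findings if f not in wins]
    later.sort(key=lambda f: (-RANK[f.risk], RANK[f.effort], f.check))
    return {"quick_wins": wins, "later": later}


# Constructed sample scan results; systems and checks are illustrative only.
SAMPLE = [
    Finding("Default password on standard SAP user", "PRD", "Very High", "Very Low"),
    Finding("Gateway secinfo ACL missing", "PRD", "Very High", "High"),
    Finding("Gateway secinfo ACL missing", "QAS", "High", "High"),
    Finding("Verbose error pages enabled", "DEV", "Low", "Very Low"),
    Finding("Profile parameter below recommended value", "PRD", "High", "Low"),
    Finding("Unused ICF service active", "PRD", "Medium", "Low"),
]

if __name__ == "__main__":
    print(render(heat_map(SAMPLE)))
    plan = mitigation_plan(SAMPLE)
    print("\nPhase 1 (quick wins):")
    for f in plan["quick_wins"]:
        print(f"  {f.system}: {f.check} [risk {f.risk}, effort {f.effort}]")
    print("Phase 2:")
    for f in plan["later"]:
        print(f"  {f.system}: {f.check} [risk {f.risk}, effort {f.effort}]")
```

Running the module prints the grid with the two quick wins (the default password and the profile parameter) in the top-left cells and leaves the two gateway ACL findings, which carry high risk but also high effort, for the second phase.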

Best practice mitigation measures

SAP has published an enormous amount of information on vulnerabilities and the best ways to get rid of them. This information contains specific recommendations for a wide variety of SAP system types and versions. For someone starting out with vulnerability management, finding the right information can be a challenge.

Fortunately, Protect4S VM provides the best-practice recommendations from SAP for the mitigation of each vulnerability. These recommendations come from OSS Notes, SAP help, SAP Whitepapers and SAP blogs from SAP Developer Network (SDN). This may save you many hours searching.

In general, it is recommended to stick with these best practices from SAP. This ensures that your SAP systems will remain supported by SAP.

To get the most reduction of risk out of your budget, Protect4S VM enables a smart selection of the vulnerabilities to be mitigated by presenting a heat map of all vulnerabilities found, plotted according to their mitigation effort:

[Figure: Mitigation effort scale]

[Figure: Selecting (Very) High risk vulnerabilities that are relatively easy to solve]