The scope of RISE is individual, making one precise answer covering all detailed aspects too broad. Therefore, it's advisable to have the total solution scope sorted and listed before continuing with the pentest. Architectural issues due to the broad variety of customer landscapes should optimally be avoided before initiating the pentest, therefore having a centralized Cybersecurity & Compliance perspective on your landscape is very advisable. Establishing clear requirements for deciding if to follow the white, grey or even black box test approach is essential as defining efforts and costs of the test execution.
Once all is cleared, one can check for typical vulnerabilities (patches, configuration, …), go through all system entry points or even through frameworks offered by various other vendors than SAP. RISE is in this context to be understood more as bundle of SAP products and services, whereas pentest cover the validation of security requirements per technological solution area being different wrt. of their type (SaaS, IaaS, ... ).
Please follow the SAP Customer Penetration Testing Request Process as described in note 3080379 for notifing the respective hosting organization.
Bluesky
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.