Practical Pentesting of ERPs and Business Applications

Presented at Black Hat USA 2013, July 31, 2013, 10:15 a.m. (60 minutes)

Today, the whole business of a company depends on enterprise business applications. They are big systems that store and process all of a company's critical data. Any information an attacker might want, be it a cybercriminal, industrial spy or competitor, is stored here. This information can include financial, customer or public relations data, intellectual property, personally identifiable information, and more. Industrial espionage, sabotage, fraud or insider embezzlement can be very effective when targeted at the victim's business application, and can cause significant damage to the business. There are many types of these applications: ERPs, CRMs, SRMs, ESBs. Unfortunately, there is still very little information about the security of those systems, especially about how to pentest them.

During our work on the OWASP-EAS subproject, we gathered the top 10 critical areas (similar for most business applications), so we will present a solid approach for pentesting those types of systems. We will look at 3 different systems from top business application vendors: SAP, Oracle and Microsoft, and show how to pentest them using our cheatsheets, which will be released for BlackHat, as well as a free tool: ERPScan Pentesting Tool.


Presenters:

  • Alexey Tyurin - ERPScan   as Alexy Tyurin
    Dr. Alexey Tyurin is the Director of the IS audit department at ERPScan. He holds a PhD in computer security. He works on SAP security, particularly on RFC and web services security. He has pen-testing experience with a wide range of enterprise systems (Citrix, VMware, etc.). He is the leading programmer of ERPScan Pentesting Tool (the penetration tool for SAP) and some other security tools. He leads the "Easy Hack" column and writes articles on security and reverse engineering for the XAKEP magazine.
  • Alexander Polyakov
    A father of ERPScan Security Scanner for SAP. Organizer of the ZeroNights deep-technical security conference. His expertise covers the security of enterprise business-critical software like ERP, CRM, SRM, banking and processing software. He is the manager of OWASP-EAS (OWASP subproject) and a well-known security expert on the enterprise applications of such vendors as SAP and Oracle, who has published a significant number of vulnerabilities found in the applications of these vendors, with acknowledgements from SAP. He is the writer of multiple whitepapers and surveys devoted to information security research in SAP, like the award-winning "SAP Security in figures". Alexander has been invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around the globe, as well as in internal workshops for SAP and Fortune 500 companies.
