ERP Security: Assess, Exploit and Defend SAP Platforms

Presented at DeepSec 2018 „I like to mov &6974,%bx“.

Your SAP platform contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, many are still prone to SAP-specific vulnerabilities that expose their business to espionage, sabotage and financial fraud risks. This course empowers Security Managers, Internal/External Auditors and InfoSec Professionals to assess their SAP platforms for platform-specific vulnerabilities, exploit them to better understand the involved business risk and mitigate them holistically. It provides the latest information on SAP-specific attacks and protection techniques.

After an introduction to the SAP world (previous SAP expertise is NOT required), you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps. You will understand why even strict user roles and profiles are not enough to protect an SAP system, and how malicious attackers could break into the system anonymously, even without having a valid user. With a strong focus on the SAP application layer, you will learn the key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP Web Applications (Enterprise Portal, Web Application Server), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, SAP malware, ABAP vulnerabilities, the new SAP HANA Database, SAP Cloud solutions and much more!

You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our labs using open-source and free tools, such as Bizploit - the first open-source ERP Penetration Testing framework. After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know the best practices to effectively mitigate them, proactively protecting your business-critical platforms. Previous SAP expertise is NOT required!

Presenters:

  • Pablo Artuso - Onapsis
    Pablo Artuso is a security researcher at the Onapsis Research Labs. His work is focused on the research and detection of vulnerabilities in SAP systems. As a result of his research, he has reported and published several vulnerabilities in different SAP solutions such as HANA, NetWeaver, etc. Moreover, Pablo works closely with the Innovation team, contributing to the development of cutting-edge technologies to boost Onapsis products.
  • Yvan Genuer - Onapsis
    Yvan has 16 years of experience in SAP, now working as a security researcher at Onapsis. He received official acknowledgements from SAP AG for vulnerabilities he has reported. Furthermore, he has conducted trainings and talks at HIP, Hack.lu, Troopers and SSTIC.
