Cyber-threats on SAP Platforms: Assess, Exploit and Defend

Onapsis, Inc. | July 29-30





Your SAP platform probably contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, many are still prone to SAP-specific vulnerabilities that expose their business to espionage, sabotage and financial fraud risks. This course empowers Security Managers, Internal Auditors and InfoSec Professionals to assess their SAP platforms for vulnerabilities, exploit them to better understand the involved business risk and mitigate them holistically.

Based on BlackHat’s renowned “SAP Security In-Depth” training, this new course provides the latest information on SAP-specific attacks and protection techniques. After a quick introduction to the SAP world, you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps.

You will understand why even strict user roles and profiles are not enough to protect an SAP system, and how malicious attackers could break into the systems anonymously, even without having a valid user. With a strong focus on the SAP application layer, you will learn the key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP Web Applications (Enterprise Portal, WebAS and ITS), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, ABAP vulnerabilities and much more!

You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our SAP labs using open-source and free tools, such as Bizploit, the first open-source ERP Penetration Testing framework.

After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know which are the best approaches to effectively mitigate them, proactively protecting your business-critical platform. Previous SAP expertise is NOT required!

What Will Be Provided

Slide handouts, cheat sheets, and a DVD with free tools.

What Students Should Bring


General Information Security knowledge. No SAP experience is required.


Mariano Nunez is the CEO at Onapsis. Mariano is an active researcher in the ERP Security field, having been the first to present on real-world security attacks on SAP platforms in 2007. Since then, he has been invited to lecture in several security conferences, such as BlackHat DC/USA/EU, RSA, SAP, HITB Dubai/EU, Troopers, Source, Ekoparty, HackerHalted, DeepSec, Sec-T, and, as well as in Fortune-100 companies and military organizations.

Mariano has discovered more than 50 vulnerabilities in SAP, Microsoft, Oracle and IBM applications and has several years of experience performing SAP Penetration Tests. He leads the strategic development of Onapsis X1, has been the developer of the first open-source SAP & ERP Penetration Testing Frameworks (sapyto/bizploit) and leads the "SAP Security In-Depth" publication. Mariano is also a founding member of, the Business Security Community.

Because of his research work, he has been interviewed and featured in mainstream media such as CNN, Reuters, IDG, New York Times, eWeek, PCWorld, Darkreading and others.

Juan Pablo Perez-Etchegoyen is CTO at Onapsis. His research and consulting experience comprises SAP security assessments for worldwide companies in Europe, the US and Latin America. In the research field, he specializes in SAP, Oracle and JD Edwards platforms, having discovered several security vulnerabilities in them.

Juan Pablo is in charge of Onapsis X1 development, being actively involved in its evolution and innovative features. He has also been invited to hold several trainings and talks on Penetration Testing, Database security and especially SAP security at security conferences such as BlackHat, Source, HITB and Ekoparty.