ERP Security: Assess, Exploit and Defend SAP Platforms

Onapsis Inc. | August 4-5


Your SAP platform contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, many are still prone to SAP-specific vulnerabilities that expose their business to espionage, sabotage and financial fraud risks. This course empowers Security Managers, Internal/External Auditors and InfoSec Professionals to assess their SAP platforms for platform-specific vulnerabilities, exploit them to better understand the business risk involved and mitigate them holistically.

This course provides the latest information on SAP-specific attacks and protection techniques. After an introduction to the SAP world (previous SAP expertise is NOT required), you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps.

You will understand why even strict user roles and profiles are not enough to protect an SAP system, and how malicious attackers could break into the systems anonymously, even without having a valid user. With a strong focus on the SAP application layer, you will learn the key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP Web Applications (Enterprise Portal, Web Application Server), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, SAP malware, ABAP vulnerabilities and much more!

You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our labs using open-source and free tools, such as Bizploit, the first open-source ERP Penetration Testing framework.

After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know the best practices to effectively mitigate them, proactively protecting your business-critical platform. Previous SAP expertise is NOT required!

Who Should Take This Course

Information Security Managers, Internal/External Auditors and InfoSec Professionals who would like to learn how to manage the increased security risks affecting their SAP platforms.

Student Requirements

• General knowledge of Information Security
• Basic knowledge of Networking
• Previous SAP expertise is NOT required!

What Students Should Bring

• Personal laptop (with ethernet port for class wired network)
• SSH client (PuTTY / native ssh client)
• Note: Rights to install additional applications are recommended

What Students Will Be Provided With

• Slide handouts
• SAP security cheatsheets
• DVD with the latest white-papers and presentations on SAP security
• DVD with free tools


Juan Perez-Etchegoyen is the CTO at Onapsis, leading the Research & Development teams that keep the company on the cutting-edge of the ERP security industry. As a renowned thought-leader in the SAP cyber security field, Juan is responsible for the architecture of the innovative software solutions Onapsis X1 and Onapsis IPS.

Being the founder of the Onapsis Research Labs, Juan is actively involved in the coordination and research of critical security vulnerabilities in ERP systems and business-critical applications, such as SAP and Oracle. He has discovered and helped SAP AG fix several critical vulnerabilities. Juan also held the first presentation on advanced threats affecting Oracle's JD Edwards applications.

As a result of his innovative research work, Juan has been invited to lecture at several of the most renowned security conferences in the world, such as Black Hat, SANS, OWASP AppSec, HackInTheBox, NoSuchCon and Ekoparty. He also holds private trainings for SAP AG and Global Fortune-100 organizations and is frequently quoted and interviewed by leading publications, such as IDG, DarkReading and PC World.

Julian Rapisardi is a Senior SAP Security Consultant at Onapsis. As a member of the Professional Services team, he is responsible for performing SAP Security Assessments, understanding the evolving regulatory landscape affecting SAP systems and delivering trainings about the latest risks affecting SAP platforms.

With 7+ years of experience in business consulting, information technology and systems auditing, he has assisted numerous large companies from various industries including Oil & Gas, Manufacturing and Telecommunications, covering a wide variety of SAP modules and solutions. Julian has also been involved in several SAP GRC projects, including the four components of SAP GRC 10.0 Access Control: Access Risk Analysis (ARA), Emergency Access Management (EAM), Access Request Management (ARM) and Business Role Management (BRM) administration and maintenance, as well as SAP GRC Risk Management.

Julian has delivered trainings on SAP security at SANS Network Security, SANS Sydney and at several large organizations.