Enterprise Business Application Security: Attack and Defense

ERPScan | August 2-3

Today nearly every company's business rests on enterprise business applications: large systems that store and process all of the company's critical data. Any information an attacker might want, whether that attacker is a cybercriminal, an industrial spy or a competitor, is stored here, including financial data, customer and public-relations records, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, fraud or insider embezzlement can be very effective when targeted at the victim's business application system, and can cause significant damage to the business. There are many types of such applications, such as ERP, CRM, SRM and ESB systems, among others. Some of them store data, while others, such as an Enterprise Service Bus, exist to transfer critical data between systems.

Unfortunately, there is still very little information available about the security of these systems: how to break them during penetration tests and how to configure them securely. Most public research has focused on SAP ERP applications, but here we will also cover other software such as Service Buses, CRM, Process Integration and SRM, as well as software from other vendors, including SAP HANA, SAP BusinessObjects, Oracle PeopleSoft, Oracle EBS, Oracle JD Edwards, MS Dynamics and some of the less popular and custom business applications.

Who Should Take This Course

This class is intended for two categories of people. The first is penetration testers who want to learn how to break business applications during pentests; the second is CISOs of large companies that use business applications, since at least some of the applications listed above can be found in every company worldwide.

Student Requirements

Basic IT Security knowledge.

What Students Should Bring

• Laptop with at least 4 GB of RAM
• Wi-Fi on board
• Windows 7 on the laptop or in a virtual machine, because all software for connecting to the systems and attacking them will be for Windows.
• Software:
  • SAPGui 7.2
  • Firefox with TamperData
  • Burp Proxy
  • Perl
  • Python

What Students Will Be Provided With

A USB flash drive with all the latest tools and materials.


Alexander Polyakov - CTO at ERPScan
Father of the ERPScan Security Scanner for SAP. Organizer of ZeroNights, a deep-technical security conference. His expertise covers the security of enterprise business-critical software such as ERP, CRM, SRM, banking and processing software. He is the manager of OWASP-EAS (an OWASP subproject) and a well-known security expert on enterprise applications from vendors such as SAP and Oracle, having published a significant number of the vulnerabilities found in these vendors' applications, with acknowledgements from SAP. He is the author of multiple whitepapers and surveys devoted to information security research in SAP. Alexander has been invited to speak and train at international conferences such as Black Hat, RSA, HITB and 30 others around the globe, as well as at internal workshops for SAP and Fortune 500 companies.

My colleague:

Sergey Belov - Senior Security Auditor at ERPScan
7 years in IT security. Holds a master's degree in Computer Aided Design (CAD). For 2 years worked in security at the US startup "Mojiva", whose clients include very famous companies such as Microsoft, RIM and NBC. Since 2009 has conducted Business Application Security training for web developers, QA staff and team leads of various IT companies. Since 2013 has actively participated in business application security research and the EAS-SEC project. Participates in various information security competitions (Capture The Flag): took part in the final of CTF DEF CON 2012 (Las Vegas, USA) and was the winner of Chaos Constructions 2013. Ranked #1 for contributions to the "Information Security" blog on Habrahabr. Has found many vulnerabilities on various well-known portals and has been added to the halls of fame of Google and Yandex.