ERP SECURITY: ASSESS, EXPLOIT AND DEFEND SAP PLATFORMS

Onapsis Inc | July 24-25



Overview

Your SAP platform contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, still many are prone to SAP-specific vulnerabilities that are exposing their business to espionage, sabotage and financial fraud risks.

This course empowers Security Managers, Internal/External Auditors and InfoSec Professionals to assess their SAP platforms for platform-specific vulnerabilities, exploit them to better understand the involved business risk and mitigate them holistically.

This course provides the latest information on SAP-specific attacks and protection techniques. After an introduction to the SAP world (previous SAP expertise is NOT required), you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps.

You will understand why even strict user roles and profiles are not enough to protect an SAP system, and how malicious attackers could break into the systems anonymously, even without having a valid user. With a strong focus on the SAP application layer, you will learn they key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP Web Applications (Enterprise Portal, Web Application Server), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, SAP malware, ABAP vulnerabilities, the new SAP HANA Database, SAP Cloud solutions and much more!

You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our labs using opensource and free tools, such as Bizploit - the first opensource ERP Penetration Testing framework.

After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know which are the best-practices to effectively mitigate them, proactively protecting your business-critical platform. Previous SAP expertise is NOT required!

Who Should Take this Course

Information Security Managers, Internal/External Auditors, BASIS team members and InfoSec Professionals that would like to learn how to manage the increased security risks affecting their SAP platforms.

Student Requirements

- General knowledge on Information Security
- Basic knowledge on Networking
- Previous SAP expertise is NOT required!

What Students Should Bring

Personal laptop (with Ethernet port for class wired network)

- SSH client (Putty / native ssh client)
- SAP GUI installed on the laptop and with permission to add systems
- Web Browser

Note: Rights to install additional applications is recommended

What Students Will Be Provided With

- Slides handouts
- SAP security cheatsheet
- Pen Drive with the latest white-papers, presentations and free tools for SAP security

Trainers

JP leads the Product teams that keeps Onapsis on the cutting-edge of the business-critical application security market. He is responsible for the design, research and development of Onapsis' innovative software solutions, and helps manage the development of new products as well as the SAP cyber-security research that has garnered critical acclaim for the Onapsis Research Labs. He is regularly invited to speak and host trainings at global industry conferences including Blackhat, HackInTheBox, Troopers, and SAP TechEd/DCODE. Prior to joining Onapsis, Juan Pablo led many Information Security consultancy projects for Companies in Latin America, EE.UU. and Europe. His strongest experience is in the field of Penetration Testing, Web Application Testing, Vulnerabilities Research, Information Security Auditing's and Standards.

Julian Rapisardi is a Senior SAP Security Specialist at Onapsis. As a former member of the Research Labs team, he was responsible for performing SAP Security Assessments, understanding the evolving regulatory landscape affecting SAP systems and delivering trainings about the latest risks affecting SAP platforms. Julian is now focused in Product, defining the directions of Onapsis Security Platform as it is implemented across the biggest organizations in the world. With seven plus years of experience in business consulting, information technology and systems auditing, he has assisted numerous large companies from various industries including Oil & Gas, Manufacturing and Telecommunications, covering a wide variety of SAP modules and solutions. He has also been involved in several SAP GRC projects. Julian has delivered talks and trainings on SAP security at SANS Network Security, ASUG and at Black Hat among others.