TT2 – SAP Security In-Depth

Trainer: Juan Pablo Perez Etchegoyen (Researcher, ONAPSIS)
Capacity: 14 pax
Seats Left: 6
Duration: 2 days
Cost: (per pax) MYR3999 (early bird) / MYR4699 (non early-bird)



Have you ever wondered whether your business-critical SAP implementation is secure? Do you know how to check it? Have you imagined what the impact of an attack on your core business platform could be? Do you know how to prevent it? This training is the answer to these questions.

For many years, SAP security has been synonymous with “segregation of duties” or “securing roles and profiles”. While this kind of security is mandatory and of absolute importance, there are many threats that have so far been overlooked and are even more dangerous, such as the possibility of taking remote control of the entire SAP landscape without having any user in any system.

This training will help you fill this knowledge gap, allowing you to understand the threats and risks involved and how to mitigate them. You will review the whole picture, from the security of the Environment and the SAP application-level gateways (SAProuter, Web Dispatcher), through the assessment and hardening of the Operating Systems and Databases and their interaction with the SAP systems, up to the security of the SAP Application Layer: Authentication, User security, Password Policies, Authorization subsystem, Interface Security, Component Security, Auditing, Monitoring and more!

The training is organized around many hands-on exercises, which will help you grasp practical knowledge quickly. You will learn how to assess the security of an SAP implementation and then secure the critical security gaps you discovered. You will learn how to use different SAP security tools, as well as the publicly available SAP Penetration Testing Framework developed by the instructor.

The training also provides a quick introduction to basic SAP concepts, which allows non-SAP security professionals to follow the course smoothly.

Who Should Attend

- Information Security Managers, Consultants and Auditors.
- SAP Administrators, Project Leaders and Consultants.

Key Learning Objectives

- Understand the basic security concepts in SAP systems.
- Learn the main risks that can affect the security of the platform.
- Learn how to perform technical security assessment of SAP systems.
- Understand how to protect the systems from detected vulnerabilities, decreasing fraud risk.
- Use specific software to evaluate the security of an SAP system.
- Grasp practical knowledge through hands-on exercises.

Class Equipment Requirements:

* Any modern laptop with a CD/DVD drive and network port
* Windows XP/Vista/7 (native or VMware image)
* SSH client

Pre-requisite knowledge

The training provides a quick introduction to basic SAP concepts, which allows non-SAP security professionals to follow the course smoothly. General knowledge of networking and security concepts is recommended.

Day 1:

* Introduction to SAP
* Threats
* Security of the Environment
  o Secure Architecture
  o SAP Application Level Gateways
    * The SAProuter
    * The SAP Web Dispatcher
* Security of the OS & DB
  o Security of SAP on Windows environments
  o Security of SAP on UNIX environments
  o Security of SAP with MS SQL Server databases
  o Security of SAP with Oracle databases

Day 2:

* Security of the SAP Application Layer
  o Authentication Mechanisms
  o User Security
  o Password Policies
  o Authorization Concept
  o Interface Security
  o Securing the System Landscape
  o Component and Application Security
    * SAP Internet Transaction Server (ITS)
    * SAP Internet Communication Manager (ICM)
    * SAP Secure Network Communications (SNC)
    * Secure Sockets Layer (SSL)
* Monitoring and Auditing
* Conclusions

Juan Pablo Perez Etchegoyen

Juan Pablo Perez Etchegoyen is a security consultant and researcher at Onapsis. His consulting experience comprises security assessments for worldwide companies in Europe, the US and Latin America. In the research field, he specializes in SAP, Oracle and JD Edwards platforms, having discovered several security vulnerabilities in them. Juan Pablo is one of the core researchers and developers of the Onapsis X1 and Bizploit solutions. He has also held several trainings on Penetration Testing, Database security and SAP security (BlackHat USA).