Abstract

DURATION: 2 DAYS
CAPACITY: 20 pax
SEATS AVAILABLE: ONLINE REGISTRATION IS CLOSED
PRICE: EUR1499 (early bird)
EUR1999 (normal)
Early bird registration rate ends on the 14th of February

Overview
Today, nearly every large business depends heavily on SAP’s enterprise business applications. These systems store and process all of a company’s critical data. Unfortunately, very little information exists about the security of these systems, how to break them during penetration tests, and how to configure them securely to prevent cyber attacks. This training will help you learn a new topic: SAP Cyber Security.
Who Should Attend
This class benefits two categories of people. The first is penetration testers and security consultants who want to learn how to assess SAP applications. The second is security engineers and administrators who are responsible for the security of business-critical SAP applications such as ERP systems.
Key Learning Objectives
Participants will learn:

How to perform a security assessment of SAP systems
How to secure SAP systems against attackers
Practical experience from world-renowned experts

Prerequisite knowledge

Basic IT Security knowledge

Hardware / Software requirements

Laptop with at least 4 GB of RAM
Wi-Fi on board
Windows 7 or higher, on the laptop or in a virtual machine
Software:

SAPGui 7.3
Firefox with TamperData
Burp Proxy
Perl
Python
Nmap

Agenda (day 1 / day 2) including topics covered

Introduction to SAP Security

Why we should care
History of SAP security
Current situation in SAP security
SAP attack features
SAP defense features
Methodologies for ERP/SAP security (EAS-SEC)
Network level
Open ports
Protocol security
Trusted systems
Securing the network

OS level SAP Security
SAP-specific OS vulnerabilities
Critical SAP data in the OS
From OS to SAP
From SAP to OS
Securing the OS

Database level Security
Critical database data
Attacking the database
From database to SAP
From SAP to database
Securing the database

Client-side security
Attacking ActiveX components
GUI scripting attacks
Collecting critical data
Advanced attack combinations and Trojans

NetWeaver Application Server ABAP – Services
SAP Gateway
SAP Message Server
SAP Dispatcher
SAP ICM
SAP ITS
SAProuter
SAP HostControl
Other services

NetWeaver Application Server ABAP – Authorization Model
Authorization concept
Problems of SAP tools for checking authorizations
Critical Transactions
Critical Reports
Access to OS
Access to Tables
Segregation of Duties (SoD)

NetWeaver Application Server ABAP – ABAP Code security
Secure development
Improper Authorization
Injections ABAP/SQL
Access to OS/Traversals
Generic calls
Backdoors

NetWeaver Application Server JAVA
Visual Admin
Web applications
SAP Portal
SAP SDM
SAP Log Viewer

SAP Business Objects
Apache Tomcat
Web application Container
CMS (Central Management Server)
SIA (Server Intelligence Agent)
Version Management
Database

SAP HANA
Database
XS Engine
Trexnet
Encryption

SAP Mobile Platform
SAP Control Center
SAP SQL Anywhere (or any other database)
SAP Mobile server services

SAP Afaria
Administrator console
XcListener
AfariaIphoneServer
Afaria API (HTTP)

Securing SAP Systems
Penetration testing
Security Assessment
Compliance
SAP Security Guidelines
ISACA Guidelines
DSAG Guidelines
EAS-SEC Guidelines
Code Security
SoD
Forensics