DeepSec 2018 Training: ERP Security: Assess, Exploit and Defend SAP Platforms – Pablo Artuso & Yvan Genuer

Sanna/ September 27, 2018/ Conference, Security, Training

Your SAP platform contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, many are still prone to SAP-specific vulnerabilities that expose their business to espionage, sabotage and financial fraud risks.

Gaston’s and Pablo’s training empowers Security Managers, Internal/External Auditors and InfoSec Professionals to assess their SAP platforms for platform-specific vulnerabilities, exploit them to better understand the involved business risk and mitigate them holistically.
It provides the latest information on SAP-specific attacks and protection techniques. After an introduction to the SAP world (previous SAP expertise is NOT required), you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps. You will understand why even strict user roles and profiles are not enough to protect an SAP system, and how malicious attackers could break into the system anonymously, even without having a valid user. With a strong focus on the SAP application layer, you will learn the key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP Web Applications (Enterprise Portal, Web Application Server), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, SAP malware, ABAP vulnerabilities, the new SAP HANA Database, SAP Cloud solutions and much more! You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our labs using open-source and free tools, such as Bizploit – the first open-source ERP Penetration Testing framework.

After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know the best practices to mitigate them effectively, proactively protecting your business-critical platforms. Previous SAP expertise is NOT required!

We asked Pablo and Gaston a few more questions about their training.

Please tell us the top 5 facts about your training.

  • Hands-on training (25+ exercises)
  • One of a kind (there’s no other training about ERP security)
  • 0 SAP knowledge is required
  • Open source penetration testing framework will be used
  • Let’s think like an attacker… latest exploits related to SAP will be covered

How did you come up with it? Was there something like an initial spark that set your mind on creating this course?

We started giving this training almost 10 years ago, when nobody was talking about this topic. At that time, speaking about security in SAP systems was basically speaking about SoD. Since then, we started not only to deliver this training at security conferences, but also to give talks, do webcasts, research, and more, with the goal of raising awareness and spreading knowledge. A couple of years ago (and still) people didn’t know how to interact with this type of system. That’s why one of the main goals of this training is to get yourself acquainted with the different layers of security inside the SAP world, get to know the most important vulnerabilities, the most critical configurations, how they can be abused and how they should be protected.

Why do you think this is an important topic?

ERP security has been growing during the last years. In 2016, the Department of Homeland Security (DHS) released the first-ever alert related to SAP security, which was the outcome of a combined project with Onapsis. In 2018, they came up again with another news story, stressing that companies are still under attack and they must take care of it. Based on our experience, attacks on ERP platforms, which hold the most important assets of companies, are increasing year by year. Due to the complexity of SAP systems, administrators don’t realize that sometimes their own systems are exposed to the internet. Knowing how to properly secure and defend your systems from these kinds of attacks is definitely a must.

Is there something you want everybody to know – some good advice for our readers maybe?

How much do you know about ERP security? Have you ever heard of it? Let’s think about it for a second. How critical is the data that is actually stored in these systems? Do you know how to protect it? Attackers are starting to realise that people are not protecting them, which opens a huge window of opportunities. Exploits and techniques to abuse misconfigurations are going public faster each time. Don’t you think it’s time to take action?

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

Year by year, ERP security is gaining more respect, as the number of attacks keeps increasing. Companies can’t keep overlooking it, because their most important assets are at risk. On the other hand, attackers are getting more into the world of SAP and they’re starting to exploit and abuse vulnerabilities and misconfigurations which are publicly known. The time of ERP security has come, and everybody needs to be aware of it.


Pablo Artuso is a security researcher at the Onapsis Research Labs. His work is focused on the research and detection of vulnerabilities in SAP systems. As a result of his research, he has reported and published several vulnerabilities in different SAP solutions such as HANA, NetWeaver, etc. Moreover, Pablo works closely with the Innovation team, contributing to the development of cutting-edge technologies to boost Onapsis products.

Yvan Genuer has 16 years of experience in SAP, now working as a security researcher at Onapsis. He received official acknowledgements from SAP AG for vulnerabilities he’s reported. Furthermore, he has conducted training or talks at HIP, Troopers and SSTIC.
