SAP Security In-Depth

Mariano Nuñez Di Croce and Juan Pablo Perez Etchegoyen

Training dates: July 23-24

Registration: ends February 1 / ends June 1 / ends July 20 / July 21-24


Have you ever wondered whether your business-critical SAP implementation is secure? Do you know how to check it? Have you imagined what the impact of an attack on your core business platform could be? Do you know how to prevent it? This training is the answer to these questions.

For many years, SAP security has been synonymous with "segregation of duties" or "securing roles and profiles". While this kind of security is mandatory and of absolute importance, there are many threats that have so far been overlooked and are even more dangerous, such as the possibility of taking remote control of the entire SAP landscape without having a user account in any system.

This training will help you fill this knowledge gap, allowing you to understand the threats and risks involved and how to mitigate them. You will review the whole picture: from the security of the environment and the SAP application-level gateways (SAProuter, Web Dispatcher), through the assessment and hardening of the operating systems and databases and their interaction with the SAP systems, up to the security of the SAP application layer: authentication, user security, password policies, the authorization subsystem, interface security, web application security, backdoors, ABAP (in)security, auditing, monitoring and more!

The training is organized around many hands-on exercises, which will help you grasp practical knowledge quickly. You will learn how to assess the security of an SAP implementation and then close the critical security gaps you discovered. You will also learn how to use different SAP security tools, as well as Bizploit, the first open-source ERP penetration testing framework, developed by the instructor.

The training also provides a quick introduction to basic SAP concepts, which allows non-SAP security professionals to follow the course smoothly.

Required Equipment


Mariano Nunez is the CEO at Onapsis. Mariano is an active researcher in the ERP security field, having been the first to present on real-world security attacks on SAP platforms in 2007. Since then, he has been invited to lecture at several security conferences, such as BlackHat DC/USA/EU, RSA, SAP, HITB Dubai/EU, Troopers, Source, Ekoparty, HackerHalted, DeepSec and Sec-T, as well as at Fortune-100 companies and military organizations.

Mariano has discovered more than 50 vulnerabilities in SAP, Microsoft, Oracle and IBM applications and has several years of experience performing SAP penetration tests. He leads the strategic development of Onapsis X1, developed the first open-source SAP & ERP penetration testing frameworks (sapyto/bizploit) and leads the "SAP Security In-Depth" publication. Mariano is also a founding member of the Business Security Community.

Because of his research work, he has been interviewed and featured in mainstream media such as CNN, Reuters, IDG, New York Times, eWeek, PCWorld, Darkreading and others.

Juan Pablo Perez-Etchegoyen is CTO at Onapsis. His research and consulting experience comprises SAP security assessments for companies worldwide in Europe, the US and Latin America. In the research field, he specializes in SAP, Oracle and JD Edwards platforms, having discovered several security vulnerabilities in them.

Juan Pablo is in charge of Onapsis X1 development and is actively involved in its evolution and innovative features. He has also been invited to give several trainings and talks on penetration testing, database security and especially SAP security at security conferences such as BlackHat, Source, HITB and Ekoparty.