Black Hat USA 2009 Weekday Training Session

July 27-28

SAP (In)Security

Mariano Nunez Di Croce

Overview

How to secure an SAP system? How to perform a security assessment of an SAP system? These are the two questions that this course tries to answer.

SAP security is still an unexplored world for many security professionals. In this course you will learn the different security aspects of this giant, covering from the basics steps to the high-profile attacks and defenses. We will cover the full landscape, from the security of the operating system and the database server up to the security at the SAP layer: Transport System, User Management and Administration, Communication Security, Interface Security, Application Security (SAPRouter, Web Dispatcher, ITS, ICM, SNC, SSL), Logs and Auditing, Intrusion Detection.

Through many hands-on exercises, you will learn to use different SAP security products to secure your SAP deployments, as well as novel techniques and tools to perform assessments on these systems.

Even more, we will master you in using sapyto, the open-source framework for performing SAP penetration-tests. You will learn how to use it, configure it and extend its functionality developing your own plugins.

Trainer:

Mariano Nunez Di Croce is a senior security researcher working at CYBSEC, mainly involved in Penetration Testing and Vulnerability Research. In the research field, he has discovered critical vulnerabilities in Microsoft, Oracle and Watchfire products as well as more than 40 vulnerabilities in SAP systems, many of which have been disclosed to the public. Mariano is now leading CYBSEC's SAP Security Team, where he has worked securing and assessing many critical SAP implementations. He is the developer of sapyto, the first SAP Penetration Testing Framework, and has also published white-papers and tools about this subject.

Mariano has been invited to hold presentations and trainings in many international security conferences such as Black Hat, Sec-T, Hack.lu, Ekoparty, DeepSec, CIBSI as well as to host private trainings for Fortune-100 companies and defense contractors. Mariano has a degree in Computer Science Engineering from the UTN and in his free time he enjoys staying away from his computer.

Super Early: Ends Mar 15	Early: Ends May 1	Regular: Ends Jul 1	Late: Ends Jul 22	Onsite:
$2000	$2100	$2300	$2500	$2800