On This Page

ERP Security: Assess, Exploit and Defend SAP Platforms

Onapsis | August 1-2


Your SAP platform contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, still many are prone to SAP-specific vulnerabilities that are exposing their business to espionage, sabotage and financial fraud risks.

This course empowers Security Managers, Internal/External Auditors and InfoSec Professionals to assess their SAP platforms for platform-specific vulnerabilities, exploit them to better understand the involved business risk and mitigate them holistically.

This course provides the latest information on SAP-specific attacks and protection techniques. After an introduction to the SAP world (previous SAP expertise is NOT required), you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps.

You will understand why even strict user roles and profiles are not enough to protect an SAP system, and how malicious attackers could break into the systems anonymously, even without having a valid user. With a strong focus on the SAP application layer, you will learn they key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP Web Applications (Enterprise Portal, Web Application Server), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, SAP malware, ABAP vulnerabilities, the new SAP HANA Database, SAP Cloud solutions and much more!

You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our labs using opensource and free tools, such as Bizploit - the first opensource ERP Penetration Testing framework.

After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know which are the best-practices to effectively mitigate them, proactively protecting your business-critical platform. Previous SAP expertise is NOT required!

Who Should Take this Course

Information Security Managers, Internal/External Auditors and InfoSec Professionals that would like to learn how to manage the increased security risks affecting their SAP platforms.

Student Requirements

  • General knowledge on Information Security
  • Basic knowledge on Networking
  • Previous SAP expertise is NOT required!

What Students Should Bring

  • Personal laptop (with ethernet port for class wired network)
  • SSH client (Putty / native ssh client)
  • SAP GUI installed on the laptop
  • Note: Rights to install additional applications is recommended

What Students Will Be Provided With

Slides handouts
SAP security cheatsheets
Pen Drive with the latest white-papers, presentations and free tools for SAP security


Juan Pablo leads the Research teams that keeps Onapsis on the cutting-edge of the business-critical application security market. He is responsible for the design, research and development of Onapsis' innovative software solutions, and helps manage the development of new products as well as the SAP cyber-security research that has garnered critical acclaim for the Onapsis Research Labs. He is regularly invited to speak and host trainings at global industry conferences including Blackhat, HackInTheBox, Troopers, and SAP TechEd. Prior to joining Onapsis, Juan Pablo led many Information Security consultancy projects for Companies in Latin America, EE.UU. and Europe. His strongest experience is in the field of Penetration Testing, Web Application Testing, Vulnerabilities Research, Information Security Auditing's and Standards.

Pablo Müller is the Head of SAP Platform Security at Onapsis. As an active member of the Onapsis Research Labs team, he is responsible for performing SAP security assessments, defining SAP security guidelines and baselines, understanding the evolving regulatory landscape affecting SAP systems and delivering SAP cyber security trainings both in leading security conferences and in-company. With over 6 years of experience in business consulting, information technology and systems auditing, he has assisted numerous large companies from various industries including Oil & Gas, Banking and Tobacco. Pablo has been involved in numerous SAP security projects such as SAP penetration testings and SAP risk assessments, as well as product implementations such as Onapsis solutions for SAP cyber security assessment and protection, and Approva BizRights for Continuous Controls Monitoring: Segregation of Duties, Sensitive Transactions, Process Controls and IT Controls.