March 18, 2015 (at 1:30 p.m.) in Special Track: SAP Security

What you learned in school is that dinosaurs have been extinct for the last 65 billion years... but what you may not know is that you can still find a fearless and dangerous species in today's business critical applications. Join us in this talk to learn about products that you will find in every SAP implementation which are used for managing, searching and indexing sensitive business information. We will introduce you to SAP T-REX, which is an advanced search engine used to support all the text search processes on SAP products, such as ERP, Portal, Netweaver and Fiori and many others. Actually, in most cases companies are already running this engine, even though you don't know you have it installed. We will then get into further details about the internals (files, protocols, services, settings...) of how this product works, showing novel techniques that attackers could be using to access your most valuable business information. Finally, we will show you how to prevent the extinction of your business critical information by protecting all of your systems in a holistic way, end-to-end, preventing espionage and privilege escalation attacks.

Sergio Abraham

Sergio is an SAP Security Specialist and Researcher at Onapsis. As one of the first members of the Onapsis Research Labs, he is responsible for the research of diverse scenarios and configurations of SAP pplications, as well as the development and delivery of blog posts, SAP security in-depth publications, papers and webcasts, as well as Security Conference talks and trainings.

As a result of his experience in the industry, Sergio has discovered and published several SAP Security vulnerabilities affecting diverse SAP components. He has been invited to speak and host trainings at well recognized industry conferences such as Ekoparty, HubCon, ASUG and SANS, among others.

Additionally, Sergio was the main developer of Onapsis Bizploit (the first open-source SAP Penetration Testing Framework) and the architect of Onapsis X1 (the ERP Security Suite). He has generated new and innovative security checks for both products.

In terms of consultancy, Sergio has been involved in different projects related to the SAP security ecosystem, such as auditing SAP Implementations, defining and implementing SoD rules, performing SAP security assessments, SAP Penetration Tests, and also helping SAP customers during SAP incident responses.

Juan Perez-Etchegoyen

JP leads the Research teams that keeps Onapsis on the cutting-edge of the business-critical application security market. He is responsible for the design, research and development of Onapsis' innovative software solutions, and helps manage the development of new products as well as the SAP cyber-security research that has garnered critical acclaim for the Onapsis Research Labs. He is regularly invited to speak and host trainings at global industry conferences including Blackhat, HackInTheBox, Troopers, and SAP TechEd/DCODE. Prior to joining Onapsis, Juan Pablo led many Information Security consultancy projects for Companies in Latin America, EE.UU. and Europe. His strongest experience is in the field of Penetration Testing, Web Application Testing, Vulnerabilities Research, Information Security Auditing, and Standards.