Back to Archives Menu

BIZEC SAP Security Workshop

2 Days of TROOPERS Trainings

All Inclusive

  • Save (compared to regular pricing for training, conference and roundtables)
  • 2 days of exclusive TROOPERS trainings
  • 2 days of TROOPERS conference
  • Roundtable discussions with ERNW staff and TROOPERS speakers
  • Special events during the conference

Conference Package

About this Event

Due to the great feedback in the last years, the 6th BIZEC SAP® security workshop focuses again on hot and relevant topics in the SAP security community: Detecting and mitigating threats against SAP systems. Not just in your regular ABAP systems, but also in more recent SAP solutions like SAP HANA.

In past workshops, there was a lot of attention for offensive topics. This year’s focus is on the defensive side of SAP Security as the importance of this topic is more important than ever. If you are involved in protecting SAP systems, you know this topic needs more attention so this workshop is a must-attend!

Focus topics

SAP Hardening
SAP Security monitoring
Content-based threat vectors in SAP applications
Automation in mitigation
HANA TEC/11 & HANA APP/11

The benefits for you and your company

  • Learn about the latest developments in SAP system security from recognized SAP security experts.
  • Bring back actionable insights to help protect your company’s SAP systems against hackers and industrial espionage.
  • Gain an overview of new SAP security research on the horizon.
  • Network with industry peers and get in touch with leading security experts.
BIZEC Logo

The Business Application Security Initiative (https://info.virtualforge.com/bizec) is a non-profit organization with a focus on security defects in business applications, in particular in the SAP space. Their protection is a key subject for private, governmental and defense organizations around the globe. Our presenters are from the renowned SAP security companies Akquinet, Bowbridge, ERP-SEC, Onapsis and Virtual Forge (in alphabetical order).

Agenda Day 1 (12th March)

  • Arrival - Light Breakfast provided

  • Welcome

    all together

  • Mission Possible: „SAP Hardening and Security Monitoring being implemented in time and in budget"

    Most institutions running SAP tend to back away when it is about consequently performing SAP system hardening and security monitoring. Using successfully conducted project with Linde AG as an example, the contributor will show necessary steps do’s as well as don’ts from the practice. This example is suitable to work as a good example in order to provide an orientation for similar projects of other institutions running SAP.

    akquinet

  • Coffee Break

  • Probing SAP E-Recruiting: Learnings from 120 implementations tested for content-related threats

    SAP E-Recruiting is only exemplary for many Internet-accessible SAP applications. Bowbridge probed 120 randomly picked E-Recruiting implementations. In this session, you will learn how attackers can leverage content to attempt to compromize SAP applications or their users.

    Bowbridge

  • 50 ways to start and recover; A recap of 7 years of SAP Security research

    ERP-SEC

  • Lunch Break

  • Protecting SAP HANA: Implementing BIZEC TEC/11

    During this workshop the attendees will review the SAP HANA Platform; its main components, architecture and concepts. Additionally, they will learn the main risks that could affect SAP HANA platforms, aligned with the latest SAP HANA Security standard: BIZEC HANA/TEC11, which provides guidance about the most critical technical risks that could affect systems running on top of SAP HANA. Finally, we will present practical exercises showing the actual risks with examples of exploitation along with how to mitigate them.

    Onapsis

  • HANA APP/11

    This talk will introduce the new BIZEC HANA APP/11. The new BIZEC HANA APP/11 standard comprises the most critical and the most common security defects in SAP HANA applications. You will get an overview how to prioritize a HANA code audit and get guidance which types of security defects should be covered at minimum by an audit.

    Virtual Forge

  • Coffee Break

  • Q&A

    all together

  • Dinner

Agenda Day 2 (13th March)

  • Arrival - Light Breakfast provided

  • Welcome

    all together

  • Exploiting HANA APP/11 custom code vulnerabilities

    This session will help you to understand the risk of the top HANA APP/11 vulnerabilities. Attend to learn how to detect and exploit related custom code defects on the HANA database.

    Frederik Weidemann

  • Coffee Break

  • SAP Content – the immutable threat vector and how to control it: Understanding SAP content-scanning and Virus Scanning interfaces and how to configure them to maximize protection.

    SAP is well aware of security threats related to vectors into the SAP application that cannot be closed - user input and data input. In this session, you will learn about the interfaces and integration options to secure your applications from content-based threats. You’ll discover configuration and policy settings allowing you to ensure only legitimate and secure content is processed by your application and relayed to your users.

    Bowbridge

  • Protecting SAP from one of the most critical risks: Unrestricted Network Access

    SAP Applications are built on top of multiple different (and complex) components. Many of these components do not implement authentication and only rely on network information to authorize the access. Join us on this presentation to learn about the different ACL (Access Control Lists) that are implemented in SAP and how to configure them to properly restrict access and ultimately protect your crown jewels.

    Onapsis

  • Lunch Break

  • SAP Security; Automation in mitigation

    It should be a no-brainer; Today SAP running organizations shouldn’t ask themselves IF they should secure their business-critical SAP systems, but HOW. Risk has increased by internet-connecting SAP landscapes and new laws have been introduced like the EU GDPR. The necessity to improve SAP Security is increased, but hardening SAP landscapes is a tough and time-consuming job that often involves lots of manual labor. Automation is key here. In this presentation we want to demonstrate how the time spend on installing SAP Security notes can be drastically reduced.

    ERP-SEC

  • SSL Hardening of SAP Systems

    • How to implement SSL/TLS based on highest Standards
    • Required systems settings
    • Pitfalls and mitigations

    Akquinet

  • Coffee Break

  • Q&A

    all together

  • End

Speakers

Nahuel D. Sanchez

Security Researcher at Onapsis

Nahuel D. Sanchez is as a security researcher at Onapsis. Being a member of Onapsis Research Labs, his work focuses on performing extensive research of SAP products and components, identifying and reporting security vulnerabilities, attack vectors and advanced exploitation techniques that are applicable to different platforms. Nahuel is one of the most frequent reporter of vulnerabilities in SAP products and is a frequent author of the publication "SAP Security In-Depth". He previously worked as a security consultant, evaluating the security of Web applications and participating of Penetration Testing projects. His areas of interest include Web security, reverse engineering, and the security of Business-Critical applications.

Frederik Weidemann

Head of Consulting at Virtual Forge GmbH

Frederik Weidemann is Head of Consulting at Virtual Forge GmbH with a focus on SAP Security for eight years. He is co-author of the first book on ABAP Security “Sichere-ABAP Programmierung”, by SAP Press and spoke at several SAP and Security related conferences like RSA, OWASP and DSAG. Frederik frequently teaches on secure ABAP programming (course WDESA3) at SAP University in Walldorf and on SAP security for Virtual Forge’s customers. He also writes articles on SAP Security on a regular basis and has found numerous Zero Day defects in Business Software. Frederik holds a German Diploma in Computer Science and scored several Capture-The- Flag hacking contests first or second place during his time in university.

Joerg Schneider-Simon

Chief Technology Officer at bowbridge

With over 20 years of experience in the IT-Security field and over 10 years in the SAP security space, Joerg combines two areas of expertise crucial to securing internet-facing SAP applications from content-based cyber-attacks.

Joris van de Vis

co-founder of ERP-SEC

Joris is co-founder of ERP-SEC, a SAP security focused company based in the Netherlands. He has got extensive experience in the technical and security field of SAP systems. Next to his interest in SAP Coding and SAP Technology, his main interest lies in the field of SAP platform security. He finds challenge in helping business secure their SAP systems and perform SAP security research in his spare time. He reported over 70 vulnerabilities in SAP applications. Joris has got 17 years of experience working for large SAP running companies and government departments.

Ralf Kempf

Managing Director akquinet enterprise solutions GmbH

Ralf has more than 25 years of experience in SAP security , SAP operations and SAP software development.

He is an expert for SAP security analysis, auditing of complex SAP system landscapes incl. penetration tests and has advised numerous companies across Europe on various SAP security and compliance initiatives.

Furthermore, he is the lead architect of akquinet’s SAP Security solutions.

Ralf has a Masters Degree in Computer Science from the University of Applied Sciences in Lüneburg, Germany and is a SAP Certified Technology Consultant.

Frequently Asked Questions

How to get to TROOPERS?
Is there a timetable?
Where can I check my ticket order?
All FAQs