Assessing Business-Critical Systems: Attack & Secure SAP Platforms - 2019 Edition

77% of the world’s revenue transactions are processed by an SAP application. Even knowing that, organizations still rely on traditional SAP security methods like Segregation of Duties to secure these critical applications. During this training you’ll have the opportunity to role play to understand both the attacker’s and the defender’s points of view. First, we’ll put ourselves in the shoes of an attacker who wants to gain access to the most critical systems of any company, its SAP applications. You’ll learn about the types of weaknesses that could affect these systems, potentially going from no access to full access, discovering, assessing, attacking and exploiting them in a guided Capture the Flag style. In parallel, you’ll play the defender’s role, understanding key concepts and learning how to properly protect and secure these applications from the most common and emerging threats attackers are using.

Have you ever considered how critical SAP applications are for your organization? These applications are typically connected to many other systems and therefore could be exploited or attacked in a number of different ways. Traditionally, most of these applications are out of scope of regular penetration tests. Have you ever wanted visibility into what’s stored in those complex systems that are so critical that no one wants to touch them? Have you noticed SAP security patches are usually applied late and sometimes not at all? Do you want to illustrate the business risk of this to the organization? If so, this course is for you! During this training we’ll do a deep dive into the “business-critical applications” world of a typical company. You’ll learn the basic concepts needed to understand and test a variety of attacks against these systems and how to secure them. This course is designed to show you how an attacker could find, assess and exploit these systems. You’ll learn it in a hands-on way, playing the attacker’s role. Later, you’ll be in the defender’s trench, learning how to secure and protect the systems you previously exploited, in a guided Capture The Flag style activity. Additionally, this will include exercises and live demonstrations. After completing this training, you will be well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know the best practices to effectively mitigate them, proactively protecting your business-critical platforms.


  • General knowledge of Information Security

  • Basic knowledge of Networking

  • Previous SAP expertise is welcome but NOT required!


  • Laptop with permissions to install software

  • SAP GUI should be installed on the laptop

  • SSH client should be installed on the laptop (such as PuTTY)

About the Speakers