SAP Penetration Testing & Defense In-Depth presented at SEC-T 2008

by Mariano Croce (Cybsec)

Tags: SAP Security

Summary: While there is plenty of publicly available information on how to assess and secure operating systems, databases, wireless devices and Web applications, the security of enterprise applications is still taking baby steps.
If you are a professional pentester and are required to run an SAP security assessment, where would you start? nmap? Nessus? And after that? SAP systems are complex, running many applications and interfaces. Therefore, the assessment of these systems requires specific techniques and tools.
In this talk you will learn how to start an SAP pentest, and what and where to look for. You will look into the whole process, from the information discovery stage to the exploitation phase, live demos included! Moreover, you will learn how to use sapyto, the first open-source SAP pentesting framework, which will help you with your SAP security assessments.
On the other hand, if you are a security administrator you *MUST* know how to protect the systems storing and processing your critical business information, being aware of the insecure default configurations that will render your systems vulnerable, as well as the current and future attacks that will try to exploit them.
The talk will detail the ways in which you can protect yourself against potential attackers, helping you to increase the security level of your SAP installation and protect your business.

Mariano Croce: Security consultant