SAP Security Trainings

Interest in SAP security is growing exponentially, and the numerous attacks play a significant role in driving this interest. Take, for example, the recently revealed breach of the SAP system of the government contractor USIS.

Big Four companies such as Deloitte, PwC, KPMG and EY, together with managed security providers, offer multiple SAP cyber security services; penetration testing and security assessment are the most widespread among them.

It became a common practice among Fortune 100 companies to include SAP security services in their budget plans.

“There is an increasing focus on ERP systems as weak points to hack into firms’ supply chain.” – Bob Tarzey, Analyst and Director, Quocirca, a UK-based analysis firm.

Program overview

Introduction to SAP

  • Why should we care;
  • History of SAP security;
  • SAP Security Features;
  • SAP Risks;
  • Current situation in SAP security;
  • SAP attacks and incidents;
  • Methodologies for ERP/SAP security assessment (EAS-SEC).

Client-Side Security

  • History;
  • Security overview;
  • Attacking ActiveX components;
  • GUI scripting attacks;
  • Collecting critical data;
  • Advanced attack combinations and Trojans;
  • Latest issues;
  • Defense.

Authorizations and SOD

  • Authorization concept;
  • Problems of SAP tools for checking authorizations;
  • Critical transactions;
  • Critical reports;
  • Access to OS;
  • Access to tables;
  • Segregation of Duties (SoD).

SAP Mobile Platform

  • History;
  • Security overview;
  • SAP Mobile Platform (SMP);
  • SAP Afaria;
  • Latest issues;
  • Defense.

Network level SAP Security

  • Open ports;
  • Protocol security;
  • Trusted systems;
  • Securing network.

SAP HANA

  • History;
  • Security overview;
  • HANA Database;
  • HANA XS application server;
  • Latest issues;
  • Defense.

SAP Business Objects

  • History;
  • Security overview;
  • Latest issues;
  • Defense.

Securing SAP

  • Penetration testing and audit;
  • Compliance (SAP Guides, DSAG, PCI, EAS-SEC, ...);
  • Access control and SoD;
  • Code security;
  • Log management and threat protection.

ABAP Code Security

  • ABAP Intro;
  • Introduction to ABAP code security;
  • EAS-SEC for code issues (Top 9 code issues);
  • Secure development;
  • Improper authorization;
  • ABAP/SQL injections;
  • Access to OS/traversals;
  • Generic calls;
  • Backdoors;
  • Defense.

NetWeaver Application Server JAVA

  • History;
  • Security overview;
  • Visual Admin;
  • Web applications;
  • SAP Portal;
  • SAP SDM;
  • SAP Logviewer;
  • Latest issues;
  • Defense.

JAVA Code Security

  • JAVA Intro;
  • Introduction to JAVA code security;
  • EAS-SEC for code issues (Top 9 code issues);
  • Secure development;
  • SQL injections;
  • Access to OS/traversals;
  • WEB.XML issues;
  • Defense.

NetWeaver Application Server ABAP

  • History;
  • Security overview;
  • SAP Gateway;
  • SAP Message Server;
  • SAP Dispatcher;
  • SAP ICM;
  • SAP ITS;
  • SAProuter;
  • SAP HostControl;
  • Other services;
  • Latest issues;
  • Defense.

OS Level SAP Security

  • SAP-specific OS vulnerabilities;
  • Critical SAP data in OS;
  • From OS to SAP;
  • From SAP to OS;
  • Securing OS.

Database Level SAP Security

  • Critical database data;
  • Attacking database;
  • From database to SAP;
  • From SAP to database;
  • Securing database.

Our speakers

Dmitry Chastuhin

Dmitry is head of security consulting at ERPScan. He works with SAP security, particularly with web applications: JAVA, HANA and Mobile solutions. He started his career as a security engineer in a leading IT security company in 2010. He regularly receives official acknowledgements from SAP for the vulnerabilities he discovers. Dmitry is also a Web 2.0 and social network security geek and a bug researcher who has found several critical bugs in Google, Nokia and Badoo. He is a contributor to the EAS-SEC project. He has spoken at the following conferences: BlackHat, Hack in the Box, DeepSec and BruCON.

Mathieu Geli

Mathieu Geli is a former IT security consultant. In the past he was in charge of forensics tasks, malware detection and analysis, and he has a strong background in log analysis in heterogeneous environments. He is now focusing on SAP security research and threat intelligence at ERPScan.

How can we help?

These industry-renowned experts will give you clear insights into the current posture of SAP security and teach you everything you need to know about penetration testing, security assessment and other related services.

Our trainings are customizable in accordance with our clients’ needs; we normally adjust the level of detail and the technical aspects to what you want to go into. The course includes live demos and hands-on exercises to provide you with an in-depth understanding of a typical SAP system architecture and its components.

It covers SAP Gateway, Message Server, RFC security, ITS, ABAP code vulnerabilities, JAVA engine attacks, authorizations, database security and SAP GUI security.

We will show you how to assess SAP system security from a 360-degree perspective and delve into the steps to be taken to remediate and secure your system.

You will learn:

  • How to secure SAP systems from cyber attacks and internal fraud;
  • How to develop the action plan for your organization;
  • Practical experience from world-renowned experts.


  • Half-a-day of introduction to SAP systems;
  • 2-day in-depth hands-on training.