Meet Onapsis Executives

Mariano Nunez

CEO & Co-Founder

Juan Perez-Etchegoyen

Chief Technology Officer

Ashish Larivee

Chief Product Officer


JULY 24-25

ERP Security:
Assess, Exploit and Defend SAP Platforms



Your SAP platform contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, many are still prone to SAP-specific vulnerabilities that expose their business to espionage, sabotage and financial fraud risks.

This course empowers Security Managers, Internal/External Auditors and InfoSec Professionals to assess their SAP platforms for platform-specific vulnerabilities, exploit them to better understand the involved business risk and mitigate them holistically.

This course provides the latest information on SAP-specific attacks and protection techniques. After an introduction to the SAP world (previous SAP expertise is NOT required), you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps.

You will understand why even strict user roles and profiles are not enough to protect an SAP system, and how malicious attackers could break into the systems anonymously, even without having a valid user. With a strong focus on the SAP application layer, you will learn the key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP Web Applications (Enterprise Portal, Web Application Server), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, SAP malware, ABAP vulnerabilities, the new SAP HANA Database, SAP Cloud solutions and much more!

You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our labs using open-source and free tools, such as Bizploit, the first open-source ERP Penetration Testing framework.

After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know the best practices to effectively mitigate them, proactively protecting your business-critical platform. Previous SAP expertise is NOT required!


The Evolution of SAP HANA Security

Pablo Artuso
Security Researcher - ONAPSIS


SAP HANA is considered by SAP to be the most important technology among its offerings, including S/4 HANA, HANA Cloud Platform and other products, which rely heavily on its power to process big data at a fast pace.

It has already been adopted by more than 7,200 customers worldwide, including governments and aerospace and defense, automotive and healthcare companies, to name a few. Conceived and designed to be the underlying database for every future SAP System, it stores all business-critical information that keeps a company running.

Over the past few years, SAP has included new features in SAP HANA to fulfill its customers' business needs. However, as a result, these features have increased the platform's attack surface.

During this presentation, we'll analyze the evolution of SAP HANA security from its beginning to its latest version, 2.0, which was recently released. Attendees will understand how the platform evolved through architectural changes and vulnerability patch management. This presentation will cover the process of vulnerability discovery and evaluation of fixes, including some of the critical bugs uncovered by our research team.

Finally, we will share our recommendations for how organizations can protect their SAP HANA platform against attackers, and will provide guidelines for effectively auditing and assessing SAP HANA systems.