Nicolas Schickert and Tobias Hamann
As organizations increasingly rely on SAP systems to manage critical business processes, the security of these environments is an increasing challenge for companies and has also been recognized by the OWASP Core Business Application Security (CBAS) project. This talk will explore the security of SAP systems from an attacker's perspective, uncovering common vulnerabilities and pitfalls and their respective impact. Drawing from extensive penetration testing experience, this presentation will provide a deep dive into how attackers might exploit SAP vulnerabilities and offer practical guidance on mitigating these threats.
We will begin by highlighting prevalent SAP vulnerabilities discovered during real-world pentesting engagements, covering key attack techniques used against SAP systems that exploit misconfigurations, insecure coding practices, and authentication flaws.
As an example, we will illustrate the configuration options of SNC, the proprietary protocol for transport layer encryption in SAP environments. Using the open-source tool sncscan, security professionals and administrators alike can assess the encryption and signing settings of SAP systems, ensuring the confidentiality and integrity of sensitive data.
The session will also provide actionable guidance on mitigating these vulnerabilities, focusing on best practices and tools that can significantly enhance the security posture of SAP systems. By raising awareness of common vulnerabilities and pitfalls we aim to empower security professionals and SAP administrators to better protect their systems against potential exploitation.
Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/