Welcome to the Fundamentals of Assessing Security Controls and the Security Posture of SAP Systems

Finally, a course to demystify SAP for security professionals! In this live online training, penetration testers and application security experts take a boot-camp-style deep dive into the security traits of SAP technology and of the organizations and processes that run it. After an extensive four-day training, you can organize, plan and conduct gray-box assessments of critical SAP business applications that result in a comprehensive description of the security posture of an SAP system. You will learn how to perform vulnerability assessments, code security reviews, access audits, penetration tests, and red-team engagements in an SAP landscape, and how to provide crystal-clear findings and recommendations that SAP organizations can relate to. This training is hands-on, structured with a mix of exercises, demonstrations and coaching. New knowledge and skills become directly applicable and easier to recall later. Access to a practice lab along with a ready-to-use set of SAP-specific and agnostic assessment tools provides you with a boilerplate for your future tool chain and SAP security intelligence sources.

A Taste of What You Will Learn:

  • Learn how to conduct a comprehensive reconnaissance for SAP software installations on the internet or in a corporate network environment to identify targets and understand network protection measures.
  • Understand common security issues related to the typical use of SAP business software applications to create more specific and practical advice to remediate or mitigate identified vulnerabilities.
  • Identify common vulnerabilities caused by insufficient hardening of SAP system components or their interaction and how they can be used to compromise a system completely.
  • Learn the security traits of some SAP proprietary remote protocols and how an attacker can leverage them for lateral movement and exploitation.
  • Take a journey through the typical roles in an SAP IT department to understand their security responsibilities and conflicts of interest, so you can ask the right stakeholders for the information or support an assessment requires, or exploit the organization's processes and traits like attackers do.
  • Gain practical experience in identifying vulnerabilities and proving their exploitability without causing business disruption, so you can implement a safe approach to assessing the security state of your SAP environment.
  • Understand the different options on how to defend an SAP system against the most common attacks and adversarial techniques by putting SAP-specific and agnostic protective measures in place.

Course Information

  • Number of Modules: 32
  • Duration: 4 full days, 36 hours total (8:00 - 17:00 CET)
  • Class Size: 7-14 participants per class
  • Investment: 3,200 EUR per person, taxes excluded
  • Software Version: Unrestricted
  • Instructor: Marco Hammel, Waseem Ajrab
  • Security Skill Matrix: IYPT-IPAC

Days Covered in Online Class

  1. SAP Technology Fundamentals for Cybersecurity Professionals
  2. Overview of the Security Systems in SAP Solutions
  3. Common Security Flaws of SAP Applications and Systems
  4. Common Security Flaws of an SAP System Landscape and Operations

*NO MONKEY SAP Security training content is referenced to existing standards for application security such as OWASP, NIST, and SAP recommendations.

Who’s a Good Fit

IT Security

  • Penetration Tester or Red Teamer
  • Application Security Expert
  • Blue Teamer
  • IT Security Auditor

NIST/NICE Cybersecurity Workforce Framework Work Roles

(SAP) Secure Software Assessor (SP-DEV-002)
SAP Security Control Assessor (SP-RSK-002)

Who Else Might Be A Good Fit

If you have a traditional background in SAP operations and database administration and want to get into cybersecurity, this course is a great fit to help you expand your existing skills with a security point of view.

Prerequisites

Mandatory

  • Good knowledge of network security architecture concepts, including topology, protocols, components, and principles (e.g., application of defence-in-depth)
  • General understanding of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA])
  • General knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model)
  • Good understanding of penetration testing principles, tools, and techniques
  • Common understanding of common security controls related to the use, processing, storage, and transmission of
  • Good understanding of typical application security risks (e.g., Open Web Application Security Project Top 10 list)
  • Familiarity with command line applications and Unix shells

Recommended

  • Ability to conduct vulnerability scans and recognize vulnerabilities in security systems
  • Familiarity with applying confidentiality, integrity, and availability principles
  • Good understanding of how to discern the protection needs (i.e., security controls) of information systems and networks
  • Familiarity with conducting application vulnerability assessments
  • Ability to interpret vulnerability scanner results to identify vulnerabilities

Helpful

  • Fundamental knowledge about how to determine how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes
  • You know how to perform a target system analysis
  • General understanding of the meaning and use of critical SAP applications

Practice Environment Tools

For this course you will practice in a lab environment hosted by us. The lab provides access to an SAP S/4HANA© landscape consisting of two stages and an SAP NetWeaver© Java application server. You access the environment through a virtual desktop system with all necessary tools pre-installed.

In addition, you will need:

  • HTML5-ready browser, preferably Edge, Chrome, or Firefox
  • (Optional) Zoom client

Reach out to us to book a training for you or your team!

Read Our Customer Success Story

"Let me first say that I had some previous contact with other SAP-related trainings, but this one was by far the best. One can clearly see that you are a knowledgeable trainer with a wide array of expertise, willing to sidetrack interesting topics as they arrive."

Alexander Meier, Team Lead SAP Security Services at SEC Consult

Security is Culture!