SAP Security Training
At RedRays, we specialize in SAP penetration testing, hybrid testing, and SAP vulnerability assessments. Now, we’re offering our expertise to you through comprehensive SAP security training programs. Whether you prefer online or on-site learning, we have the perfect solution for your team.
Each day of training lasts 6 hours, and after the main sections, there is a Q&A session.
Our SAP Security Training Options
We offer two training options to meet the needs of different professionals:
Option 1: Intensive Advanced Training (2 Days)
This option is designed for security professionals already familiar with SAP who wish to deepen their knowledge and skills in SAP security.
Training Outline
- Day 1
- 1.1. What is Our Threat Model
- 1.2. Vulnerability Assessment vs. Penetration Testing vs. Threat Modeling
- 1.3. Analyzing Potential Attack Vectors Based on OWASP TOP 10
- 1.4. Attacks on SAP AS ABAP
- 1.4.1. Attack Vectors and Defense Mechanisms in Debug Mode
- 1.4.2. Attacks on SAP_ALL and Mitigation Strategies
- 1.4.3. Password Brute-Force: Attack Vectors and Protection
- 1.4.4. RFC Vulnerabilities and How to Prevent Them
- 1.4.5. Attacks via RFC Proxy
- 1.4.6. Critical Transactions: Threats and Defenses
- 1.4.7. SAP SSFS Vulnerabilities
- 1.4.8. Attacks on SAP Operating System
- 1.4.8.1. Privilege Escalation Using OS Vulnerabilities
- 1.4.8.2. Privilege Escalation Through SAP Processes
- 1.4.8.3. Extracting Secrets Using Wireshark
- 1.4.9. Vulnerabilities in SAP Enqueue Server
- 1.4.10. Attacks on SAP Message Server
- 1.4.11. Practical Examples of Common Vulnerabilities
- Day 2
- 2.1. Attacks on SAP AS JAVA
- 2.1.1. Analyzing SAP Traffic with Wireshark
- 2.1.2. File Upload Vulnerabilities
- 2.1.3. Attacks Through Proxy Servers
- 2.1.4. Privilege Issues and Their Solutions
- 2.1.5. Vulnerabilities in RFC Connections
- 2.1.6. Attacks via RMI/P4
- 2.1.7. Practical Examples of Common Vulnerabilities
- 2.2. Attacks on SAP Cloud Connector
- 2.2.1. Vulnerabilities in Logs
- 2.2.2. File Execution and NTLM Hijacking
- 2.2.3. SAP Cloud Connector SSFS Vulnerabilities
- 2.3. Overview of SAP Patches
- 2.3.1. Reverse Engineering SAP Patches for ABAP
- 2.3.2. Reverse Engineering SAP Patches for JAVA
Option 2: Comprehensive Training for Beginners (3 Days)
This training is suitable for professionals with no prior knowledge of SAP. It covers SAP fundamentals and advances to in-depth security concepts, ensuring a solid foundation and advanced skills in SAP security.
Training Outline
- Day 1: Introduction to SAP
- 1.1. What is SAP
- 1.2. List of SAP Systems
- 1.3. Tools and Software
- 1.4. SAP Ports and Services
- 1.5. SAP Instances and Clients
- 1.6. Common OWASP Vulnerabilities
- 1.7. Segregation of Duties (SoD) in SAP
- 1.8. Basics of Working with SAP
- 1.9. SAP ABAP Architecture (RFC, Profile Parameters)
- 1.10. SAP GUI
- 1.11. Critical Transaction Codes and Their Security Implications
- 1.12. AS JAVA Architecture
- 1.13. Connecting to SAP NW AS JAVA
- 1.14. JAVA Components (RMI, RFC)
- 1.15. S/4HANA Architecture
- 1.16. Basics of Working with S/4HANA
- Day 2: SAP Security Concepts and Attack Vectors
- 2.1. What is Our Threat Model
- 2.2. Vulnerability Assessment vs. Penetration Testing vs. Threat Modeling
- 2.3. Analyzing Potential Attack Vectors Based on OWASP TOP 10
- 2.4. Attacks on SAP AS ABAP
- 2.4.1. Attack Vectors and Defense Mechanisms in Debug Mode
- 2.4.2. Attacks on SAP_ALL and Mitigation Strategies
- 2.4.3. Password Brute-Force: Attack Vectors and Protection
- 2.4.4. RFC Vulnerabilities and How to Prevent Them
- 2.4.5. Attacks via RFC Proxy
- 2.4.6. Critical Transactions: Threats and Defenses
- 2.4.7. SAP SSFS Vulnerabilities
- 2.4.8. Attacks on SAP Operating System
- 2.4.8.1. Privilege Escalation Using OS Vulnerabilities
- 2.4.8.2. Privilege Escalation Through SAP Processes
- 2.4.8.3. Extracting Secrets Using Wireshark
- 2.4.9. Vulnerabilities in SAP Enqueue Server
- 2.4.10. Attacks on SAP Message Server
- 2.4.11. Practical Examples of Common Vulnerabilities
- 2.5. Attacks on SAP AS JAVA
- 2.5.1. Analyzing SAP Traffic with Wireshark
- 2.5.2. File Upload Vulnerabilities
- 2.5.3. Attacks Through Proxy Servers
- 2.5.4. Privilege Issues and Their Solutions
- 2.5.5. Vulnerabilities in RFC Connections
- 2.5.6. Attacks via RMI/P4
- 2.5.7. Practical Examples of Common Vulnerabilities
- 2.6. Attacks on SAP Cloud Connector
- 2.6.1. Vulnerabilities in Logs
- 2.6.2. File Execution and NTLM Hijacking
- 2.6.3. SAP Cloud Connector SSFS Vulnerabilities
- Day 3: Advanced Security Techniques and Patch Management
- 3.1. Overview of SAP Patches
- 3.2. Reverse Engineering SAP Patches for ABAP
- 3.3. Reverse Engineering SAP Patches for JAVA
Training Highlights
- Comprehensive understanding of SAP systems and architectures
- Hands-on experience with SAP security tools and techniques
- Identification and mitigation of common and advanced SAP vulnerabilities
- Strategies for securing SAP landscapes against various threat models
- Knowledge of SAP patch management and reverse engineering
- Preparation for real-world security challenges in SAP environments
Why Choose RedRays for Your SAP Security Training?
- Training led by Vahagn Vardanyan, a recognized expert in enterprise application security
- Hands-on exercises with real-world scenarios and labs
- Access to exclusive scripts and tools used by RedRays professionals
- Flexible learning options: online or on-site
- Small class sizes for personalized attention
- Up-to-date content covering the latest SAP security threats and best practices
Ready to Secure Your SAP Environment?
Empower your team with the knowledge and skills they need to protect your critical SAP systems. Contact us today to learn more about our training programs or to schedule a session for your organization.