A false sense of security: Looking to the SAP environment from an attacker

For several years, the auditing and IT security industries have considered the deployment of Segregation of Duties (SoD) to be sufficient to enforce security in an SAP environment. Therefore, many SAP professionals refer to the term ‘security’ as the processes of creating and managing roles and profiles to restrict user activities over business information. These kinds of controls are important for the overall level of security in an SAP landscape. However, despite of the ongoing media attention to cyber security, corporate data security breaches, as well as increased government and industry scrutiny (compliance), there are many other security threats that are often not properly addressed.

By addressing different security threats, we would like SAP security related issues to be on the agenda at board level. We would also like customers and consultants to conceive security not merely as the deployment of Segregation of Duties.

During this session, multiple security aspects within SAP will be examined by looking to the SAP environment from an attacker’s perspective. The identified security vulnerabilities and attack paths will be demonstrated and exploited in a SAP Internet Demonstration and Evaluation System.