January 16-19, 2011 talk at BlackHat DC, USA: “Forgotten World – Corporate Business Application Systems” by Alexander Polyakov
Palo Alto, CA – January 16-19, 2011. Alexander Polyakov, CTO of ERPScan, together with Val Smith from AttackResearch, spoke at the BlackHat DC conference.
Do you know where all of your company's critical data is stored? Do you know how easily cybercriminals targeting that data can attack you? How can an attacker sabotage or commit espionage against your company with access to just one system? This talk described basic and advanced threats and attacks against Enterprise Business Applications, which are the core of many companies.
The talk provided the latest information on business application security and the ways attackers can gain access to critical business data, steal money, or disable technological corporate networks such as SCADA by using vulnerabilities and misconfigurations in the architecture of business applications. Alexander showed examples from various business applications, both custom ones and the more popular ones such as SAP and JD Edwards, along with previously unknown vulnerabilities and attack methods that can be exploited not just to pop a shell, but to gain unauthorized access to business-critical data. These attack methods can also be useful in penetration tests against ERP systems. Many of the problems shown cannot be easily patched, because they are design flaws or business logic problems that require a redesign of the system.