Amsterdam, Netherlands - May 19-22, 2015. Alexey Tyurin, Head of Penetration Testing at ERPScan, and Dmitry Chastuhin, Director of Security Consulting at ERPScan, conducted a training titled "Enterprise Business Application Security: Attack and Defense" at AppSecEU 2015.
This training covered basic and advanced areas of ERP and business application security. The researchers described the architecture of typical business application systems and how each component of those systems can be penetrated. The course included live demos and hands-on exercises covering business applications from vendors such as SAP, Oracle and Microsoft.
The dependence of big businesses on enterprise business applications is greater than ever before. These enormous systems store and process all of a company's critical data. Any information an attacker might want, whether a cybercriminal, an industrial spy or a competitor, is stored here: financial data, customer and public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and insider embezzlement are a reality today, and for an attacker, what can be more effective than targeting a victim's business application systems and inflicting severe damage? These applications may be of different types, such as ERP, CRM, SRM, XI, BI, ESB and others. Some of them store data, and some, such as an Enterprise Service Bus, transfer critical data.
Unfortunately, there is a lack of information about the security of those systems, both about how to break them during penetration tests and about how to configure them securely. Most public research has focused on SAP ERP applications, but Alexey and Dmitry also covered other software such as Oracle PeopleSoft, Oracle EBS, Oracle JD Edwards, Microsoft Dynamics, etc.