
SAP Security Myths: Unveiling Real Attack Vectors #shorts

BSides Frankfurt · 2:18 · 589 views · Published 2026-03
About this talk
Common SAP security myths are revealed. Discover why '0 Trust' isn't a product, the risks of standard passwords, and why controls are vital across all SAP environments, not just production. #SAPSecurity #Cybersecurity #Infosec #0Trust #EnterpriseSecurity
Transcript [en]

Can you imagine how impressive SAP's attack vector is? To give you the background: I come from a cybersecurity blue and red team. I went into SAP security around 5-6 years ago, and I tell you, what I found (Julian has been doing it for years) is that the same things that existed before I jumped in still exist. Standard users still exist with standard passwords; I'm just giving you an example here. Anyway, some myths around SAP which I always like to showcase. Zero trust. Where is the gentleman? What Aaron showed us about zero trust, that's zero trust.

So, for SAP, zero trust is not a product. Please don't believe SAP people when they tell you zero trust is a product. It's not a product. While identity and access management and authorization is really a big thing around SAP, it's not the only thing. Coming into this domain, I've seen that when we talk about SAP security, they only talk about the IAM and authorization guys. They miss out on the other interfaces. They miss out on the entire environment. They miss out on the network. They're really isolated, sitting somewhere fancy. They're not like IT administrators in a bunker somewhere. They have budgets, really huge budgets, when it comes to SAP. So they are stuck somewhere doing IAM and authorization, and they miss out on everything else.

One other thing companies do is enforce some controls only on the production system. And there are a lot of staging levels for an SAP system: you can imagine going from a development stage to an acceptance stage to a regression stage. And yeah, we don't have to put controls there; we keep it a flat network, no network segmentation. Amazing. But we should protect only the production environment. So the SAP Basis team takes care of security.
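The two myths in the talk (controls only in production, standard users left with standard passwords) translate into a simple landscape-wide baseline check. The following Python script is an added illustration, not code from the talk or from SAP: it applies the same baseline to every tier of a constructed sample landscape and shows where the non-production tiers fall short of production. The account names SAP* and DDIC are well-known SAP standard accounts; every field name in the inventory (tier, isolated_zone, standard_accounts, password_changed, locked) is an assumption of this example, not an SAP setting.

```python
"""Landscape-wide SAP baseline check (added illustration, not from the talk).

The same controls must hold in every tier of the SAP landscape (development,
acceptance, regression, production), not only in production, and well-known
standard accounts must not keep their standard passwords.

The inventory below is constructed sample data. SAP* and DDIC are well-known
SAP standard accounts; the inventory field names are assumptions of this
example and do not correspond to SAP configuration parameters.
"""
from dataclasses import dataclass, field

TIERS = ("development", "acceptance", "regression", "production")


@dataclass
class StandardAccount:
    name: str
    client: str
    password_changed: bool   # standard password has been replaced
    locked: bool             # account is locked because it is not needed


@dataclass
class SapSystem:
    sid: str
    tier: str
    isolated_zone: bool      # own network segment, not part of a flat network
    standard_accounts: list = field(default_factory=list)


def evaluate_system(system):
    """Return the baseline violations for one system; the tier is not a factor."""
    findings = []
    if system.tier not in TIERS:
        findings.append(f"{system.sid}: unknown tier {system.tier!r}")
    if not system.isolated_zone:
        findings.append(f"{system.sid} [{system.tier}]: not network-segmented")
    for acct in system.standard_accounts:
        # A standard account is acceptable only if its password was changed
        # or it is locked; anything else is a finding in every tier.
        if not (acct.password_changed or acct.locked):
            findings.append(f"{system.sid} [{system.tier}] client {acct.client}: "
                            f"standard user {acct.name} still has its standard password")
    return findings


def evaluate_landscape(systems):
    """Apply the same baseline to every tier and group the findings per tier."""
    report = {tier: [] for tier in TIERS}
    for system in systems:
        report.setdefault(system.tier, []).extend(evaluate_system(system))
    return report


def tiers_weaker_than_production(report):
    """Tiers that carry findings while production is clean: the 'prod only' myth in numbers."""
    return [t for t in TIERS
            if t != "production" and report[t] and not report["production"]]


# Constructed sample landscape: production is hardened, the other tiers are not.
SAMPLE_LANDSCAPE = [
    SapSystem("DEV", "development", isolated_zone=False, standard_accounts=[
        StandardAccount("SAP*", "000", password_changed=False, locked=False),
        StandardAccount("DDIC", "000", password_changed=False, locked=False),
    ]),
    SapSystem("QAS", "acceptance", isolated_zone=False, standard_accounts=[
        StandardAccount("SAP*", "000", password_changed=True, locked=True),
        StandardAccount("DDIC", "100", password_changed=False, locked=False),
    ]),
    SapSystem("REG", "regression", isolated_zone=True, standard_accounts=[
        StandardAccount("DDIC", "000", password_changed=True, locked=False),
    ]),
    SapSystem("PRD", "production", isolated_zone=True, standard_accounts=[
        StandardAccount("SAP*", "000", password_changed=True, locked=True),
        StandardAccount("DDIC", "000", password_changed=True, locked=False),
    ]),
]

if __name__ == "__main__":
    report = evaluate_landscape(SAMPLE_LANDSCAPE)
    for tier in TIERS:
        print(f"{tier}: {len(report[tier])} finding(s)")
        for finding in report[tier]:
            print("  -", finding)
    print("tiers weaker than production:", tiers_weaker_than_production(report))
```

On the sample data the development tier yields three findings (no segmentation, SAP* and DDIC with standard passwords), acceptance yields two, and regression and production are clean, so the report names development and acceptance as the tiers where an attacker would find the controls that production enforces missing. The point of the design is that `evaluate_system` never looks at the tier when deciding what counts as a violation; the tier only labels the result.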