Although we knew good tools such as Sapyto, a framework for auditing SAP systems that we had already talked about in the community, and an excellent talk given by Mariano Nuñez Di Croce, its creator, where he talks about pentesting to SAP systems, we still did not find a methodology to follow, so we decided to ask on Twitter if anyone knew any methodology to perform a pentest in SAP systems and the answer was so good that it gave rise to the creation of this post, where we intend to gather in one place, the best resources you may need when you perform an audit of SAP systems.
The first resource that I share with you is Mariano Niñez's talk on Pentesting in SAP Systems:
In the contributions they made to us is the Security Guide for SAP NetWeaver systems, but also some guidelines to audit SAP ECC created in 2009 by Nishant Sourabh an IBM employee, which were just what we needed:
But also documentation created by SAP itself with guidelines to audit SAP R/3 that will help us a lot in the task of auditing SAP systems.
In Spanish we find a portal dedicated entirely to SAP security called SeguridadSAP.com, which we totally recommend from The DragonJAR Community, we also thank Space Cowboy (@EspeisCouboi) and Alberto Hil (@bertico413), for their collaboration.
If you have more contributions in this matter leave them in the comments, so that together we build a good list of resources to audit SAP systems.
Author: DragoN
Source: DragonJAR
