SAP applications contain a ton of juicy information, making them a great target for malicious attackers who are after intellectual property, financial statements, credit card data, PII and PHI. Breaching SAP systems opens the door for fraud, sabotage, and industrial espionage.

SAP systems have often organically grown and are hard to update, making them a soft target. What's worse, pentesters are often unfamiliar with SAP infrastructures and how to pentest SAP systems. To help with the latter, Rapid7 is hosting some webcasts to introduce penetration testers to some of the key SAP infrastructure components.

This week, we're hosting two free webcasts for you to consider:

SAP Pentesting: From Zero 2 Hero with Metasploit

Dave Hartley aka @nmonkee has recently contributed a number of SAP modules to the Metasploit Framework. In this technical webinar for penetration testers, he is going to present a brief overview of how these modules can be used to go from Zero to Hero to achieve SAPpwnstar status when assessing or encountering SAP systems during engagements. The webcast will provide a very high level overview of common SAP system vulnerabilities and misconfigurations as well as demonstrating how the Metasploit Framework can be leveraged to quickly and easily exploit and compromise misconfigured/vulnerable SAP systems.

Dave is a Principal Security Consultant for MWR InfoSecurity and has been working in the IT Industry since 1998. Dave is a published author and has presented his research at several international respected security conferences such as 44CON, BSides, Sec-T, ZACON, DeepSec, T2 etc.

There are two showings for this webcast:

Become an SAP Pwn Star: Using Metasploit for ERP Security Assessments

In this technical webinar for penetration testers, Metasploit developers and security researchers Tod Beardsley and Juan Vazquez from the Metasploit team, give an introduction to SAP for penetration testers. The webcast introduces viewers to the most important components of SAP and gives an overview of Metasploit modules for SAP provided by community contributors. The webinar includes a live demo and time for Q&A.

Tod Beardsley is the Engineering Manager at Rapid7 for the Metasploit Project, the world-renowned open source penetration testing platform. He has over twenty years of hands-on security knowledge, reaching back to the halcyon days of 2400 baud textfile BBSes and in-band telephony switching. Since then, he has held IT Ops and IT Security positions in large footprint organizations such as 3Com, Dell, and Westinghouse. Today, he is passionate (some might say militant) about open source software development, open source security research, and data liberation. He can often be found on Freenode IRC and Twitter as "todb."

Our second speaker and international hacker of mystery, Juan Vazquez, has been working as a security consultant on both offensive and defensive tasks since 2006. Juan works on the Metasploit project, dividing his time between writing exploits and helping the Metasploit community with their contributions. Juan started contributing to Metasploit 3 years ago as an open source contributor and joined the Rapid7 team in 2011.

There are two showings for this webcast:

Research Report: SAP Penetration Testing Using Metasploit – How to Protect Sensitive ERP Data

Prefer reading to watching a webcast? Check out this in-depth research paper, which explores a number of methods to exploit vulnerabilities within the SAP enterprise resource planning (ERP) system. These methods have been implemented and published in the form of more than 50 modules for Metasploit, a free, open source software for penetration testing.The modules enable companies to test whether their own systems could be penetrated by an attacker.

Download SAP Research Report here