Caveat Customers

By Larry Barrett  |  Posted 2003-04-07 Print this article Print

A security flaw in a PeopleSoft application may presage more holes in enterprise resource planning software.


Caveat Customers?

Vendors contend it's up to individual customers to secure their systems and disable the functions—which could provide openings to would-be hackers—that they aren't going to use.

"We found that nobody had called our customer service center about this particular problem," says Paola Lubet, vice president of technology marketing at PeopleSoft. "In any case, we offered the information to our customers. But it was pretty much like, 'If you don't want to be burnt, don't pour hot coffee on your knees.' "

That's easier said than done. By tying together supply chain, human resources, finance and customer relationship management functions across an organization, an enterprise's resource planning (ERP) system provides increasingly fertile ground for hackers to try to compromise.

"We believe there are going to be many more examples like this with other ERP applications in the near future," says John Pescatore, a security analyst at Gartner. "Now that the ISSs and other security consultants are turning their attention away from operating systems and to more business applications, I'm sure we'll see more. As more and more applications are getting exposed on the Internet, this is likely to become a much more serious issue."

Neel Mehta, a research engineer at X-Force, Internet Security's research arm, says his group has increased its scrutiny of ERP applications in the wake of the PeopleSoft discovery.

"We can't comment on the specific vendors we're looking into for similar security problems," he says. "But it's safe to say ERP is an area of concern."

X-Force's database of potential security vulnerabilities reported 164 references for Oracle and 10 for SAP in the past year. The common thread: unlocked gateways to data on a server that provides services to Web users; and, functions that aren't turned off when not in use.

Oracle and SAP officials weren't available for comment on how they are addressing security of enterprise software that they market.

Senior Writer
Larry, of San Carlos, Calif., was a senior writer and editor at CNet, writing analysis, breaking news and opinion stories. He was technology reporter at the San Jose Business Journal from 1996-1997. He graduated with a B.A. from San Jose State University where he was also executive editor of the daily student newspaper.

Submit a Comment

Loading Comments...
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.