Caveat Customers?

Vendors contend it's up to individual customers to secure their systems and disable the functions—which could provide openings to would-be hackers—that they aren't going to use.

"We found that nobody had called our customer service center about this particular problem," says Paola Lubet, vice president of technology marketing at PeopleSoft. "In any case, we offered the information to our customers. But it was pretty much like, 'If you don't want to be burnt, don't pour hot coffee on your knees.' "

That's easier said than done. By tying together supply chain, human resources, finance and customer relationship management functions across an organization, an enterprise's resource planning (ERP) system provides increasingly fertile ground for hackers to try to compromise.

"We believe there are going to be many more examples like this with other ERP applications in the near future," says John Pescatore, a security analyst at Gartner. "Now that the ISSs and other security consultants are turning their attention away from operating systems and to more business applications, I'm sure we'll see more. As more and more applications are getting exposed on the Internet, this is likely to become a much more serious issue."

Neel Mehta, a research engineer at X-Force, Internet Security's research arm, says his group has increased its scrutiny of ERP applications in the wake of the PeopleSoft discovery.

"We can't comment on the specific vendors we're looking into for similar security problems," he says. "But it's safe to say ERP is an area of concern."

X-Force's database of potential security vulnerabilities reported 164 references for Oracle and 10 for SAP in the past year. The common thread: unlocked gateways to data on a server that provides services to Web users; and, functions that aren't turned off when not in use.

Oracle and SAP officials weren't available for comment on how they are addressing security of enterprise software that they market.