More ERP Problems Ahead?
By Larry Barrett | Posted 2003-04-07
A security flaw in a PeopleSoft application may presage more holes in enterprise resource planning software.
"I'm wondering just how much we'll hear about other ERP security problems down the road mainly because they're not as widely deployed as, for example, a Windows operating system," says Johannes Ullrich, a data specialist for Bethesda, Md.-based System Administration and Network Security (SANS). "A lot of these exploitations will be handled under wraps. If a competitor has access to your ERP applications, they pretty much know everything about your company."
In February, the British security firm Next-Generation Security Software discovered significant flaws in Oracle's latest database software release, including four critical buffer overflows in Oracle 9i Release 2. A buffer overflow occurs when an application does not handle memory correctly, writing more data into a buffer than it was allocated to hold. By triggering a buffer overflow, a hacker can alter the application's execution or inject code of his own into the running program.
Mehta says ISS will be posting notices of other vulnerabilities in other enterprise applications. In the meantime, technology executives should look at their applications and identify functions that either run by default or can be accessed from the Internet. Information systems administrators also face the challenge of "bulletproofing" the system against default settings that could expose their data in the highly likely event that other coding flaws exist in software that interacts with their Web server.
Pescatore says the software vendor is largely to blame. "It's really a case of sloppy programming by the vendor," says Pescatore. "As we've seen with Microsoft, if customers do enough complaining the vendor will have no choice but to improve the security by eliminating some of these default settings."
Microsoft, which has long been berated for buggy code and security flaws in both its operating system software and its servers, has already announced that the next version of its SQL data server, "Yukon," will by default disable all public access to "tables," where rows and columns of information are kept.
"This is the type of thing Oracle and PeopleSoft and SAP are going to have to start doing if they're ever going to get companies to spend the money on upgrades or to invest in an ERP system in the first place," Pescatore says.
Rick Beers, director of supply chain technology at Corning Inc., says the complexity of installing, maintaining and securing enterprisewide applications across his company's technology architecture makes the process of discovering and patching security holes daunting.
"We have 19 different production incidents of PeopleSoft running here and while we've seen some improvement in the way PeopleSoft informs us about these issues, there's a lot of room for improvement," Beers says. "It's no secret that there are still fundamental flaws in the delivery of software in the ERP industry."
Companies will now have to get vigilant about protecting their enterprises from infiltration, as they conduct more and more business with customers and partners over the Web. SANS' Ullrich notes that "anytime you take code written for a semi-controlled internal environment and expose it to the public at large, you're going to get hackers trying to attack it."
But even alert organizations won't be able to anticipate each and every contingency created when a company integrates and manages all of its crucial business processes over the Internet.
"As we deploy, we're going to find out" what the holes are, says Ben Golub, senior vice president, security division, at Verisign in Mountain View, Calif. "We don't find out until we deploy."