ERP Vulnerabilities Differ from Those at the Database Level

Friday, May 13, 2011

Alexander Rothacker


In this Q&A, Esteban Martinez Fayo talks about ERP application vulnerabilities and security issues and how they differ from those at the database level.

How much of a target are ERP applications today compared with databases themselves?

There are not many companies focused on ERP security, and not many independent security researchers are dedicated to finding vulnerabilities in ERP software. Databases, on the other hand, have been the target of security researchers and security companies for several years now.

It is important to note that databases are the ultimate goal, whether the attacks come from ERP applications, web applications or some other kind of application, as it is within the databases where the valuable data is stored.

What makes ERP applications attractive and relevant targets?

They are attractive targets because this software is present in all major organizations and across the whole enterprise. It manages all functional areas of an organization. The backend database of these systems usually contains highly sensitive data including customer data and key company secrets, such as the logic for business processes.

Why have ERP vendors not necessarily focused on fixing flaws in these apps?

I think that the main reason why ERP vendors are not focused on fixing security flaws is simply because they haven't seen the need yet. Commercial software vendors (like any other kind of vendor) focus on sales. It is a fact that making a software product more secure generally does not help sales as much as a new feature for the product would.

So, software vendors tend to focus more on new features or customer-reported bugs than on security. This is true unless there is a special need for security, but ERP vendors haven't received much attention from the software security industry and they haven't suffered from a massive attack as databases have, for example, with worms like Slammer.

Do you see Oracle taking more notice of these apps as a risk? Why?

Not quite yet. There is a noticeable increase in the number of vulnerabilities fixed in Oracle ERP software like JD Edwards and PeopleSoft, but I think that this is not enough. They really need to address these vulnerabilities much more quickly than they are doing.

If we look, for example, at the kind of vulnerabilities that were fixed in the April 2011 CPU, there are really serious and scary vulnerabilities. The advisories released by Onapsis (from their vulnerability discoveries) show nothing new or highly advanced with regard to the type of vulnerabilities; on the contrary, these kinds of vulnerabilities are very well known and shouldn't be in a product like an ERP system.

Why do companies tend to overlook these apps security-wise?

Many companies still think information security is only about physical and network perimeter security and overlook application security. They think that by having their servers in physically secured rooms and network firewalls to stop any access from the Internet, they are secure.

This is no longer the case in today's interconnected world with organizations sharing information and processes with customers and partners.

We've not seen any major attacks via these apps as yet. Is it easier or harder to hack one of these apps than a database?

I wouldn't be so sure that there have not been successful attacks via ERP software. Many companies are not willing to disclose the way in which they were breached, and some of them may not even know that they have been breached via the ERP system.

I think that ERP systems today are much easier to hack than a database, because security is much more immature in this kind of software than it is in databases. In the end, ERP systems are yet another way in which attackers can get into a database, so a company breach via ERP systems will most likely include hacking the database as well.

Do you have any other thoughts on ERP security trends?

I think that ERP security will be a major information security topic in the next few years. ERP vendors do not seem to have taken security seriously in the past, and as a result their software contains a surprisingly large number of security issues.

It has happened in the past with Microsoft's Windows and SQL Server; they started to take security seriously when they got media attention from several malicious worms and serious vulnerabilities being exploited in the wild.

Something similar also happened with Oracle Database, with many security researchers claiming that the software was really flawed from a security perspective, and as a result Oracle implemented the regular Critical Patch Updates to address vulnerabilities.

Patching databases is known to be a cumbersome task. Is the challenge similar in ERP apps?

Patching ERP applications is as arduous as database patching, or even worse. ERP software usually contains a lot of modules and software components, which makes patching much more costly.
