?"> Caveat Customers? Vendors contend its up to individual customers to secure their systems and disable the functionswhich could provide openings to would-be hackersthat they arent going to use.Thats easier said than done. By tying together supply chain, human resources, finance and customer relationship management functions across an organization, an enterprises resource planning (ERP) system provides increasingly fertile ground for hackers to try to compromise. "We believe there are going to be many more examples like this with other ERP applications in the near future," says John Pescatore, a security analyst at Gartner. "Now that the ISSs and other security consultants are turning their attention away from operating systems and to more business applications, Im sure well see more. As more and more applications are getting exposed on the Internet, this is likely to become a much more serious issue." Neel Mehta, a research engineer at X-Force, Internet Securitys research arm, says his group has increased its scrutiny of ERP applications in the wake of the PeopleSoft discovery. "We cant comment on the specific vendors were looking into for similar security problems," he says. "But its safe to say ERP is an area of concern." X-Forces database of potential security vulnerabilities reported 164 references for Oracle and 10 for SAP in the past year. The common thread: unlocked gateways to data on a server that provides services to Web users; and, functions that arent turned off when not in use. Oracle and SAP officials werent available for comment on how they are addressing security of enterprise software that they market.
"We found that nobody had called our customer service center about this particular problem," says Paola Lubet, vice president of technology marketing at PeopleSoft. "In any case, we offered the information to our customers. But it was pretty much like, If you dont want to be burnt, dont pour hot coffee on your knees. "