More ERP Problems Ahead
"I'm wondering just how much we'll hear about other ERP security problems down the road, mainly because they're not as widely deployed as, for example, a Windows operating system," says Johannes Ullrich, a data specialist for Bethesda, Md.-based System Administration and Network Security (SANS). "A lot of these exploitations will be handled under wraps. If a competitor has access to your ERP applications, they pretty much know everything about your company."

Mehta says ISS will be posting notices of other vulnerabilities in other enterprise applications. In the meantime, technology executives should look at their applications and identify functions that either run by default or can be accessed from the Internet. Information systems administrators also face the challenge of "bulletproofing" the system against default settings that could expose their data in the highly likely event that other coding flaws exist in software that interacts with their Web server.

Pescatore says the software vendor is largely to blame. "It's really a case of sloppy programming by the vendor," says Pescatore. "As we've seen with Microsoft, if customers do enough complaining the vendor will have no choice but to improve the security by eliminating some of these default settings." Microsoft, which has long been berated for buggy code and security flaws in both its operating system software and servers, has already announced that the next version of its SQL data server, "Yukon," will by default disable all public access to "tables," where rows and columns of information are kept. "This is the type of thing Oracle and PeopleSoft and SAP are going to have to start doing if they're ever going to get companies to spend the money on upgrades or to invest in an ERP system in the first place," Pescatore says.
Rick Beers, director of supply chain technology at Corning Inc., says the complexity of installing, maintaining and securing enterprisewide applications across his company's technology architecture makes the process of discovering and patching security holes daunting. "We have 19 different production incidents of PeopleSoft running here, and while we've seen some improvement in the way PeopleSoft informs us about these issues, there's a lot of room for improvement," Beers says. "It's no secret that there are still fundamental flaws in the delivery of software in the ERP industry."

Companies will now have to get vigilant about protecting their enterprises from infiltration as they conduct more and more business with customers and partners over the Web. SANS's Ullrich notes that "anytime you take code written for a semi-controlled internal environment and expose it to the public at large, you're going to get hackers trying to attack it." But even alert organizations won't be able to anticipate each and every contingency created when a company integrates and manages all of its crucial business processes over the Internet. "As we deploy, we're going to find out" what the holes are, says Ben Golub, senior vice president, security division, at Verisign in Mountain View, Calif. "We don't find out until we deploy."
In February, the British security firm Next-Generation Security Software discovered significant flaws in Oracle's latest database software release, including four critical buffer overflows in its Oracle 9i Release 2. Buffer overflows occur when an application writes more data into a memory buffer than it was allocated to hold. By causing a buffer overflow, a hacker can alter the execution of an application or inject code into it.
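To make the buffer-overflow mechanism concrete, the following C fragment is an added illustration written for this article, not code from Oracle, Next-Generation Security Software or any product named above. It uses a constructed record layout (a fixed-size name buffer followed by a privilege flag) to show, side by side, the unchecked copy that lets over-long input spill into the adjacent field and the bounded copy that rejects such input. The struct and function names are invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example layout: a fixed-size buffer with a security-relevant
 * field right after it.  Real applications have many such adjacencies
 * (return addresses, function pointers, flags), which is why an overflow
 * lets input change what the program does. */
struct session {
    char name[8];
    int  is_admin;
};

/* Vulnerable pattern: trusts the caller-supplied length.  Anything beyond
 * name[] is written over is_admin.  To keep the demonstration deterministic
 * the copy targets the struct as a byte range, so the caller is assumed to
 * pass len <= sizeof(*s); in real code the write would simply run off the
 * end of the object. */
int unchecked_copy(struct session *s, const char *input, size_t len)
{
    s->is_admin = 0;
    memcpy((char *)s, input, len);   /* no check against sizeof s->name */
    return s->is_admin;              /* nonzero means the flag was clobbered */
}

/* Hardened form: bound the write to the buffer, leave room for the NUL
 * terminator, and report over-long input instead of truncating silently. */
int checked_copy(struct session *s, const char *input, size_t len)
{
    s->is_admin = 0;
    if (len >= sizeof s->name)
        return -1;                   /* reject: input does not fit */
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct session a, b;
    char oversized[sizeof(struct session)];
    memset(oversized, 'X', sizeof oversized);   /* constructed over-long input */

    printf("unchecked: is_admin after copy = %d\n",
           unchecked_copy(&a, oversized, sizeof oversized));
    printf("checked:   result = %d, is_admin = %d\n",
           checked_copy(&b, oversized, sizeof oversized), b.is_admin);
    printf("checked:   result = %d, name = %s\n",
           checked_copy(&b, "bob", 3), b.name);
    return 0;
}
```

The defensive point is the second function: every copy into a fixed-size buffer needs an explicit length comparison against the destination's size, and the safest response to input that does not fit is to refuse it, since truncation can itself change meaning.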