ERP application security is at the level of ten years ago
08.02.11, 12:00, Moscow time
Although vendors such as SAP and Oracle regularly release security updates for their products, companies remain exposed to attacks that target architectural vulnerabilities and configuration errors. Alexander Polyakov, CTO of Digital Security, believes that most of the architectural vulnerabilities in these systems simply cannot be patched, which means they remain exploitable.
"Very few SAP system administrators install updates regularly, and very few specialists deeply understand the technical details of securely configuring ERP systems; at best they limit themselves to SOD problems. That is why, as a result of our security assessment work, we see insecurely configured systems," Alexander Polyakov notes.
As an example, the specialists describe an audit in which a ten-year-old installation of the JD Edwards ERP system was found to have an architectural vulnerability that allowed any user to access all data. Another architectural vulnerability was found in the OpenEdge database (Progress Software), a DBMS used by many Fortune 100 companies. In this product a trivial error was found in the authentication process: the password hash was checked on the client side, so it is possible to authenticate to the system as any user without knowing the password, or even a user name. The problem is that the vendor will not fix this vulnerability, because doing so would require rewriting the entire architecture of the application.
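The OpenEdge flaw described above is an instance of a general design error: the client, not the server, decides whether the password matched. The following is an added illustration written for this article, not code from Progress Software or Digital Security, and it makes no claim about OpenEdge's actual wire protocol. The account table, message format and function names are all constructed for the example. The weak path shows the flaw (the server trusts an "authenticated" flag the client sends, so a forged message logs in without a password or a valid user name); the fixed path shows the server performing the comparison itself.

```python
# Added illustration, not OpenEdge or Digital Security code: a login check done
# on the client versus the same check done on the server. Names, the message
# format and the sample accounts are all hypothetical.
import hashlib
import hmac
import os
import secrets


def _make_record(password: str) -> tuple[bytes, str]:
    """Build a salted SHA-256 record for a constructed sample account."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed sample account table: username -> (salt, hex digest).
USERS = {
    "alice": _make_record("correct horse battery staple"),
    "admin": _make_record("hunter2"),
}

SESSIONS: dict[str, str] = {}  # session token -> username (both designs)


# --- Weak design: the client decides whether the password matched -----------

def weak_server_get_record(username: str):
    """The weak server hands the salt and stored hash to the client on request."""
    return USERS.get(username)


def weak_client_login_message(username: str, password: str) -> dict:
    """An honest client: compares the hash locally and reports the verdict."""
    record = weak_server_get_record(username)
    ok = False
    if record is not None:
        salt, digest = record
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
        ok = hmac.compare_digest(candidate, digest)
    return {"user": username, "authenticated": ok}


def weak_server_login(message: dict):
    """The weak server trusts the client's verdict. This is the flaw."""
    if message.get("authenticated") is True:
        token = secrets.token_hex(16)
        SESSIONS[token] = message.get("user", "")
        return token
    return None


def forged_login_message(username: str = "") -> dict:
    """What an attacker sends: no password, and not even a real user name."""
    return {"user": username, "authenticated": True}


# --- Fixed design: the server sees only credentials, never a verdict --------

def server_login(username: str, password: str):
    """The server looks up the account and does the comparison itself."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, digest = record
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, digest):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


if __name__ == "__main__":
    print("forged login, weak server:", weak_server_login(forged_login_message("admin")))
    print("forged login, fixed server:", server_login("admin", "not the password"))
```

The point to check in a real assessment is the same as in the toy: if the stored hash, or a yes/no verdict about it, ever crosses from the server to the client, the client can skip the comparison entirely, and no amount of patching the client binary fixes that, which is why the article calls it an architectural rather than an implementation flaw.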
A further example is the SAP SRM system, which among other things is used to run tender processes. Because of a single architectural vulnerability, any supplier can gain access to the tenders of other suppliers, and can also upload a Trojan into a competitor's network, for instance for industrial espionage.
ERP application security is at the level of ten years ago, and with the current trend of exposing business applications to the Internet, between company branches or for partner integration, all of these systems have become reachable by a wide range of people looking to exploit application flaws for profit. Companies have spent millions of dollars eliminating SOD conflicts in the belief that this is an integral part of ERP security, yet the number of application-level vulnerabilities is nevertheless growing exponentially, as is attackers' interest in these systems.