The customisation of off-the-shelf software is the weakest link in application security. This is particularly true for widely used enterprise products such as SAP and Oracle, according to Gartner research director Rich Mogull.
He says the massive amounts of customisation required to get products from both SAP and Oracle to perform ideally means that IT managers have no fail-safe point if some of the code creates vulnerabilities. As a result, managers have to cherry-pick through code to find their own mistakes as opposed to downloading a patch from a vendor.
Speaking at the Gartner IT Security Summit in Sydney last month, Mogull said this problem has created custom vulnerabilities.
“Custom code does not undergo the same QA testing as commercial code does,” he noted.
“All major applications, be they an application server or off-the-shelf software, [are] implemented mostly through custom code and this is one of the biggest issues facing major application security. But what is even worse about this is any vulnerability you have in your system is yours and no one else will find it but you.
“The advantage of off-the-shelf programs is that vulnerabilities are managed by vendors through patch updates, but typically the security models that we do see featured in some applications are limited compared [with] the amount of customisation done on applications to get them running.”
Mogull added that PeopleSoft had “pretty good” security models compared with other major enterprise applications and since the Oracle purchase, some of that knowledge is “seeping into other areas of Oracle”. However, the intentional ease-of-use within SAP applications has given IT managers free rein to make critical security mistakes.
“SAP, we find, is an incredibly flexible application, with large amounts of custom code, which may be why some implementation projects take two years. SAP is built on something called WebAS [application server], with two programming languages, J2EE and the other a programming language specific to SAP (ABAP),” Mogull says.
“Because we have this mixture of code and an application server on the back-end, any SAP implementation is, effectively, a custom-code implementation that needs a secure development lifecycle.
“Oracle does tend to be a bit more off-the-shelf than SAP, and the Oracle product line is huge as it has PeopleSoft, Siebel and JD Edwards, but the problem is it has yet to integrate [them]. The identity management line is still in the integration process; there is no consistent security model across all products.”
Mark Frear, director of business development for SAP Netweaver, says the vulnerabilities introduced through custom code are related to software development quality and the ethos of the company doing the coding.
Frear says the product Virsa, integrated into SAP products, does custom code scanning in real-time and also features a “whistleblower” function, to dob in fellow bad coders.
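To make concrete what "scanning custom code" can mean in practice, here is an added illustration that is not part of the article and not the Virsa, SAP or Oracle scanner: a small heuristic checker, written for this page, that treats only customer-namespace (Z*/Y*) ABAP programs as "yours", as Mogull put it, and flags two of the mistakes a secure development lifecycle for custom code is meant to catch, a dynamic WHERE clause assembled from unescaped input and a database write with no preceding AUTHORITY-CHECK. The three ABAP programs are constructed samples; the rules are simplistic by design, and the vendor-namespace sample is skipped on the assumption that vendor code is covered by the vendor's own QA and patch process. The class `cl_abap_dyn_prg` and its `escape_quotes` method exist in SAP systems; everything else about the rules is an assumption of this example.

```python
"""Heuristic static checks for customer ABAP code.

Illustrative example added to the article; not Virsa's, SAP's or Oracle's rules.
The patterns are deliberately simple and will both miss and over-report real code.
"""
import re
from dataclasses import dataclass

# Customer developments live in the Z* / Y* namespaces; anything else is treated
# here as vendor-delivered code covered by the vendor's own QA (an assumption).
CUSTOM_NAMESPACE = re.compile(r"^[ZY]", re.I)
OBJECT_HEADER = re.compile(r"^\s*(?:REPORT|PROGRAM|FUNCTION|CLASS)\s+(\w+)", re.I | re.M)
CONCATENATE = re.compile(r"^\s*CONCATENATE\s+(.*?)\s+INTO\s+(\w+)", re.I)
TEMPLATE = re.compile(r"(\w+)\)?\s*=\s*\|(.*)\|", re.I)          # lv = |...{ x }...|
ESCAPE_CALL = re.compile(r"^\s*(\w+)\s*=\s*cl_abap_dyn_prg=>(?:escape_quotes|check_\w+)\(", re.I)
DYNAMIC_WHERE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)      # WHERE (lv_where)
AUTHORITY_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.I)
TABLE_WRITE = re.compile(r"^\s*(DELETE|UPDATE|MODIFY)\s+(?:FROM\s+)?(\w+)", re.I)
OPERAND = re.compile(r"'(?:[^']|'')*'|\w+")                        # literal or name


@dataclass
class Finding:
    program: str
    line: int
    rule: str
    detail: str


def is_custom_object(name: str) -> bool:
    """True for customer-namespace objects (Z*/Y*)."""
    return bool(CUSTOM_NAMESPACE.match(name))


def scan_program(source: str) -> list[Finding]:
    """Return findings for a custom program; vendor-namespace code is skipped."""
    header = OBJECT_HEADER.search(source)
    program = header.group(1).upper() if header else "UNKNOWN"
    if not is_custom_object(program):
        return []
    findings: list[Finding] = []
    escaped: set[str] = set()   # variables passed through cl_abap_dyn_prg
    tainted: set[str] = set()   # strings assembled from unescaped pieces
    auth_checked = False
    for no, line in enumerate(source.splitlines(), 1):
        if m := ESCAPE_CALL.match(line):
            escaped.add(m.group(1).lower())
            continue
        if m := CONCATENATE.match(line):
            parts = [t for t in OPERAND.findall(m.group(1)) if not t.startswith("'")]
            if any(p.lower() not in escaped for p in parts):
                tainted.add(m.group(2).lower())
        elif m := TEMPLATE.search(line):
            embedded = re.findall(r"\{\s*(\w+)\s*\}", m.group(2))
            if any(v.lower() not in escaped for v in embedded):
                tainted.add(m.group(1).lower())
        if AUTHORITY_CHECK.search(line):
            auth_checked = True
        if (m := DYNAMIC_WHERE.search(line)) and m.group(1).lower() in tainted:
            findings.append(Finding(program, no, "dynamic-where",
                                    f"WHERE clause built from unescaped input in {m.group(1)}"))
        if (m := TABLE_WRITE.match(line)) and not auth_checked:
            findings.append(Finding(program, no, "missing-authority-check",
                                    f"{m.group(1).upper()} on {m.group(2)} with no prior AUTHORITY-CHECK"))
    return findings


# Constructed samples (not real customer code).
VULNERABLE_CUSTOM = """REPORT z_cust_report.
PARAMETERS p_kunnr TYPE kna1-kunnr.
DATA lv_where TYPE string.
DATA lt_kna1 TYPE TABLE OF kna1.
CONCATENATE 'KUNNR = ''' p_kunnr '''' INTO lv_where.
SELECT * FROM kna1 INTO TABLE lt_kna1 WHERE (lv_where).
DELETE FROM zcust_log WHERE kunnr = p_kunnr.
"""

HARDENED_CUSTOM = """REPORT z_safe_report.
PARAMETERS p_kunnr TYPE kna1-kunnr.
DATA lv_kunnr TYPE string.
lv_kunnr = cl_abap_dyn_prg=>escape_quotes( p_kunnr ).
DATA(lv_where) = |KUNNR = '{ lv_kunnr }'|.
AUTHORITY-CHECK OBJECT 'F_KNA1_APP' ID 'ACTVT' FIELD '06'.
IF sy-subrc <> 0. RETURN. ENDIF.
SELECT * FROM kna1 INTO TABLE @DATA(lt_kna1) WHERE (lv_where).
DELETE FROM zcust_log WHERE kunnr = @lv_kunnr.
"""

VENDOR_PROGRAM = """REPORT sapmv45a.
DATA lv_where TYPE string.
CONCATENATE 'VBELN = ''' p_vbeln '''' INTO lv_where.
SELECT * FROM vbak INTO TABLE lt_vbak WHERE (lv_where).
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_CUSTOM),
                      ("hardened", HARDENED_CUSTOM), ("vendor", VENDOR_PROGRAM)]:
        print(name, [(f.line, f.rule) for f in scan_program(src)])
```

The vendor sample contains the same string-built WHERE clause as the vulnerable custom program, yet reports nothing: that is the point Mogull makes in reverse, since a flaw in vendor code is the vendor's to find and patch, while the identical flaw in a Z-program is found by nobody but the customer, so the customer's own lifecycle must include a check of this kind.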
Oracle was unavailable for comment.