By Martin Middlewood CRM Buyer Part of the ECT News Network
06/21/04 12:01 PM PT
About three weeks ago, Oracle (Nasdaq: ORCL) issued a security alert describing multiple SQL injection vulnerabilities in its E-Business Suite 11i and Applications 11.0. The alert carried the company's highest severity rating, which it associates with a flaw that is "high risk and requires little specialized knowledge to exploit."
The alert also warned that any user who has browser access and what it called "specialized knowledge" can take advantage of this security hole. Internet-facing application servers are most susceptible because attackers can remotely exploit the vulnerability through a browser.
According to the alert, all releases of Oracle Applications 11.0 and Oracle E-Business Suite Release 11i, 11.5.1 through 11.5.8, on any platform are susceptible to what the company described as "SQL injection vulnerabilities." Because Oracle Applications 11i installs the code for all product modules, Oracle 11i customers are exposed to the SQL injection issues whether or not they use the affected module. Oracle E-Business Suite Release 11.5.9 and later are not affected.
Stephen Kost, chief technology officer at Integrigy, a security company that focuses on security for large enterprise, mission-critical applications, discovered and reported the weakness.
Finding Flaws
In an interview with CRM Buyer, Kost explained that the vulnerability affected a little-used module in the Oracle system. "Although this problem was in a module that's rarely used, the code was still accessible to all customers," he explained.
According to Kost, company executives too often believe that their companies are secure once they've locked down their Internet perimeter; however, they give little thought to the enterprise applications inside that perimeter that an attacker could use to exploit something like Oracle's SQL injection flaw.
As a result, an attacker can exploit the software loophole to execute procedures or SQL queries and updates inside the database to manipulate or grab corporate data, Kost said.
Whenever it finds a flaw, Integrigy notifies Oracle and then works closely with the company throughout the patching process, which can take anywhere from 30 days to a year. To gauge the severity of a flaw, Integrigy goes through a validation process, checking with some of its clients to identify which software versions are affected.
"There are a number of these types of issues constantly being worked on," Kost acknowledged.
How quickly a patch is issued, and whether it is tested, depends on Oracle's process for developing a patch, although both companies release the patch information on the same day, Kost added.
Where are the Risks?
Andrew Braunberg, senior analyst of information security at research firm Current Analysis, told CRM Buyer that the current client-server model is not the issue when examining vulnerabilities such as Oracle's. Rather, the complex nature of enterprise software and the ways in which it is managed play a primary role.
For his part, Kost said that "most corporations have done a pretty good job at nailing down their Internet security -- but the enterprise applications -- ERP, CRM, SCM -- that companies spend tens of millions of dollars on remain vulnerable."
Kost pointed out that the single-database model makes good business sense for a company because it ties everything together, but it increases the company's risk from a security perspective. Because Oracle and SAP (NYSE: SAP) put everything in one database, exposing a supplier module to the Internet could, in theory, connect human-resources data and everything else in that database to the outside.
"There are no walls within these enterprise applications, and once you're in an application you have the whole thing," Kost said. "There is not any segmentation that protects parts connected to the Internet more."
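The two points Kost makes above, that an injection flaw lets an attacker run their own queries inside the database, and that one shared database means a flaw in an Internet-facing module reaches every other module's data, can be shown in a few lines. The following is an added example written for this article, not Oracle's or Integrigy's code, and it does not reproduce the actual flaw in E-Business Suite. It uses an in-memory SQLite database with a constructed, hypothetical schema (a supplier table and an HR table) to contrast a lookup that splices a browser-supplied value into the SQL text with one that passes it as a bind parameter.

```python
import sqlite3

# Constructed sample data standing in for a supplier module and an HR
# module that share one database. Table and column names are hypothetical.
SCHEMA = """
CREATE TABLE suppliers (id INTEGER PRIMARY KEY, name TEXT, country TEXT);
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
INSERT INTO suppliers (name, country) VALUES ('Acme Bolts', 'US'), ('Nord Stahl', 'DE');
INSERT INTO employees (name, salary) VALUES ('A. Jones', 91000), ('B. Chen', 128000);
"""


def open_db():
    """Create a throwaway database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_suppliers_unsafe(conn, country):
    """Vulnerable: the value from the browser is pasted into the SQL text,
    so a quote inside it ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT name, country FROM suppliers WHERE country = '" + country + "'"
    return conn.execute(sql).fetchall()


def find_suppliers_safe(conn, country):
    """Hardened: a bind parameter keeps the value out of the statement text,
    so the database only ever compares it as data."""
    sql = "SELECT name, country FROM suppliers WHERE country = ?"
    return conn.execute(sql, (country,)).fetchall()


# A constructed payload: close the string literal, append a UNION that reads
# the HR table through the supplier lookup, and comment out the trailing quote.
PAYLOAD = "x' UNION SELECT name, salary FROM employees --"


def demo():
    """Run both lookups with a normal value and with the payload."""
    conn = open_db()
    return {
        "normal_unsafe": find_suppliers_unsafe(conn, "US"),
        "normal_safe": find_suppliers_safe(conn, "US"),
        "payload_unsafe": find_suppliers_unsafe(conn, PAYLOAD),
        "payload_safe": find_suppliers_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With a normal country code both functions return the same supplier row. With the payload, the unsafe version returns the employee names and salaries, data that the supplier lookup was never meant to touch but that lives in the same database, while the safe version returns nothing because the whole payload is compared literally against the country column. The fix is not input filtering but never letting untrusted input become part of the statement text.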
Size an Issue
Part of this is because of the very scale of enterprise applications. Most companies are intimately involved with developing their Web applications; however, Web applications are small compared to "monstrous" enterprise software, Kost said.
According to Kost, there are 198 modules within Oracle's E-Business Suite, including data servers, batch servers, application servers and Web servers.
"In these systems, there are hundreds of default things that you have to change," he said. "Just changing the password means that there are 198 account passwords that have to be changed. In the application, there are another 20 to 30 application-level passwords that need to be changed. Then there are patches that need to be applied."
Companies hosting enterprise applications, like CRM, are probably in better shape, because they have larger staffs that focus solely on keeping Oracle or SAP applications running, whereas a midsize company may only have three or four IT people dedicated to an enterprise application and each only knows a small piece of it, Kost said.
Security Comes Last
Another problem companies face is that they have a small staff that either doesn't understand all aspects of its enterprise application the way it does its Web applications or that only sees a single part of the enterprise software puzzle, Kost explained.
These people "are too busy applying patches and trying to keep the system running to worry about security," he said. "Security is usually the last task of the work plan, and when it's time to go live they are out of time, and so either don't do it or only get rudimentary security in place."
Kost said that when his firm checks out a customer Web site, it typically finds 20 to 40 high-risk vulnerabilities that must be fixed immediately.
Insider Risk
"The hacker in Bulgaria isn't really the problem for enterprise security," Kost explained. "He doesn't know enough. He's trying to get in, but he's not trying to shut down a company. He wants some credit card numbers or social security numbers."
But Kost believes that every company running enterprise software has an insider risk it needs to address.
"It's the company insiders who know the system, its value and how it works that are a more serious threat," Kost said. "They are daily users of the enterprise systems who know the value of the systems, what its vulnerabilities are and where the information is."
Kost believes that these daily users or even contractors with a company pose the greatest risk when it comes to shutting down a manufacturing line or destroying financial data. "Fortunately, we're not seeing much of this," he said.