Updated on April 19, 2018 by UpGuard
Last week, leading global ERP vendor SAP was busier than usual in the patch department: it closed a record number of issues for a single month and addressed 48 vulnerabilities, one of them an authentication bypass vulnerability that had gone unaddressed for 3 years. Given how mission-critical ERP systems are for centralizing business operations these days, is it safe to assume that ERP vendors are serious about their customers' security? Let's take a look at the leading solution providers in this category to find out.
SAP apparently first attempted to fix the flaw 3 years ago, unsuccessfully; as a result, all SAP Portal systems remain susceptible to exploitation via the authorization bypass vulnerability, allowing sensitive information to be read by attackers. Unfortunately, this wasn't the first time the enterprise software giant grossly delayed fixing flaws in its software: another 3-year-old information disclosure flaw was patched back in July of this year.
Because the majority of large enterprises depend on ERP systems to automate and integrate their core business processes, it's fair to say that much of the world's business resilience relies on the security postures of these systems. Measures around a firm's external risk exposure—its CSTAR rating—are an organization's performance indicators in the areas of security fitness, trustworthiness, and enterprise resilience. The leading ERP vendors' CSTAR scores offer insights into how each respective firm handles and regards cybersecurity, as reflected in their own website perimeter security measures and other data.
The leader of the pack, SAP, had a 6% market share and $5.3 billion in ERP product revenues last year; in fact, it's the world's largest business software company and third largest independent software provider by revenue. With all that enterprise coin, can the German software behemoth spare some change for security?
An alarmingly low CSTAR score of 429 means that SAP's website could be compromised by exploiting several security flaws: lack of sitewide SSL, absent HttpOnly/Secure cookies, server information leakage, and lack of DMARC, among others.
Sage's ERP solutions have their roots in CP/M and later MS-DOS applications. A long track record in the ERP space, however, doesn't necessarily mean better security: lack of sitewide SSL, absence of secure cookies, and lack of DNSSEC are a few of its website perimeter security flaws. A low CEO approval rating and employee company rating further impact its resilience posture. Learn more about how employee happiness relates to cybersecurity.
FIS—short for Fidelity National Information Services—is #392 on the Fortune 500 and the #2 provider of ERP solutions (after SAP) with a 4% market share. When it comes to security, however, FIS isn't bringing home any awards: lack of sitewide SSL, HTTP strict transport security, DMARC, and DNSSEC, among others, are just a few of its shortcomings.
Founded in Austin, TX in 1972, Epicor is another titan of the enterprise software world with a long track record in developing business ERP/CRM and supply chain management solutions. In 2003, the company delivered the industry's first completely web services-based enterprise service automation solution (Epicor for Service Enterprises)—today, the company's solutions are available in both on-premise and public cloud SaaS offerings.
The company has neglected to address a myriad of crucial website perimeter security flaws—as a result, a low CSTAR score of 333 means that it could be susceptible to a compromise.
Flaws detected include lack of sitewide SSL, server information leakage of various sorts, and lack of HttpOnly/Secure cookies. Additionally, the absence of DMARC and DNSSEC leaves its email domain open to forgery and its DNS records open to spoofing. Finally, its low CEO approval rating further impacts Epicor's resilience posture.
NetSuite is one of the "newer" giants in the ERP vendor pantheon: founded in 1998, the company's consolidated ERP, CRM and e-commerce offering has gained widespread adoption, especially with cloud-centric businesses and enterprises. Sadly, its CSTAR score falls short of its born-in-the-cloud lineage: lack of sitewide SSL, disabled HTTP strict transport security, lack of HttpOnly/Secure cookies, and disabled DNSSEC are a few of the flaws impacting its resilience rating.
With customers ranging from Bausch & Lomb, Ferrari, and Heineken to Wyndham Hotels and Best Western International, Infor is another ERP giant with a broad user base and global footprint. Last year, it agreed to purchase GT Nexus, the world's largest cloud-based global commerce platform, for $675 million. Though better on average than some of its peers, Infor nonetheless falls short when it comes to website perimeter security: flaws include lack of sitewide SSL, HTTP strict transport security, and DNSSEC, among others.
Perhaps the most recognizable name of the bunch, Oracle in fact acquired NetSuite in July 2016; the jury is out on whether its security practices will roll over to the acquiree. Some flaws nonetheless exist in the firm's resilience posture: server information leakage, lack of DMARC/DNSSEC, and a low CEO approval rating, among others.
It's clear that most of the world's largest ERP vendors (and largest software companies by revenue) have not taken crucial measures to bolster their website perimeter security mechanisms. But how is this relevant to the business? Recall SAP's lackluster performance in patching various security flaws, some of them over 3 years old. A culture of weak security permeates all levels of an organization, even one with upwards of $24.9 billion in annual revenues. Find out how other enterprises perform with our CSTAR risk grader web application and Chrome extension for instantly validating a website's security posture.
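As an added example (not UpGuard's tooling or the CSTAR grader itself), the following Python checker evaluates a captured HTTP response header block and a DMARC TXT record against several of the perimeter checks cited above: HSTS, Secure/HttpOnly cookie attributes, Server version disclosure, and DMARC enforcement. The header block and DMARC record are constructed samples, not data from any vendor; sitewide SSL and DNSSEC need live network checks and are not modeled here.

```python
import re

# Constructed sample response headers and DMARC record (not captured from any vendor).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Set-Cookie": ["session=abc123; Path=/", "csrf=x1y2; Path=/; Secure; HttpOnly"],
}
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if the header is absent/invalid."""
    value = headers.get("Strict-Transport-Security")
    if not value:
        return None
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def insecure_cookies(headers):
    """Names of cookies set without both the Secure and HttpOnly attributes."""
    weak = []
    for raw in headers.get("Set-Cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "secure" not in attrs or "httponly" not in attrs:
            weak.append(name)
    return weak

def server_leaks_version(headers):
    """True when the Server header discloses a product version (e.g. Apache/2.4.29)."""
    return bool(re.search(r"/\d+(\.\d+)+", headers.get("Server", "")))

def dmarc_policy(txt):
    """Policy tag of a DMARC record ('none', 'quarantine', 'reject'), or None if no valid record."""
    if txt is None or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags.get("p", "").strip().lower() or None

def assess(headers, dmarc_txt):
    """Collect the perimeter findings the article lists into one list of issue strings."""
    findings = []
    if hsts_max_age(headers) is None:
        findings.append("no HSTS")
    for name in insecure_cookies(headers):
        findings.append(f"cookie {name} lacks Secure/HttpOnly")
    if server_leaks_version(headers):
        findings.append("server version leaked")
    if dmarc_policy(dmarc_txt) not in ("quarantine", "reject"):
        findings.append("DMARC missing or not enforcing")
    return findings
```

Run against the sample input, `assess` reports all four findings; a record with `p=none` is flagged because it monitors but does not enforce.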
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.