Why is ERP security so difficult?
ERP (Enterprise Resource Planning) security has been all over the news lately. From high profile breaches, like the recent U.S. Office of Personnel Management breach, to researchers presenting vulnerabilities in ERP systems at recent security conferences, the visibility of ERP in the security community has never been higher.
Still, many security professionals aren’t familiar with how ERP systems work or with the complexities involved in properly testing them. Why are ERP systems different from other systems?
Technical complexity
ERP systems are technically complex. A single ERP system supports hundreds of different business processes. A typical ERP system has tens of millions of lines of code. In addition to common languages such as SQL, JavaScript, and Java, many ERP systems have a proprietary language for defining business logic (e.g. ABAP for SAP).
That huge amount of code is not just what the ERP vendor delivers to the customer; it can also include modifications that the customer has developed. We recently worked with an Oracle customer that has a business critical bolt-on to their ERP system originating from when they first installed the ERP system in the mid 1990s. They have kept the ERP system up to date as Oracle has rolled out new releases, but the bolt-on is so important to their company that they continue to bring it into each new version of the ERP system. That might sound crazy, but the business value to them greatly exceeds the cost of maintaining it, so they continue to keep it around.
The data volumes for ERP are significant as well. Database sizes can range into the terabytes. There are systems out there with larger volumes of data, but in an ERP system the data is split across tens of thousands of database tables. Different business processes access subsets of these tables to do their work, so it is not always easy to identify a single “business owner”.
Political complexity
It’s easy to forget that the organizations that use ERP systems are not monolithic. Many times the ERP system supports companies that are legally separate from each other, but have a common parent company. This isn’t as simple as what most people think of as a multi-tenant application though; some data and business processes may be shared across the different companies (e.g. common purchasing for discounts from larger volumes), but other data and business processes are completely separate.
Making matters worse, companies don’t just pick one way to be organized and stick with it. Look at the business section of the news and you’ll see changes in this every day. For this reason, many ERP systems support the idea of effective dating, which allows different business rules (and the corresponding security changes) to take effect as of a certain date (and allows reporting and analysis to be done with not just historic data, but the state of the business rules that were in effect in the past).
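To make the effective dating idea concrete for security testing, here is an added example (not from the original post, and not any vendor's real schema) using a constructed, hypothetical role_assignment table in SQLite. It contrasts a naive role check that ignores the dates with an "as of" check that honours them, which is what lets a future-dated or expired assignment be reported correctly without granting access today.

```python
import sqlite3
from datetime import date

# Constructed sample data (hypothetical schema, not a real ERP table):
# (user_id, role, effective_from, effective_to); effective_to None = open-ended.
ROLE_ASSIGNMENTS = [
    ("alice", "AP_CLERK",   "2014-01-01", "2015-06-30"),  # expired assignment
    ("alice", "AP_MANAGER", "2015-07-01", None),          # current assignment
    ("bob",   "AP_CLERK",   "2015-09-01", None),          # future-dated assignment
]


def build_db():
    """Create an in-memory database holding the effective-dated assignments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE role_assignment (
        user_id TEXT, role TEXT, effective_from TEXT, effective_to TEXT)""")
    conn.executemany("INSERT INTO role_assignment VALUES (?,?,?,?)", ROLE_ASSIGNMENTS)
    return conn


def roles_naive(conn, user_id):
    """Defective check: ignores the effective dates, so expired and
    future-dated rows are all treated as live grants."""
    rows = conn.execute("SELECT role FROM role_assignment WHERE user_id = ? ORDER BY role",
                        (user_id,)).fetchall()
    return [r[0] for r in rows]


def roles_as_of(conn, user_id, as_of):
    """Roles in effect for user_id on the given date.  A row applies only when
    effective_from <= as_of <= effective_to (open-ended rows have no upper bound).
    ISO-8601 date strings compare correctly as text, so no parsing is needed."""
    d = as_of.isoformat()
    rows = conn.execute(
        """SELECT role FROM role_assignment
           WHERE user_id = ?
             AND effective_from <= ?
             AND (effective_to IS NULL OR effective_to >= ?)
           ORDER BY role""",
        (user_id, d, d)).fetchall()
    return [r[0] for r in rows]


def has_role(conn, user_id, role, as_of):
    """Authorization decision for a specific date (today, or a historical date
    when reproducing what rules were in force for a past transaction)."""
    return role in roles_as_of(conn, user_id, as_of)
```

The same as-of query answers both questions the post raises: what a user may do today, and what rules applied when a historical transaction was posted.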
In addition to the internally driven changes to organization structure and business rules, changes can be driven by things like governmental regulations, union agreements, etc. Keeping up with these changes and being able to make the code changes needed to support them takes a huge amount of effort; effort that in many cases takes the developer’s focus away from things like thinking about security.
Advice for security professionals
Given the complexity of ERP, it’s no wonder that it is difficult for security professionals to wrap their heads around an ERP system. There are some things that you can do to gain a better understanding though.
If you are working within an organization, then get to know the functional users. Learning more about how particular business processes work will help you gain access to parts of the ERP system that you won’t find by poking around manually or with a fuzzer. Otherwise you may only be testing the tip of the proverbial ERP iceberg.
Getting access to test systems is also a big help. There may be test systems within the organization that you are working for or you may be able to arrange access to your own test system to learn more about the inner workings of ERP. This is an area where the traditional ERP vendors such as Oracle and SAP are ahead of the game. They make pre-built virtual machines with full ERP systems in demo configurations available for download. At the time of this writing, there do not appear to be any Cloud ERP vendors that provide test systems if you are not a customer.
Whether you are working on your own test system or using a shared test system, you will find that learning about the tracing functionality that the ERP system offers is very valuable in figuring out how it works. ERP systems typically have a variety of knobs and switches that can be set to turn on various levels of tracing. Reviewing these in conjunction with going through a business process online as the end-user does is very helpful.