Application security vulnerable because of customization

Published 20 July 2006

Customization is the weakness of application security, or at least that is what one researcher claims. Does customization of off-the-shelf software lead to vulnerabilities?

Gartner research director Rich Mogull claims that customization of off-the-shelf (OTS) software is the weakest link in application security, especially with widely used products such as those from Oracle and SAP. In his assessment Mogull says that the amount of customization needed to make these OTS products work properly should alert IT managers. Mogull, who spoke at the Gartner IT Security Summit in Sydney last week, says that the customization leads to custom vulnerabilities within the system. “Custom code does not undergo the same QA testing as commercial code does,” Mogull said. This leaves IT managers to write their own code without any fail-safe way to check it unless they do it manually, which will often lead to mistakes that cause security weaknesses. Mogull continues:

All major applications, be they an application server or off-the-shelf software, are implemented mostly through custom code, and this is one of the biggest issues facing major application security. But what is even worse about this is that any vulnerability you have in your system is yours, and no one else will find it but you.

Mogull did, however, cite PeopleSoft as having one of the better security models, and since it has been acquired by Oracle, some of the security measures have been “seeping into other areas of Oracle.” The same cannot be said for SAP, said Mogull. “SAP we find is an incredibly flexible application with large amounts of custom code, which may be why some implementation projects take two years, and is built on something called WebAS (application server) with two programming languages, J2EE and the other a programming language specific to SAP (ABAP).” The ease of use of the application may seem appealing to users at first glance, but Mogull also notes that the flexibility, giving IT managers free rein, contributes to security mistakes.

In response to these assertions, Mark Frear, director of business development for SAP NetWeaver, said the vulnerabilities introduced through custom code are related to software development quality and the ethos of the company doing the coding, and that Virsa, a product integrated into SAP products, scans code in real time and also features a “whistleblower” function to flag fellow bad coders.