Representatives of the Open Web Application Security Project (OWASP) periodically release a top 10 list of known vulnerabilities that impact applications across a typical enterprise. Why is this so important? In today’s world, the common digital attack does not focus on network vulnerabilities because networks no longer represent the wall or moat that protects an organization. Today, the bad guys are focused on applications.
With the advent of mobile and the connected economy, identity is the new perimeter. And identities live in applications. So, that’s what the attackers are targeting. And Enterprise Resource Planning (ERP) applications represent juicy targets as they are typically the user store of record for most companies. Names, addresses, SSNs, bank account numbers and other sensitive data are usually found in an organization’s ERP infrastructure.
Let’s talk about a couple of the top vulnerabilities recently identified by OWASP, and how they specifically relate to an ERP application:
Authentication encompasses the controls in place to ascertain the identity of an entity logging into an application. It is commonly confused with ‘authorization’, but authorization represents the controls in place to determine what rights and permissions are in a system after being authenticated.
ERP systems, like all critical applications, rely heavily on controls around making sure that I am who I say I am when logging in.
Broken authentication is when those controls can be subverted. And it is pretty common due to the ineffective design and implementation of most identity and access controls. Session management is the backbone of most identity management solutions and is present in most all stateful applications. ‘Stateful’ just means that once I log in, I am able to traverse the application doing what I need to do without having to re-login every time I access a new page or component. The application ‘remembers’ me.
Attackers can use automated tools to detect broken authentication controls and essentially gain access to an application by utilizing session hijacking or stuffing credentials into a session via dictionary attacks.
Many ERP systems are what we consider to be legacy applications and were designed and implemented when session management was not a huge concern due to the insular nature of their deployments (accessible only inside the network, etc.). This leaves them very vulnerable to authentication attacks.
Sensitive Data Exposure
Legacy on-premise applications are notorious for not maintaining good data controls around the information they contain. The risk was typically viewed as minimal, because the only people that could access those applications were ‘trusted’ employees inside the network. ERP implementations typically fell into this category.
In my experience doing security assessments in years past, ERP systems were typically an asterisk in my final report as my customers were not willing to invest in the time or expertise needed to fully vet their security controls. The common rationale? It’s an inside application that is only accessible by a few individuals in Finance and HR.
In today’s world, many of those legacy applications, including ERP, have evolved into web applications that allow access from the internet. And, in many cases, that evolution has not been well-planned or architected. Patchwork code and sloppy implementations rushed to market to meet a need to become part of the connected world have led to a whole new attack space for bad actors.
What’s exposed? Attackers have discovered that many organization’s keys-to-the-kingdom are data stores, including ERP systems, which are not well protected and are now exposed to the world wide web as a highway in. Whether it be financial data, personal information or private health data, attackers have new targets to go after.
Most of these applications are unable to implement the granular controls needed to control and monitor access to sensitive information. Companies have to start looking beyond the built-in security capabilities of these applications. Capabilities that weren’t typically designed or implemented to deal with today’s connected world.
What Can Companies Do?
It’s time to take a different view of application security. Applications no longer exist behind network perimeters, managed by firewalls and other network-level protections. In today’s digital economy, companies are rushing to be able to exchange data with prospects, customers, employees and partners – regardless of how they’re accessing the application (mobile phone, tablet or desktop), and from where they are trying to access it (inside/outside the network, etc).
Learn how Appsian can help protect against the risks associated with Broken Authentication, Sensitive Data Exposure and many of the other top application vulnerabilities identified by OWASP.