Although I prefer the title I used in my livejournal, Habr calls itself a serious site, so the title here should be appropriate.
Digital Security has conducted a study of SAP and Oracle ERP security. The results are disappointing for the two manufacturers named. However, Digital Security found only the tip of the iceberg, without knowing how things really stand in detail, in production, so to speak. I want to talk about the reasons why customers of these ERP systems "live" with such problems for almost decades and for some reason do not solve them.
The very fact that security problems exist did not worry me much. There is nothing unusual in their existence. How many cars do the world's leading automakers recall every year for the same reason? And we regularly hear about some airliner being grounded. ERP systems are also made by people, and people, as we know, make mistakes. But while in the car industry these problems are solved by recalling the cars and fixing the faults, with ERP systems everything is much worse. Why?
Ten years ago there was a joke about the MiG-29s that India bought from us. They bought them disassembled. They assemble one, and it turns out to be a locomotive. They take it apart and reassemble it. A locomotive again. No matter what they do. They call our people and say, "We can't understand it." And our people reply, "It's written right there in the instructions: assemble a locomotive, then finish it off with a file." This joke fits ERP systems much better than it fits MiGs.
Why do clients "live" with these problems forever? The authors of the study claim that the reason is ignorance of the settings and their complexity. I say no.
Put yourself in the client's place. You know for certain that you have serious security problems. You can solve them, but to do so you have to study the "dense" system settings. Would you not deal with them? Of course you would figure them out. But, unfortunately, the settings are not the problem. The problem is the hopelessly outdated technologies of both the production and the implementation of ERP systems.
Almost all manufacturers go the same way. They produce something that is called an ERP system and sell it to customers. In reality, what is produced is not even a semi-finished product but something worse: something that is fundamentally incapable of working without a "file." Then this "something" is brought to the customer's premises and poured out onto the floor. Then the developers arrive and begin to "cut."
So customers are forced to "cut" and "plane" these semi-finished products to make them work. In practice, this means making radical changes to the data schema and source code of the original version. As a result, each client ends up with a completely individual piece of software that bears no relation to the "same" software at other clients. Centralized support from the manufacturer becomes completely impossible, because the manufacturer has no control over the situation at its customers and does not know what changes have been made. All patches and versions the manufacturer releases become useless for most of its customers, because installing them is simply impossible: the customers are running completely different products. This is the real reason why customers cannot solve their security problems. And not only security problems.
Someone may object: why then do customers not solve these problems themselves, since they already change the product drastically to make it work? But forgive me, why then do we need ERP manufacturers whose customers have to clean up all the "bugs" themselves? Besides, it is impossible, because not all parts of an ERP system are open to change, and you cannot change everything.
ERP manufacturers in general are often divorced from their own customers, because they do not work with clients directly, only through partners. The real needs and the practical, everyday problems of ERP systems are simply unknown to the manufacturer. They do not hear their clients, because they are fenced off from them by a wall of partners. I am not saying that working through partners is bad. By no means. I am simply stating a fact.
Moreover, there are more than enough examples of companies selling an ERP system that they do not use themselves. There are companies that sell and implement several ERP systems at once. How support is carried out in that situation is a question better put to their clients.
In other words, all the problems grow out of the production and implementation technologies of ERP systems, which, like their security, are at the level of ten years ago, when an ERP system was in fact developed on the customer's premises and strictly individually.
Manufacturers very often write about the replicability of their solutions. Let me remind these manufacturers that a replicated product is one whose source code and data schema do not change at the customer's site. Word and Excel are replicated products.
In the car industry, by contrast, eliminating a safety problem is mostly an organizational matter rather than a technical one: instruct the dealers, allocate the budget, and so on. The cars are the same for all customers, and the manufacturer knows exactly how to fix the problem for each owner.
In defense of these backward implementation technologies, people will object that all companies are different, that they all have different business processes, and that serious changes to code and data schemas therefore cannot be avoided. This is the classic "excuse," which, by the way, is also used to extract more money from the client for endless "customization."
My answer: I would not have written this piece if I had not implemented replicable technologies in my own company.