To CIOs: Did Critical ERP Security Updates and Patches Cause the PoS Breach?

To CIOs: Did Critical ERP Security Updates and Patches Cause the PoS Breach?

Posted on Posted in: Categories Blog / Tags ,

Image of cyber attackRecently an article appeared on the Computing UK website entitled, “Oracle attackers ‘possibly got unlimited control over credit cards’ on US retail systems, warns ERPScan.”  The article talks about exposure to potentially every credit card used in US retail as a result of the control hackers gained to Point of Sale (PoS) systems when exploiting a vulnerability. 

This isn’t really new news; we have all become somewhat numb to the stream of stories of account information being compromised from these incursions.  The security software industry is focused on prevention of these data breaches and enormous amounts of time and money are spent to secure corporate systems.

What does a PoS breach have to do with application testing?

Great question…glad that you asked.

No one would deliberately ignore application of these security updates if there weren’t significant operational barriers to doing so. 

So, why is it so common to have substantial delays in applying the latest updates and patches?

Enterprise applications present numerous unique challenges to timely application of patches, updates, support packs, etc. Just a few that impact an organizations ability to deploy updates on a timely basis:

Integrated Solutions – Enterprise applications are typically tightly integrated solutions, with many functional modules.  A change made to one area of the application often affects other parts of the application.  These metadata based applications must be thoroughly tested to ensure that changes and updates to the application do not have unintended functional consequences in other parts of the application.

Highly Customized – Virtually every company modifies the software provided by the vendor to reflect the unique nature of their business.  It is more common than not to have an application like SAP or Oracle EBS be 30% or more customized, which of course means that the vendor providing the patch or support pack cannot tell you what the impact on your system will be.  It’s up to the user to validate that the application functionally works as expected, in its entirety.  Customers are also concerned that any update by the provided by the vendor could negatively impact customization they have applied to the application causing even more re-work and business process validation.  Which leads me to my final point.

Mission Critical – These applications are often the heart of the enterprise.  These applications run finance, HR, sales, supply chain, distribution…virtually every function of the business.  A production outage, even briefly, can have enormous consequence and impact.  Therefore, and rightly so, it makes sense to proceed with extreme caution before introducing any change into the production system.

Image of man with watchBecause the process of fully testing the applications is essential, but lengthy and resource intensive, it isn’t unusual for these patches and support packs to remain in queue to be combined with a broader set of changes so that the testing process can be done all at once. 

The risk of leaving the systems vulnerable is balanced against the business risk of impacting production systems, as well as the time, cost and complexity of actually validating applications.  This is where effective business process validation software products can shrink this gap and eliminate the trade-offs inherent in the standard decision process.

TurnKey Solutions specializes in tackling the hardest problems – end to end, cross platform business process validation of the most complex and important applications in an enterprise.  We can help shield companies from security risks as well as providing greater visibility, control and business agility to application owners. 

photo credit: Week 36 – Cyber attack via photopin (license)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.