In this Spotlight podcast* we’re joined by Jason Fruge, the VP of Business Application Cybersecurity at Onapsis to talk about the growing attacks against critical systems like ERP and General Ledger applications by SAP and Oracle. We also talk about why these critical systems often lag on key security measures.
Security experts have been banging the drum about “risk based security” for years. The idea is simple: identify the assets and data within your organization that are critical to your mission, then concentrate resources (including staff and technology spending) on securing them.
That sounds sensible, but are companies listening? By one measure, they are not. Specifically: security for critical business systems such as Enterprise Resource Planning (ERP) and General Ledger systems continues to lag. A recent survey of 430 IT decision makers by the firm IDC, for example, found that 64% of ERP deployments had been breached within the preceding 24 months. Those incidents exposed financial, sales and HR data as well as intellectual property and personally identifiable information on customers, IDC found.
With all the talk about protecting organizations’ “crown jewels,” how is it that platforms like SAP and Oracle – the IT equivalent of the Tower of London where those jewels are kept – are often left unlocked and unprotected?
To understand a bit more, we invited Jason Fruge into the Security Ledger studios. Jason is the Vice President of Business Application Cybersecurity at Onapsis and a former CISO at fashion design firm Fossil Group.
In this interview, Jason and I talk about both the technical and cultural challenges of securing applications like Oracle and SAP. Those applications are so complex and bespoke that they often frustrate analysis using traditional vulnerability scanners and other security tools. We discuss the increase in attacks targeting these systems and what organizations can do to fend off attacks.
We also talk about the recent Onapsis publication of a slew of vulnerabilities in Oracle E-Business Suite, which Onapsis dubbed BigDebIT. That publication accompanies patches issued by Oracle. If left unpatched, the BigDebIT vulnerabilities could allow an attacker to launch unauthenticated attacks on Oracle EBS platforms.
(*) Disclosure: This podcast and blog post were sponsored by Onapsis. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.