Weakest link in app security is customization

20.07.2006
The customization of off-the-shelf software is the weakest link in application security. This is particularly true for widely used enterprise products such as SAP and Oracle, according to Gartner research director Rich Mogull.

He said the massive amount of customization required to get products from both SAP and Oracle to perform ideally means that IT managers have no fail-safe point if some of that code creates vulnerabilities. As a result, managers have to comb through their own code to find their own mistakes, rather than downloading a patch from a vendor.

Speaking at the Gartner IT Security Summit in Sydney last week, Mogull said this problem has created custom vulnerabilities.

"Custom code does not undergo the same QA testing as commercial code does," Mogull said.

"All major applications, be they an application server or off-the-shelf software, are implemented mostly through custom code, and this is one of the biggest issues facing major application security. But what is even worse about this is that any vulnerability you have in your system is yours, and no one else will find it but you.

"The advantage of off-the-shelf programs is that vulnerabilities are managed by vendors through patch updates, but typically the security models that we do see featured in some applications are limited compared to the amount of customization done on applications to get them running."