Weakest link in app security is customization

20.07.2006

Mogull added that PeopleSoft had "pretty good" security models compared with other major enterprise applications, and that since the Oracle purchase some of that knowledge is "seeping into other areas of Oracle". However, he said, the intentional ease of use of SAP applications has given IT managers free rein to make critical security mistakes.

"SAP, we find, is an incredibly flexible application with large amounts of custom code, which may be why some implementation projects take two years. It is built on something called WebAS (application server) with two programming languages: J2EE and a programming language specific to SAP (ABAP)," Mogull said.

"Because we have this mixture of code and an application server on the backend, any SAP implementation is effectively a custom-code implementation that needs a secure development lifecycle.

"Oracle does tend to be a bit more off-the-shelf than SAP, and the Oracle product line is huge, as it has PeopleSoft, Siebel and JD Edwards, but the problem is that it has yet to integrate them. The identity management line is still in the integration process; there is no consistent security model across all products."

Mark Frear, director of business development for SAP NetWeaver, said the vulnerabilities introduced through custom code are related to software development quality and the ethos of the company doing the coding.