Weakest link in app security: customization?

12.09.2006
In a recent speech at the Gartner IT Security Summit in Sydney, Gartner Inc. research director Rich Mogull said that customization of off-the-shelf software is the weakest link in application security. This is particularly true for widely used enterprise products from vendors such as SAP AG and Oracle Corp., he added.

Mogull said the massive amount of customization required to get products from both SAP and Oracle to perform ideally means that IT managers have no fail-safe point if some of that code creates vulnerabilities. As a result, managers have to comb through their own code to find their own mistakes, rather than simply downloading a patch from the vendor.

Mogull said this problem has created custom vulnerabilities. "Custom code does not undergo the same QA [quality assurance] testing as commercial code does," he said.

"All major applications, be they an application server or off-the-shelf software, are implemented mostly through custom code, and this is one of the biggest issues facing major application security," said Mogull. "But what is even worse about this is that any vulnerability you have in your system is yours, and no one else will find it but you."

Vendors retort

"When we released Oracle 11 five or six years ago, we suggested that customers not get into customization of the code," said Peter Thomas, senior director, applications strategy, Oracle Asia Pacific, "as the pain that customers [would] go through defeats the purpose of customization in the first place."