Weakest link in app security: customization?

12.09.2006

"The advantage of off-the-shelf programs is that vulnerabilities are managed by vendors through patch update," said Mogull, "but typically the security models that we do see featured in some applications are limited compared to the amount of customization done on applications to get them running."

"We have not had a need to [produce 'generic' patches]," said Frear. "This is not like Windows and viruses, or Oracle/PeopleSoft where bug fixes and security patches are released almost every week. Our platform is designed for robust operation and is not vulnerable."

"A lot of SAP customers are on older versions, so I perceive that moving to an upgrade would increase costs significantly," declared Thomas. "With us, 94 percent of our customers are on the latest version [according to a March 2005 Gartner study]."

"We find that our customers have moved away from customization of the basic product, as it just causes too much pain and aggravation," said Thomas.

- IDG staff contributed to this story