An ERP system sits at the heart of an organization. It enables all critical business processes: human resources management, financial planning, product management, and more. More importantly, it holds all the data the organization depends on: financial information, employee data, customer details, product information, and so on. Espionage or sabotage against this data can have a devastating impact on the company, translating into large financial losses, disrupted business processes, and the loss of customer trust.
It is hence essential that you pen test your ERP system to find out how secure it actually is. A pen test shows what critical data an attacker could reach, by which path, and what that would mean for the business.
However, this is easier said than done, for ERP systems are notoriously difficult to test, more so than applications or networks.
Why is it complex to pen test an ERP system?
- Firstly, pen testers are generally more familiar with web applications, databases, and networks than with ERP systems such as SAP, which are large and complex.
- An ERP system is huge and overarching: it incorporates several database systems, application servers, operating systems, and interfaces to other systems, all adding to its complexity.
- Additionally, ERP systems are never implemented as is; rather, they are heavily customized for each organization's business logic and specific needs. This makes each organization's ERP system significantly different from another's, so a tester has to understand the whole system and its customizations in depth before starting a pen test.
- Many ERP solutions were set up years ago, generally by an external vendor. It is hence difficult to find in-house expertise on these. While different people will know how the different touch points that concern them work, given the solution’s size and the fact that it touches so many different areas, it is virtually impossible for one person to understand the whole system, much less figure out areas of potential vulnerability.
- Given that the nature of ERP is so critical to business, some companies are simply reluctant to pen test it.
However, there is no question that a detailed pen test of your ERP system is essential. It provides an independent and comprehensive overview of where your vulnerabilities lie, the business impact of those risks, and the mitigating measures you need to take.
Some things to watch out for
- Before you even begin a pen test, a deep knowledge of the system is necessary. As mentioned before, ERP systems are incredibly complex and differ from one organization to another. Ensure that your tester understands your system's business logic and processes prior to embarking on a pen test. Communicate your expectations upfront: the report should explain business risks, not just list technical flaws.
- ERP systems are critical to business, so one must be extremely cautious that testing does not result in downtime, corrupted or compromised data, or business outages. Some tests, such as running proof-of-concept exploits against production or brute forcing passwords on a system with an account lockout policy, can lock out real users and halt critical tasks, causing financial loss or exposing sensitive data. Agree the scope, test windows and rules of engagement beforehand, and run anything intrusive against a test or QA environment rather than production.
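The lockout problem in the second point is a good illustration of why the tester needs to know the system before touching it. The following is an added example, not code from the article or from any ERP vendor: it schedules password guesses so that no account ever receives enough failures inside one observation window to trip the lockout, and runs both the careful schedule and a naive one against a constructed, simulated login service to show the difference. The lockout policy, the user names and the password list are all assumptions constructed for the example; a real engagement would take the threshold and window from the target's actual password policy and confirm them with the system owner.

```python
"""Lockout-aware password spraying against a simulated ERP login endpoint.
Added example; the service, accounts, passwords and policy are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class LockoutPolicy:
    threshold: int        # failed logins that lock the account
    window_seconds: int   # how long failures are counted before the counter resets


@dataclass
class SimulatedAuthService:
    """Constructed stand-in for an ERP login endpoint (not a real product API).
    It counts failures per user and locks the user once `threshold` failures
    fall inside one observation window."""
    policy: LockoutPolicy
    credentials: Dict[str, str]
    failures: Dict[str, List[float]] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def login(self, user: str, password: str, now: float) -> str:
        if user in self.locked:
            return "locked"
        # Keep only failures that are still inside the observation window.
        recent = [t for t in self.failures.get(user, [])
                  if now - t < self.policy.window_seconds]
        if self.credentials.get(user) == password:
            self.failures[user] = []          # a successful login resets the counter
            return "ok"
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy.threshold:
            self.locked.add(user)
            return "locked"
        return "fail"


Schedule = List[Tuple[float, str, str]]   # (time offset in seconds, user, password)


def plan_spray(users: List[str], passwords: List[str], policy: LockoutPolicy,
               safety_margin: int = 1, slack_seconds: int = 60) -> Schedule:
    """Spread guesses over time so each user gets at most
    threshold - safety_margin attempts per observation window.  Successive
    windows are separated by the window length plus some slack so that a
    counter that expires slightly late cannot merge two windows' guesses."""
    per_window = policy.threshold - safety_margin
    if per_window < 1:
        raise ValueError("safety margin leaves no room for a single guess per window")
    spacing = policy.window_seconds + slack_seconds
    schedule: Schedule = []
    for i, pw in enumerate(passwords):
        t = (i // per_window) * spacing
        for user in users:
            schedule.append((t, user, pw))
    return schedule


def naive_brute(users: List[str], passwords: List[str]) -> Schedule:
    """What an uninformed test does: every guess fired immediately."""
    return [(0.0, user, pw) for user in users for pw in passwords]


def run_spray(service: SimulatedAuthService, schedule: Schedule):
    """Execute a schedule in time order; return credentials found and
    the accounts that were locked in the process."""
    found: Dict[str, str] = {}
    for t, user, pw in sorted(schedule, key=lambda x: x[0]):
        if service.login(user, pw, t) == "ok":
            found[user] = pw
    return found, set(service.locked)


def demo():
    """Constructed scenario: five failures within 30 minutes lock an account."""
    policy = LockoutPolicy(threshold=5, window_seconds=1800)
    creds = {"alice": "correct-horse-battery", "bob": "Spring2020",
             "sapadmin": "init1234"}              # assumed, for the example only
    users = list(creds)
    guesses = ["Welcome1", "Summer2019", "Password1", "Company123",
               "Spring2020", "init1234"]
    careful = run_spray(SimulatedAuthService(policy, dict(creds)),
                        plan_spray(users, guesses, policy))
    naive = run_spray(SimulatedAuthService(policy, dict(creds)),
                      naive_brute(users, guesses))
    return {"planned": careful, "naive": naive}


if __name__ == "__main__":
    for name, (found, locked) in demo().items():
        print(f"{name}: found={found} locked={sorted(locked)}")
```

With a threshold of five, the planned schedule tries four passwords per user, waits out the window plus slack, then tries the next two; it recovers both weak passwords and locks nobody. The naive run fires all six guesses at once, locks `alice` and locks `sapadmin` before its real password is even tried. On a production ERP the second outcome is a business outage, which is exactly the kind of impact the list above warns about.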
When it comes to pen testing an ERP system, remember that what is needed is a holistic approach, one that focuses on architecture, business logic and configuration problems rather than mere technical flaws or coding vulnerabilities.
Manoj Rai has around 14 years of IT experience in enterprise application, mobile and infrastructure security. He has rich and diverse global experience in leading large engagements and building deep technology expertise in the security testing domain.
Manoj holds a Bachelor of Engineering in Computer Science and an MBA in Systems, and has completed the Executive Delivery Program at IIM-Bangalore. He is a regular speaker on technical subjects such as ethical hacking, mobile security, secure SDLC and cloud security at CISO platforms, OWASP, BLUG, NULL and other forums. He is a regular blogger and has published white papers on threat management and best practices in various communities.