The customization of off-the-shelf software is the weakest link in application security. This is particularly true for widely used enterprise products such as SAP and Oracle, according to Gartner Research Director Rich Mogull.

He said the massive amounts of customization required to get products from both SAP and Oracle to perform ideally means that IT managers have no fail-safe point if some of the code creates vulnerabilities. As a result, managers have to cherrypick through code to find their own mistakes as opposed to downloading a patch from a vendor.

Speaking at the Gartner IT Security Summit in Sydney last week, Mogull said this problem has created custom vulnerabilities.

"Custom code does not undergo the same QA testing as commercial code does," Mogull said.

"All major applications, be they an application server or off-the-shelf software, is implemented mostly through custom code, and this is one of the biggest issues facing major application security. But what is even worse about this is any vulnerability you have in your system is yours, and no one else will find it but you.

"The advantage of off-the-shelf programs is that vulnerabilities are managed by vendors through patch update, but typically the security models that we do see featured in some applications are limited compared to the amount of customization done on applications to get them running."

Mogull added PeopleSoft had "pretty good" security models compared to other major enterprise applications, and since the Oracle purchase some of that knowledge is "seeping into other areas of Oracle"; however, the intentional ease of use within SAP applications has given IT managers free rein to make critical security mistakes.

"SAP, we find, is an incredibly flexible application with large amounts of custom code, which may be why some implementation projects take two years and is built on something called WebAS [application server] with two programming languages, J2EE and the other a programming language specific to SAP [ABAP]," Mogull said.

"Because we have this mixture of code and an application server on the back end, any SAP implementation is effectively a custom-code implementation that needs a secure development lifecycle.

"Oracle does tend to be a bit more off-the-shelf than SAP, and the Oracle product line is huge as it has PeopleSoft, Siebel and JD Edwards, but the problem is it has yet to integrate it. The identity management line is still in the integration process; there is no consistent security model across all products."

Mark Frear, director of business development for SAP Netweaver, said the vulnerabilities introduced through custom code are related to software development quality and the ethos of the company doing the coding.