Enterprise Business Application Security Development Issues
This document will describe different areas of program vulnerabilities that can be found in source code of Enterprise Business applications and ERP systems.
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications.
There are many different languages and technologies that can be used to develop business applications and write costom code such as ABAP for SAP, PeopleCode for PeopleSoft,X++ for Microsoft Dynamics, PL/SQL for Oracle EBS, LotusScript for Lotus and much much more. Here, we will try to categorize them into 9 main areas filtered by criticality.
Crosslinks to CWE, SANS, OWASP and risks with descriptions will be added soon.
9 most critical types of issues in source code (EASAD-9-2013)
1 injections (Code sql os) 2 critical calls (to db to os ) 3 missing or bad access control checks (miss auth checks ) 4 directory/path traversal (write, read, smbrelay) 5 Modification of displayed content (XSS stored, linked, js/html injections) 6 backdoors (hardcoded credentials) 7 covert channels (sockets, http calls, ssrf's, ) 8 information disclose (hardcoded users, passwords, debug information, 9 obsolete statements ( READ TABLE, kernel methods,….)
Alexander Polyakov Alexander Minojenko Pavel Kuzmin