ERPScan releases the first and only vulnerability management tool for Oracle PeopleSoft

Palo Alto, CA – March 12, 2015 – ERPScan, a most distinguished player in the ERP and Business Application Security area, has released a new tool: the first and only Vulnerability Management solution for Oracle PeopleSoft applications.

ERPScan is known for its innovative platform for assessing and monitoring SAP systems against cyber attacks and fraud activities. It covers all security areas: Vulnerability Management, Source Code Security, and Segregation of Duties. All major SAP platforms are supported: NetWeaver ABAP, NetWeaver J2EE, HANA, BusinessObjects, and Mobile, with a strong focus on industry solutions. The solution can be deployed onsite, in the cloud, or as a service, and was focused on SAP applications.

Now, ERPScan also supports vulnerability management for Oracle platforms, which have a huge market share, especially in North America. For the last 5 years, the researchers of ERPScan have been searching for vulnerabilities in the PeopleSoft platform and providing Oracle application security assessment services and related training. The results of this research became the basis for this new product.

Oracle PeopleSoft software is a combination of supply chain, human resources, supplier relationship management, and much more. This software is installed by 6000+ customers (57% of the Fortune 100 list) and serves 20 million employees worldwide. Stealing the personal data of more than 20 million people is very easy for an attacker because most PeopleSoft applications are connected to the Internet to provide access to suppliers. Simple Google search strings can find about 500 internet-enabled PeopleSoft applications. Shodan requests will show many more.

PeopleSoft applications are known for multiple attacks, especially in universities. An example dated November 2007: “Two California men are facing 20 years in prison on charges they hacked into a California state university’s PeopleSoft system to change their grades,” according to a PCWorld article. Later, in 2012, officials at the University of Nebraska in Lincoln (UNL) identified an undergraduate student they said was “responsible for a recent intrusion into a university database containing personal information on more than 650,000 students, parents and employees.

The intrusion, which was described by university officials as a ‘skilled attack,’ exposed the Social Security Numbers (SSNs), names, addresses, course grades, financial aid and other information on students. The system used to manage student admissions is based on Oracle’s PeopleSoft Enterprise Campus Solution platform.” [link] The technology is now in use at more than 800 universities in 20 countries.

Multiple vulnerabilities that were found in this system by different researchers, including unique research from the ERPScan team, can allow third parties to get full access to the system and obtain critical HR or supplier data, social security numbers, and probably even credit card data. Moreover, it is possible not only to steal data but also to execute a denial of service attack on competitors or modify financial information, such as bank account numbers. Until now, there were no solutions on the market which could address vulnerabilities in Oracle PeopleSoft applications, and we are happy to announce the ERPScan add-on for PeopleSoft as the industry’s first vulnerability management solution for Oracle PeopleSoft applications and components.

The current release supports all enterprise functions of ERPScan Security Monitoring Suite: high-level dashboards, integration, and multi-user access. It also provides a package of security checks specific to Oracle PeopleSoft, including 0-days.

  • Oracle PeopleSoft Vulnerability Assessment
  • Oracle PeopleSoft Configuration
  • Oracle PeopleSoft Anonymous Web Services
  • Oracle PeopleSoft 0-day Vulnerability Checks and Exploits
  • Oracle PeopleSoft Access Control Checks
  • Oracle Database Security Checks
  • Oracle WebLogic App Server Vulnerability Checks

We’ve been working on business application and ERP security since 2007 as researchers, and my personal experience with Oracle products started even earlier. We have since been acknowledged by Oracle in 15 critical patch updates for finding 40+ vulnerabilities in different Oracle business applications. This research became the basis for our unique workshops and trainings provided at the largest US and European conferences, such as BlackHat and HackInParis. Now, we are ready to introduce the support for Oracle PeopleSoft applications in our innovative product, ERPScan Security Monitoring Suite, which has already been honored by 25+ different awards. We will continue to supplement our suite with support for other business-critical applications: ERP, CRM, SRM, HCM systems, and industry-specific solutions.

Alexander Polyakov, CTO, ERPScan.

About ERPScan

ERPScan is the most respected and credible Business Application Security provider. Founded in 2010, the company operates globally. Named an ‘Emerging Vendor’ in Security by CRN and distinguished by 25+ other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to assist in improving the security of their latest solutions.

ERPScan’s primary mission is to close the gap between technical and business security, and provide solutions to evaluate and secure ERP systems and business-critical applications from both cyber-attacks and internal fraud. Our clients typically are large enterprises, Fortune 2000 companies, and managed service providers who need to actively monitor and manage the security of vast SAP landscapes on a global scale.

We use the ‘follow the sun’ principle and function in two hubs, located in the Netherlands and the US, to operate local offices and a partner network spanning 20+ countries around the globe. This allows for monitoring cyber threats in real time while providing agile customer support.

About Oracle

Oracle PeopleSoft was the PeopleSoft company’s ERP system. Although it was swallowed up by Oracle in 2005, it is still growing. Among the most popular PeopleSoft products are HRMS, CRM, FMS, and SCM solutions, all widespread, especially in the US.