The Security Ledger Podcast

The Security Ledger Podcast


Spotlight Podcast: As Attacks Mount, ERP Security Still Lags

July 15, 2020

In this Spotlight podcast* we’re joined by Jason Fruge, the VP of Business Application Cybersecurity at Onapsis to talk about the growing attacks against critical systems like ERP and General Ledger applications by SAP and Oracle. We also talk about why these critical systems often lag on key security measures.

Security experts have been banging the drum about “risk based security” for years. The idea is simple: identify the assets and data within your organization that are critical to your mission, then concentrate resources – including staff and technology spending- on securing them. 

That sounds sensible, but are companies listening? By one measure, they are not. Specifically: security for critical business systems such as Enterprise Resource Planning (ERP) and General Ledger systems continues to lag. A recent survey of 430 IT decision makers by the firm IDC, for example, found that 64% of ERP deployments had been breached within the preceding 24 months. Those incidents exposed financial, sales and HR data as well as intellectual property and personally identifiable information on customers, IDC found. 

Jason Fruge is the Vice President of Business Application Cybersecurity at Onapsis

Report: Cybercriminals target difficult-to-secure ERP systems with new attacks

With all the talk about protecting organizations’ “crown jewels,” how is it that platforms like SAP and Oracle – the IT equivalent of the Tower of London where those jewels are kept – are often left unlocked and unprotected? 

To understand a bit more, we invited Jason Fruge into the Security Ledger studios. Jason is the Vice President of Business Application Cybersecurity at Onapsis and a former CISO at fashion design firm Fossil Group.   

How Digital Transformation is forcing GRC to evolve

In this interview, Jason and I talk about both the technical and cultural challenges of securing applications like Oracle and SAP. Those applications are so complex and bespoke that they often frustrate analysis using traditional vulnerability scanners and other security tools. We discuss the increase in attacks targeting these systems and what organizations can do to fend off attacks.

We also talk about the recent Onapsis publication of a slew of vulnerabilities in Oracle Business Suite, which Onapsis dubbed BigDebIt. That publication accompanies patches issued by Oracle. If left unpatched, the BigDebit vulnerabilities could allow an attacker to launch unauthenticated attacks on Oracle EBS platforms. 

(*) Disclosure: This podcast and blog post were sponsored by Onapsis. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out