Security by Obscurity Doesn't Work for ERP Systems

2026-07-08

After building Bubely ERP and studying other open source ERPs, I'm concerned about security practices.

The Problems

1. Default credentials — admin/admin is still comically common

2. No audit logging — who approved that purchase order? Nobody knows.

3. Direct database access — applications connecting as root

4. No rate limiting — brute force attacks on login pages succeed more often than they should

What Every ERP Needs

Based on OWASP guidelines:

Bubely's Approach

Security isn't a feature. It's a property of good architecture.

The CISA ERP security guide is required reading for anyone building or deploying ERP systems.