How To Conduct Security Audits on Legacy Software
Most companies relying on legacy software cannot immediately stop using it. To determine how to best mitigate risk, follow these security audit steps.
Legacy software encompasses the outdated products a company uses. Although these products might meet an organization’s immediate needs, they’re more likely to pose security risks than newer products. That’s primarily because software vendors no longer provide patches or other product updates, leaving vulnerabilities for cybercriminals to exploit.
Legacy software often has performance-related shortcomings, too. Since it no longer receives new features, everyone in the company must use the product as-is, which restricts the company’s growth potential.
Despite these downsides, many companies still have some legacy software. Its prevalence in today’s workplaces makes it necessary for people to know how to include such programs in the organization’s security audits.
Determine Why the Organization Still Uses the Legacy Software
People involved in software audits should pinpoint the factors that cause the company to continue using legacy products even though new ones are available. Learning the specifics isn’t always easy, especially if companies have had their current infrastructures for decades.
Emma McGrattan, senior vice president of engineering at Actian, explains that many of the systems associated with the world’s largest organizations are at least three decades old. One reason is that they usually have several infrastructural layers, making updates more cumbersome than people might expect.
Companies also rely on legacy software because no newer alternatives exist. In such cases, decision-makers accept the associated risks. Once those conducting security audits understand the specific reasoning, it’ll be easier to verify whether the outdated software is an essential part of keeping the business running.
Scrutinize the Code Quality and Its Potential Threats
People must also check the overall code quality, looking for bugs, security risks, and other concerning aspects. Many vendors offer specialty products to automate this process and supplement human expertise.
These careful code examinations can create a valuable foundation showing which legacy software contains the most risks. Consider a case where the Government Accountability Office (GAO) analyzed 65 legacy systems used by federal agencies. That examination included finding the 10 most critical associated problems at 10 affected organizations. The GAO then provided relevant remediation suggestions.
However, the GAO’s analysis occurred in 2019. Although many of the identified companies made significant progress in addressing the legacy software risks, two still had not fully implemented the GAO’s recommendations by 2023.
An internal security audit could provide an additional motivator. Those involved should have in-depth discussions with executives to explain the risks of poor-quality code and the ramifications of not addressing them.
After people know the risks within the code, they can begin addressing those issues with appropriate cybersecurity measures. Even if the audit reveals problems impossible to fix, the organization could at least invest in monitoring tools to increase awareness of potential infiltration attempts or attacks in progress.
Plan Paths for Reducing or Eliminating the Risks
Security audit procedures can also contain steps to assist organizations in minimizing or getting rid of the identified risks. Software vendors know that communications about the end of support for legacy software are integral to helping people gauge the risk. Such information is especially valuable when that end of support affects parties outside the company performing the audit.
For example, medical device manufacturers must tell healthcare customers when software support will end. People can then use that information to decide whether to keep using the product or look for alternatives. Software vendors can assist with parts of the process, such as telling customers about newer products and specifying when the last provided update for the legacy software will arrive.
Risk elimination may involve looking for alternative products and understanding how they could become better investments overall. Laptops become security risks when people can no longer update their software. They can also interfere with productivity if those older machines can no longer withstand how people use them.
Additionally, a 2023 survey of IT professionals found that 10% worked at organizations that had breaches over the past year. Although that’s a relatively small percentage, a more worrisome finding was that known security vulnerabilities caused 47% of those cases. Those statistics illustrate why failing to upgrade to newer software could create preventable security burdens.
Avoid the Unnecessary Concentration of Responsibility
A security audit on legacy software may reveal cases where only a few people — or just one person — know how to manage the legacy product. Such situations could be disastrous if those essential employees are away from the office due to illness, vacation, or other reasons.
Consider a case study inspired by real-life events associated with Australia’s Office of the Victorian Information Commissioner (OVIC). OVIC’s Department of Innovation relied on a legacy system to pull organizational data and compile mission-critical reports. However, only one worker in the organization knew how to manage that legacy system.
The worst-case scenario happened when a ransomware attack occurred during that essential employee’s vacation. The legacy system lacked redundancy options, and no one else in the Department of Innovation understood the legacy system’s infrastructure.
The organization’s systems administrator was the sole worker who did. He had previously approached leadership and asserted a strong case for migrating away from the legacy systems as soon as possible. However, the effort generated significant pushback, with executives believing the migration would prove too costly for the organization and result in an inevitable outage.
Once the ransomware struck, those within the organization tried in vain for nearly a week to deal with the cybersecurity threat before contacting the employee during his time away.
Many people think of single points of failure as weaknesses inside legacy systems. However, this case study illustrates how overdependence on key individuals can increase the risk of catastrophic problems, too.
Get User Feedback
A security audit should also include getting input from those who frequently use the legacy software. What do they like about the experience, and which factors cause frustration or other barriers? The feedback will likely steer IT team members’ decisions about addressing and minimizing the security issues identified during the audit.
All proposed solutions for dealing with legacy vulnerabilities must stay mindful of workers’ needs, processes, and duties. Security audits may show that organizations must make urgent changes to prevent imminent cyberattacks. Even so, most people resist change and may feel confused or dismayed if modifications to legacy systems disrupt their workflows. However, good communication throughout the process can reduce those downsides.
Just as those conducting the audits should ask workers for feedback, they must remain open to receiving it. When workers see that the IT team cares about what they have to say, they’ll be more likely to embrace new security measures rather than trying to circumvent them.
Choose a Migration Approach and Time Frame
A security audit may ultimately show that the best way to deal with the most pressing risks is to migrate away from the legacy system as soon as possible. In such cases, people should create detailed plans and goals to illustrate how they’ll do that while ensuring minimum disruption to the organization, its operations, and its workforce.
The staff associated with a business information services provider took that approach when moving legacy systems — some more than 20 years old — to the cloud. Workers engaged in an internal discovery process, saving time by sorting applications into buckets and consolidating them according to shared technology patterns.
People at the company had more than 400 applications to handle during this migration and knew re-factoring them all would take too long. Instead, they focused on re-hosting and re-platforming to get the legacy applications ready to move to the cloud. Those working on this project made the task more manageable by breaking into cohorts, where each cohort handled five to 10 applications.
This approach allowed the company to meet its primary objective, which was to complete the migration within two years. An analysis also revealed how the company had a 20% reduction in cloud costs after moving the legacy applications. That conclusion shows that moving legacy applications to the cloud — for security or other reasons — doesn’t necessarily result in additional expenses over time.
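The end-of-support tracking described under "Plan Paths for Reducing or Eliminating the Risks" and the bucket-and-cohort sorting described in this migration section can be combined into a small inventory triage script. The following is an added example written for this article, not code from the author, DZone, or the service provider described above; the risk weights, the cohort ceiling of 10 applications, and the sample inventory are assumptions constructed for illustration.

```python
"""Triage a legacy-software inventory for a security audit (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class App:
    name: str
    tech: str                     # shared technology pattern, e.g. "java-ee"
    support_ends: Optional[date]  # vendor end-of-support date; None = unknown
    internet_facing: bool
    admins: int                   # number of staff who can operate the system


def support_status(app: App, today: date, horizon_days: int = 365) -> str:
    """Classify vendor support as unsupported, ending-soon, supported or unknown."""
    if app.support_ends is None:
        return "unknown"
    if app.support_ends < today:
        return "unsupported"
    if app.support_ends <= today + timedelta(days=horizon_days):
        return "ending-soon"
    return "supported"


def risk_score(app: App, today: date) -> int:
    """Additive score; the weights are assumptions for this example, not a standard."""
    weights = {"unsupported": 3, "ending-soon": 2, "unknown": 1, "supported": 0}
    score = weights[support_status(app, today)]
    if app.internet_facing:
        score += 2
    if app.admins <= 1:  # a single point of failure in people, not only in code
        score += 2
    return score


def bucket_by_technology(apps: List[App]) -> Dict[str, List[App]]:
    """Group applications by shared technology pattern."""
    buckets: Dict[str, List[App]] = {}
    for app in apps:
        buckets.setdefault(app.tech, []).append(app)
    return buckets


def make_cohorts(apps: List[App], today: date, max_size: int = 10) -> List[List[App]]:
    """Split each technology bucket into cohorts of at most max_size apps,
    riskiest first, so the earliest cohorts migrated remove the most risk."""
    cohorts: List[List[App]] = []
    for _tech, group in sorted(bucket_by_technology(apps).items()):
        ordered = sorted(group, key=lambda a: (-risk_score(a, today), a.name))
        for i in range(0, len(ordered), max_size):
            cohorts.append(ordered[i:i + max_size])
    return cohorts


# Constructed sample inventory; none of these are real systems.
TODAY = date(2024, 6, 1)
INVENTORY = [
    App("payroll-batch", "cobol-mainframe", date(2019, 12, 31), False, 1),
    App("customer-portal", "java-ee", date(2024, 9, 30), True, 3),
    App("reporting-db", "oracle-11g", None, False, 2),
    App("hr-intranet", "java-ee", date(2027, 1, 1), False, 4),
    App("legacy-vpn", "appliance-fw", date(2021, 3, 1), True, 1),
]


def audit_report(apps: List[App] = INVENTORY, today: date = TODAY) -> List[dict]:
    """One row per application, highest risk first."""
    rows = [
        {"name": a.name, "status": support_status(a, today),
         "score": risk_score(a, today), "admins": a.admins}
        for a in apps
    ]
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


if __name__ == "__main__":
    for row in audit_report():
        print(f"{row['score']:2d}  {row['status']:<12} {row['name']}  admins={row['admins']}")
    for n, cohort in enumerate(make_cohorts(INVENTORY, TODAY), 1):
        print(f"cohort {n} ({cohort[0].tech}): {[a.name for a in cohort]}")
```

Running the script lists the inventory with the unsupported, internet-facing, single-administrator appliance at the top, and then prints one migration cohort per technology pattern. Raising `max_size` above 10 or adding score terms (for example, findings from the code-quality scan discussed earlier) is a matter of changing one weight, which keeps the scoring transparent to the executives who receive the audit report.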
Build Security Audits Into Security-Related Operations
Most companies relying on legacy software cannot immediately stop using it. The next best option is to perform thorough audits highlighting the identified vulnerabilities' type and extent.
Decision-makers can use that information to determine the most effective risk mitigation measures to use until organizations can gradually transition from outdated products.
Besides following the above recommendations, people should report security audit findings to executives with the power to make direct decisions to reduce legacy software threats and authorize reducing the organization’s dependence on outdated products.
Additionally, everyone involved should review the organization’s existing policies and procedures to ensure they reflect the risk mitigation strategies identified via the audit. These proactive measures will allow the organization to build a more modern and secure infrastructure to meet current and existing requirements.
Opinions expressed by DZone contributors are their own.