Even in organizations that continually build new applications, legacy code frequently persists in the code base, often for months or even years. Inevitably, much of this code either originated outside the organization or was written by developers who’ve long since left the company. Realistically, there’s no way to know what security risks it poses or how severe these risks are.
So while many companies are focused on emerging threat vectors, it’s easy for them to overlook the risks posed by old code and applications. Even if organizations intend to apply patches and recommended updates, often day-to-day business concerns get in the way. If certain apps are too important to the business to mess around with, updates might get postponed — or forgotten about entirely.
And if organizations have customized legacy software, updates might require rework that is ultimately too time- and resource-intensive for the development team to tackle. The problem compounds itself as attackers discover new vulnerabilities in legacy code and begin to exploit them.
Even if your organization’s applications are secure when they go into production, they likely won’t stay that way. So how does this happen?
The Changing Threat Landscape
The type and scope of threats to applications change over time. Applications written on legacy, proprietary web platforms often contain severe vulnerabilities that haven't yet come to light but can be exploited by attackers later. Libraries and frameworks used by applications might be insecure or outdated. Legacy web apps may also lack the necessary mechanisms for secure login and authentication, putting them at risk of stolen sessions.
So how can your developers and security teams keep up? Here are a few things to consider:
Monitor all your apps, and don’t forget about frameworks, libraries, and platforms. Knowledge is power, so it’s critical to understand the security landscape for all your apps, new as well as legacy.
Periodically re-evaluate the resources and staffing you devote to application security. The monitoring, maintenance, and updating of legacy apps take time. It makes sense to factor in dedicated time, staffing resources, and budget for this effort, and to re-examine it as often as makes sense for your organization given how business-critical these apps are.
Develop an “end of life” plan for your apps. Not all apps will remain useful and relevant for your business and customers indefinitely. Many organizations fail to develop specific, actionable plans for what happens when apps reach this point. Planning for this from the outset reduces the security risk these apps can pose to your business down the road.
Keep up to date with OWASP recommendations for securing legacy apps. The organization has a project underway to compile the most prevalent threats to legacy web applications. Visit the OWASP site for details on possible exploits, and great advice to help keep these apps safe.