Previous Issue's Dilemma:
How to secure legacy systems?
Our organization still has some legacy systems, mostly client/server systems developed during the first generations of Web-based applications. Do readers have any suggestions on how best to secure these systems?
-- Jack S.
Legacy systems are often closed-source, mission-critical systems that were designed and developed before security was such a vital issue. In addition, they are sometimes invisible to users, as they are backend systems that process large amounts of data. Given their importance in and potential risk to many organizations, Jack's question on how to secure legacy systems prompted several concerned responses.
- Describe and understand the system
- Identify and assess high-risk systems
- Get programmers involved
- Harden the system
Describe and understand the system.
One reader writes in with this suggestion: "If you want detailed good advice in relation to the security of web-based services, legacy or otherwise (from an individual that is unfamiliar with your systems), a detailed knowledge of how the system functions is required to identify priority areas. This area is a trust issue, because no one wants to admit potential issues, let alone post details of a system, which may have issues that they are unable to see or quantify, as this alone poses an unacceptable potential security issue."
Another reader, J. Clement, notes, "You should list all legacy systems and identify whether or not they are public-facing or internal, as well as if they are in-house custom systems, contractor-developed custom systems, or commercial off-the-shelf systems, etc."
Identify and assess high-risk systems.
Clement goes on to say, "Consider these factors: data sensitivity, functional criticality (Is it critical to the business function?) and implementation tools. Once you determine which systems are high-risk, then you'll need to conduct a more complete evaluation, putting emphasis on 'thinking like an attacker.'"
Clement continues, "You should focus on what the business risks are to the enterprise and how effective the system design is in handling those risks. Finally, you need to decide how severe the risk is to the enterprise."
Get programmers involved.
The first reader suggests the following: "The quickest and best way, in my opinion, to resolve potential security vulnerabilities is to ask the programmers to ensure that the vulnerabilities do not exist and to hold them accountable for failings. This should be done by holding regular reviews of the system and security-related matters (in the continuous development cycle) to ensure that a process exists to identify risks as they occur rather than the 'suck it and see' approach."
Harden the legacy system.
Clement suggests hardening the legacy system if the risks are significant and the costs reasonable. This could be done with patches or corrections to the source code, or by altering the architecture of the system to address exploitable design flaws. Clement says that patches "could create new security vulnerabilities and disturb operations of the system."
Jack, readers have shared some helpful ideas and processes; we hope that these suggestions help you address the security risks inherent in legacy systems.