Because legacy systems are required and often critical to the daily operations of an enterprise, many companies are still using operating systems or applications that cannot be patched.
Developers are building applications with features in mind, but security is usually an afterthought. The rush to publish applications surpasses the need to develop more secure software, resulting in a fractured security ecosystem. As developers and defenders continue to learn how to work together, applications will become more secure.
In a Forrester Research report, “Transform Your Security Architecture And Operations For The Zero Trust Ecosystem,” Rick Holland, vice president and principal analyst, wrote, “Legacy, perimeter-centric approaches to security are ineffectual for today’s digital business. S&R pros need a new approach, and that approach is the Zero Trust Model of information security.”
The case for many enterprises, said Mark Curphy, CEO of SourceClear, is that as much as 90 percent of the software they use was not produced by them.
“Security team works on custom code--run scanning tools--but have no idea of the quality of those they didn’t develop,” said Curphy.
The fundamental way we build software has changed and changed quickly. At a time when the environment is constantly changing, the verified security of applications is changing with it. Despite the number of breaches, though, “Security isn’t even a speed bump, it’s the end of the line because pain isn’t being felt,” Holland said.
This reality has not been lost on hackers, Curphy said.
For many companies, regardless of size or industry, legacy systems cannot be patched because the original code is too old. Outdated code libraries are problematic because when hackers are able to find a vulnerability in one library, they can exploit hundreds of applications, as was seen with the recent Java exploit.
According to Julien Bellanger, CEO of Prevoty, “Every large organization has a number of legacy systems. These are codes that are 5, 8, 10, or even 15 years old, for which there are no more developers that can update them.”
Many organizations function on legacy systems that date all the way back to the late 1990s, Bellanger said. Others are running systems from 2005 that are legacy in their environment, because the notion of legacy is relative to the architecture of each organization’s system.
When critical applications are doing what they are designed to do, security professionals don’t focus on them every day. “It’s kind of like you never think about the battery in your car until it fails,” said Bellanger. “But if it is not maintained properly, if they are forgotten, then enterprises don’t spend any more resources on maintaining them, and they are vulnerable,” he continued.