How legacy code is exposing business and government systems

April 8, 2014
Advanced persistent threats plague applications that were written decades ago in dead programming languages

The evolution of technology has made businesses, organizations and government agencies increasingly dependent on sophisticated IT infrastructure — and alarmingly vulnerable to a barrage of cybersecurity threats.

A recent report by Arbor Networks found a 36 percent increase in the number of organizations targeted by Advanced Persistent Threats (APTs) in 2013. But while most high profile discussions of cybersecurity threats center around the consequences of human error, APTs that target legacy applications are becoming a major source of system breaches.

The problem is that many businesses and government agencies continue to rely on applications that were written decades ago in programming languages that are no longer used or taught, making them ideal targets for malware attacks. The presence of legacy code creates a security gap that is ripe for exploitation — quietly and over time, in a manner that takes advantage of vulnerabilities without alerting standard IT defense mechanisms.

With legacy systems now central to the operations of most large organizations, there is a critical need to address the security threats posed by outdated code and similar vulnerabilities. But expensive and time-consuming system overhauls aren’t the only way to insulate IT infrastructure. For many organizations, the simpler solution involves the identification, removal and documentation of legacy code within existing IT systems.

The Legacy Code Threat

Although the COBOL programming language was first implemented in 1959, 70 percent of all business transactions are still processed in COBOL. As a result, systems that were secure at launch are likely riddled with security holes today, more than three decades after they were created.

As legacy systems age, the amount of dead code in them continues to grow. Changes in business rules require applications to be modified, but old business rules are often commented out rather than truly removed from the system. Even more concerning, many organizations fail to document the changes made to business rules, leaving them blind to systemic weaknesses. The more inactive code is commented out of legacy applications, the less structure remains, creating additional gaps for malware and APTs.

Antivirus programs simply don’t offer enough protection for legacy applications, since few antivirus programs cater to aging systems. Likewise, the majority of antivirus solutions on the market do not scan inactive code—the points where legacy systems are most vulnerable. Even legacy-specific antivirus applications cannot protect against every attack that targets dead code.

In today’s technology environment, malware attacks and APTs rely on inactive code to hide from antivirus scans. This enables malware to go undetected, leaving organizations unaware that they have been compromised. For example, since 2009, the U.S. government has been discovering malware embedded in power generation systems across the East Coast — cyber threats capable of disabling power to several states.

Further complicating the issue is the fact that the cost of ongoing, specialized antivirus protection can dwarf the cost of addressing the root cause of the problem. There simply isn’t enough tape to cover every leaky hole, and more holes spring up on a continuous basis. So, despite private and public sector organizations funneling large portions of their IT budgets toward the maintenance of legacy applications, most organizations are not giving aging systems the attention they deserve.

Mitigating the Risk of Legacy Code

Malware attacks inflict a heavy toll on private and public sector organizations. Recovery from a sophisticated attack can cost as much as $3,000 per day, with undetected attacks extending costs over a period of weeks or months. In 2000, National Air Traffic Services systems crashed due to a bad update of legacy software, costing airlines and airports hundreds of thousands of dollars—a scenario similar to those created by malware attacks and APTs that target legacy applications.

But in addition to operational disruptions and lost productivity, attacks that exploit legacy code also jeopardize the security of sensitive business information. When secure data is compromised, the impact can extend beyond the reach of remedies that are available through simple cash expenditures. In many instances, organizations that suffer the loss of secure data struggle to repair the damage to brand reputation, loss of competitive advantage and other challenges that can take years to overcome.

With so much at stake, it’s clear that all organizations need to take steps to mitigate the risks associated with legacy code. But a costly overhaul of legacy systems isn’t the only way to effectively overcome legacy code issues. Although updating to modern systems addresses the problem, organizations can achieve significant cost savings by targeting flaws in existing legacy systems. Here are some remedies:

  • Identify and Eliminate Inactive Code – The first step is to identify and eliminate inactive code, removing opportunities for malware and APTs to lie hidden and undetected within the system.
  • Document Changes – It is critical to document changes made to business rules to protect the integrity of the system and to close gaps that are ripe targets for APTs and malware threats.
  • Re-Evaluate Business Rule Change Processes – Organizations need to seriously reconsider the processes associated with changes to business rules. Regardless of past routines, organizations can no longer afford to be complacent about application security when modifying business rules. Specifically, it is extremely dangerous to continue commenting out old code because it introduces a slate of vulnerabilities into the system.
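The first two remedies above (find the commented-out code, remove it, and leave a record of what was removed) can be partly automated. The script below is an added example, not code from the article or from EvolveWare: it assumes classic fixed-format COBOL (columns 1–6 sequence area, column 7 indicator, code in columns 8–72), uses a constructed keyword list to tell a commented-out statement apart from a genuine explanatory comment, and produces both a cleaned copy and a change record (line numbers plus a SHA-256 of the removed text) that can be filed with the change ticket. The sample program is constructed for the example.

```python
"""Inventory and strip commented-out COBOL statements from fixed-format source.

Added example, not the article's or EvolveWare's code. Assumption: fixed-format
COBOL where a '*' or '/' in column 7 marks a comment line. A comment whose
text begins with a COBOL verb, scope terminator or paragraph header is treated
as commented-out code; anything else is kept as documentation.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed keyword list; extend it for the dialect actually in use.
COBOL_VERBS = {
    "ACCEPT", "ADD", "CALL", "CLOSE", "COMPUTE", "DISPLAY", "DIVIDE", "ELSE",
    "END-IF", "END-PERFORM", "END-EVALUATE", "EVALUATE", "EXIT", "GO", "GOBACK",
    "IF", "INSPECT", "MOVE", "MULTIPLY", "OPEN", "PERFORM", "READ", "REWRITE",
    "SET", "STOP", "STRING", "SUBTRACT", "UNSTRING", "WHEN", "WRITE",
}

# Constructed sample: two real comments, four commented-out statements.
SAMPLE = """\
000100 IDENTIFICATION DIVISION.
000200 PROGRAM-ID. PAYROLL.
000300* Rate table last revised 1998 - see change ticket
000400 PROCEDURE DIVISION.
000500 1000-MAIN.
000600     MOVE WS-RATE TO WS-OLD-RATE
000700*    IF WS-STATE = 'CA' MOVE 0.0725 TO WS-TAX-RATE
000800*    PERFORM 2000-OLD-OVERTIME
000900     PERFORM 2000-OVERTIME
001000     GOBACK.
001100*2000-OLD-OVERTIME.
001200*    COMPUTE WS-OT = WS-HOURS * 1.5
"""


@dataclass
class DeadLine:
    lineno: int   # 1-based line number in the original source
    text: str     # the commented-out statement, whitespace trimmed


def _is_comment(line: str) -> bool:
    """Column 7 (index 6) holds the indicator; '*' and '/' are comment markers."""
    return len(line) >= 7 and line[6] in "*/"


def _body(line: str) -> str:
    """Columns 8-72 carry the statement text; the identification area is ignored."""
    return line[7:72].rstrip()


def looks_like_code(text: str) -> bool:
    """Heuristic: first token is a COBOL verb, or the whole comment is a
    paragraph header such as '2000-OLD-OVERTIME.'"""
    stripped = text.strip().upper()
    if not stripped:
        return False
    first = re.split(r"[\s.]", stripped, maxsplit=1)[0]
    if first in COBOL_VERBS:
        return True
    return bool(re.fullmatch(r"[0-9A-Z][0-9A-Z-]*\.", stripped))


def find_dead_code(source: str) -> list:
    """Return every comment line that appears to be a disabled statement."""
    dead = []
    for n, line in enumerate(source.splitlines(), start=1):
        if _is_comment(line) and looks_like_code(_body(line)):
            dead.append(DeadLine(n, _body(line).strip()))
    return dead


def strip_dead_code(source: str):
    """Return (cleaned_source, change_record); the record documents the removal."""
    dead = find_dead_code(source)
    dead_nos = {d.lineno for d in dead}
    kept = [l for n, l in enumerate(source.splitlines(), start=1) if n not in dead_nos]
    removed_blob = "\n".join(d.text for d in dead).encode()
    record = {
        "removed_lines": [d.lineno for d in dead],
        "removed_count": len(dead),
        "removed_sha256": hashlib.sha256(removed_blob).hexdigest(),
    }
    cleaned = "\n".join(kept) + ("\n" if source.endswith("\n") else "")
    return cleaned, record


if __name__ == "__main__":
    for d in find_dead_code(SAMPLE):
        print(f"line {d.lineno:4d}: commented-out code: {d.text}")
    cleaned, record = strip_dead_code(SAMPLE)
    print(record)
    print(cleaned)
```

Run against a real code base, the report is the inventory that the first remedy calls for, and the change record is the documentation the second remedy calls for; the heuristic errs on the side of flagging, so a human still reviews each hit before the cleaned copy is checked in. Continuation lines (`-` in column 7) and debugging lines (`D`) are not treated as comments here.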

Overcoming the vulnerabilities related to legacy code isn’t an easy task, but it’s a task that many organizations and agencies must face. Over the years, sloppy program modifications have created weak points in key systems, leaving IT infrastructure vulnerable to malware and APTs. However, by identifying and eliminating inactive code, documenting changes and re-evaluating the processes around modifications to business rules, private and public sector organizations can dramatically improve the security of systems, while avoiding the expense of costly system overhauls.

About the Author:

Miten Marfatia has over 25 years of experience co-founding and managing state-of-the-art hardware and software solution companies. He currently serves as the CEO and CFO of EvolveWare, Inc., a software company that has developed a unique transformation technology to automate the transformation of any source system to any target system.