How legacy code is exposing business and government systems

Advanced persistent threats plague applications that were written decades ago in dead programming languages


The evolution of technology has made businesses, organizations and government agencies increasingly dependent on sophisticated IT infrastructure — and alarmingly vulnerable to a barrage of cybersecurity threats.

A recent report by Arbor Networks found a 36 percent increase in the number of organizations targeted by Advanced Persistent Threats (APTs) in 2013. But while most high-profile discussions of cybersecurity threats center on the consequences of human error, APTs that target legacy applications are becoming a major source of system breaches.

The problem is that many businesses and government agencies continue to rely on applications that were written decades ago in programming languages that are no longer used or taught, making them ideal targets for malware attacks. The presence of legacy code creates a security gap that is ripe for exploitation — quietly and over time, in a manner that takes advantage of vulnerabilities without alerting standard IT defense mechanisms.

With legacy systems now central to the operations of most large organizations, there is a critical need to address the security threats posed by outdated code and similar vulnerabilities. But expensive and time-consuming system overhauls aren’t the only way to insulate IT infrastructure. For many organizations, the simpler solution involves the identification, removal and documentation of legacy code within existing IT systems.

The Legacy Code Threat

Although the COBOL programming language was first implemented in 1959, 70 percent of all business transactions are still processed in COBOL. As a result, systems that were secure at launch are likely riddled with security holes today, more than three decades after they were created.

As legacy systems age, the amount of dead code that populates them continues to expand. Changes in business rules require applications to be modified, but existing business rules are often commented out rather than truly eliminated from the system. Even more concerning, many organizations fail to document the changes that have been made to business rules, leaving them vulnerable and blind to systemic weaknesses. The more inactive code is commented out of legacy applications, the less structure remains, creating additional gaps for malware and APTs.
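One way to inventory the commented-out business rules described above so they can be documented and removed. This is an added example, not code from the original article: it scans fixed-format COBOL source for comment lines (indicator * or / in column 7) whose text begins with a statement verb. The verb list, function names and sample program are assumptions constructed for illustration, and the match is a heuristic that a reviewer still has to confirm.

```python
# Statement verbs that open most COBOL procedure statements (assumed, not exhaustive).
VERBS = {"MOVE", "IF", "ELSE", "END-IF", "PERFORM", "COMPUTE", "ADD", "SUBTRACT",
         "MULTIPLY", "DIVIDE", "CALL", "GO", "EVALUATE", "READ", "WRITE",
         "DISPLAY", "EXEC", "OPEN", "CLOSE", "SET"}

def is_dead_code(line):
    """True if a fixed-format line is a comment whose text looks like a statement."""
    # Column 7 (index 6) is the indicator area; '*' or '/' marks a comment line.
    if len(line) < 8 or line[6] not in "*/":
        return False
    words = line[7:72].split()          # columns 8-72 hold the program text
    return bool(words) and words[0].upper().rstrip(".") in VERBS

def find_dead_blocks(source, min_lines=2):
    """Return (first_line, last_line, statements) for runs of commented-out code."""
    blocks, run = [], []
    # A trailing empty line flushes a run that reaches the end of the file.
    for number, line in enumerate(source.splitlines() + [""], 1):
        if is_dead_code(line):
            run.append((number, line[7:72].strip()))
            continue
        if len(run) >= min_lines:
            blocks.append((run[0][0], run[-1][0], [text for _, text in run]))
        run = []
    return blocks

# Constructed sample program: a retired rule left in place as comments.
SAMPLE = """\
000100 PROCEDURE DIVISION.
000200* Discount rule retired (constructed sample, no change record).
000300*    IF CUST-TYPE = 'GOLD'
000400*        COMPUTE DISCOUNT = TOTAL * 0.15
000500*    END-IF.
000600     COMPUTE DISCOUNT = TOTAL * 0.05.
000700*    MOVE ZERO TO DISCOUNT.
000800     STOP RUN.
"""

if __name__ == "__main__":
    for first, last, statements in find_dead_blocks(SAMPLE, min_lines=1):
        print(f"lines {first}-{last}: {len(statements)} commented-out statement(s)")
        for text in statements:
            print(f"    {text}")
```

Each reported block is a candidate for removal together with an entry in the change record; prose comments that happen to start with a verb such as "If" or "Set" will also match and need a manual check.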

Antivirus programs simply don’t offer enough protection for legacy applications, since few antivirus programs cater to aging systems. Likewise, the majority of antivirus solutions on the market do not scan inactive code—the points where legacy systems are most vulnerable. Even legacy-specific antivirus applications cannot protect against every attack that targets dead code.

In today’s technology environment, malware attacks and APTs rely on inactive code to hide from antivirus scans. This enables malware to go undetected, leaving organizations unaware that they have been compromised. For example, since 2009, the U.S. government has been discovering malware embedded in power generation systems across the East Coast — cyber threats capable of disabling power to several states.

Further complicating the issue is the fact that the cost of ongoing, specialized antivirus protection can dwarf the cost of addressing the root cause of the problem. There simply isn’t enough tape to cover every leaky hole, and more holes spring up on a continuous basis. So, despite private and public sector organizations funneling large portions of their IT budgets toward the maintenance of legacy applications, most organizations are not giving aging systems the attention they deserve.

Mitigating the Risk of Legacy Code

Malware attacks inflict a heavy toll on private and public sector organizations. Recovery from a sophisticated attack can cost as much as $3,000 per day, with undetected attacks extending costs over a period of weeks or months. In 2000, National Air Traffic Services systems crashed due to a bad update of legacy software, costing airlines and airports hundreds of thousands of dollars—a scenario similar to those created by malware attacks and APTs that target legacy applications.
