First, thanks to PreEmptive for inviting me to do a guest post.
Since you’re reading this on preemptive.com, you are already aware of and probably concerned with the importance of planning for security in application development. In this guest blog post, I want to address the security vulnerabilities legacy applications present to your entire organization.
If the Equifax hack wasn’t a wake-up call for your entire appsec team, you’re probably headed for an earlier retirement than you might have planned.
Equifax wasn’t hacked solely because they ran an old version of Apache Struts, but it didn’t hurt. They were hacked because they didn’t update the software with a patch they had until after the vulnerability had been exploited. Waiting was fatal.
I’m pretty sure the “unnamed individual” doesn’t work there anymore, nor do the CEO, CIO, or CSO. Equifax will be in court for years, but more importantly, people like you and me now have our PII scattered all over the interwebs to be sold like chattel to whoever wants to ruin our lives.
It’s all a big bowl of wrong.
One of the more common threads running through cyber horror news is that an attack vector was old, as in legacy. Legacy OS, legacy platform, legacy apps, and even legacy languages. Legacy is old, old is dangerous, and thus legacy is dangerous. Let me restate that:
But why, you ask? After all, my legacy app has been running fine for all these years. I’m still here—there is no hack that I can see.
“If it ain’t broke, don’t fix it.”
Well, the Equifax app had been running fine for years, too. Although they had experienced earlier hacks, they were on other applications. And I’m pretty sure (just guessing) that on the morning of the discovery, no one got up, yawned, and thought, “Today’s the day my career goes down in flames.” Everyone thinks they’re okay until they aren’t.
The following isn’t new, but it’s even more relevant today:
Old stuff sticks around because there frequently isn’t a reasonable way to make it newer or replace it. Looking at legacy code, you have some clear choices about disposition:
The Visual Basic Upgrade Companion (VBUC) has existed since the dawn of .NET. It’s the most trusted and popular method for migrating VB6 apps to .NET, targeting either C# or VB.NET. Over 80% of the Global 1000 have used the VBUC to migrate billions of lines of legacy VB6 code.
Why? Why not rewrite? Because using the VBUC, you don’t introduce errors in existing, proven business logic code. You don’t change namespaces, comments, or structure. You don’t have a plug-in or runtime, which depends on a third-party company. The VBUC generates native .NET, readable, understandable, familiar, and correct. That cuts time and risk out of the equation, letting you get off legacy quickly.
Further, the VBUC is your on-ramp to web, mobile, and cloud. The .NET apps generated by VBUC can be fed into WebMAP and migrated to a well-formed web application as a second step. They are ready for Azure or AWS, are less complex, and are expensive to deploy.