First, thanks to PreEmptive for inviting me to do a guest post.
Since you’re reading this on preemptive.com, you are already aware and probably concerned with the importance of planning for security in application development. And in this guest blog post, I want to address specifically the security vulnerabilities that legacy applications present to your entire organization.
If the Equifax hack wasn’t a wakeup call for your entire appsec team, you’re probably headed for an earlier retirement than you might otherwise have planned for.
Equifax wasn’t hacked solely because they were running an old version of Apache Struts, but it didn’t hurt. They were hacked because they didn’t update the software with a patch they had until after the vulnerability had been exploited. Waiting was fatal.
I’m pretty sure the “unnamed individual” doesn’t work there anymore, nor do the CEO, CIO, or CSO. Equifax will be in court for years, but more importantly, people like you and me now have our PII scattered all over the interwebs to be sold like chattel to whomever wants to ruin our lives.
It’s all a big bowl of wrong.
One of the more common threads I see running through cyberhorror news is that an attack vector was something old, as in legacy. Legacy OS, legacy platform, legacy apps, even legacy languages. Legacy is old, old is dangerous, and thus legacy is dangerous. Let me restate that:
But why, you ask. After all, my legacy app has been running fine for all these years. I’m still here–no hack that I can see.
“If it ain’t broke, don’t fix it.”
Well, the Equifax app had been running fine for years, too. And although they had experienced earlier hacks, they were on other applications. And I’m pretty sure (just guessing) that the morning of the discovery no one got up, yawned, and thought, “Today’s the day my career goes down in flames.” Because everyone thinks they’re ok until they aren’t.
I wrote this a little while ago, but it’s even more relevant today:
Old stuff sticks around because there frequently doesn’t seem to be a reasonable way to make it newer or just replace it. Looking at legacy code, you have some clear choices about disposition:
The Visual Basic Upgrade Companion (VBUC) has been around since the dawn of .NET. It’s the most trusted and popular method to move VB6 apps to .NET–targeting either C# or VB.NET. The VBUC has been used by over 80% of the Global 1000 to migrate billions of lines of legacy VB6 code.
Why? Why not rewrite? Because using the VBUC, you don’t introduce errors in existing, proven, business logic code. You don’t change namespaces, comments, or structure. You don’t have a plug-in or runtime with its commensurate dependency on a third-party company. The VBUC generates native .NET, readable, understandable, familiar, and correct. That cuts time and risk out of the equation, letting you get off legacy quickly and efficiently.
Further, the VBUC is your on-ramp to web, mobile, and cloud. The .NET apps generated by VBUC can be fed into WebMAP and migrated a second step to a well-formed web application, using popular building blocks like ASP.NET MVC, JSON, JavaScript, HTML5, and more. Ready for Azure or AWS. Ready to run on mobilize. Less complex and expensive to deploy.