The Equifax breach underscored the risk posed by unpatched software applications. As a refresher, 146 million customer records were exposed after attackers exploited a known vulnerability in Apache Struts for which a patch had already been released. The reality is that enterprises support an ever-growing number of applications, both commercial and homegrown, which makes it difficult to keep even the most critical applications properly patched.
That challenge becomes even harder when you consider legacy enterprise applications that are no longer monitored or maintained. Attackers will use any means available to gain access to an organization's network, and a legacy app can be the ideal way in if the organization doesn't have a comprehensive security plan that covers even its oldest, most seldom-used applications.
Most enterprises and organizations have neglected, outdated apps within their tech stack. It's a fairly typical part of the organizational lifecycle. As organizations grow, they encounter growing pains and struggle to keep up with development and business goals. As workflows and priorities shift, unnecessary apps are forgotten but never actually removed from the technology stack. An application nobody is watching is still reachable, still running old code, and still a target, so blind spots like this represent a serious risk for the business.
Mitigating the risk that legacy apps represent is no easy task – it requires work and planning. The following are a few best practices for ensuring a sound application security posture:
Leverage existing standards and regulations
Conducting a full security audit is a lot of work. To lighten the load, the organization should make use of every resource available. Cross-reference legacy applications against the compliance regulations and security requirements you already have to meet, such as GDPR. Established requirements exist to help organizations achieve sound security, so use them as a ready-made checklist and turn them to the organization's favor.
Maintain an accurate app inventory
You can't fix what you can't see. Create an accurate app inventory and update it on a regular basis. This catalog should list every application and its dependencies, including third-party applications and components. Record each app's main purpose and assign it an owner. That individual should understand how the app is implemented and be responsible for removing it from the stack when it is no longer necessary.
Regularly address tech debt
Dedicate some of your development team's time to ongoing tech debt and maintenance. Constantly updating, monitoring and maintaining apps, legacy apps included, is burdensome, so make it a standing assignment with explicit ownership by a portion of the team before the work builds up.
Establish policies for sunsetting old apps
As you conduct security audits and address tech debt, you will likely find legacy apps that aren't necessary anymore. With organizational growth and new workflows, it's imperative that older applications be removed once their use case no longer exists. Retire these apps and establish an internal procedure for doing so. Make sure the app's owner is aware of the removal and is able to raise any concerns. Once an app is removed from the organization's stack, also remove it from the inventory, so the roster continues to reflect what is actually deployed.
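As an added example that is not part of the original article, the script below turns the inventory and sunsetting practices above into a repeatable check. It audits a constructed sample inventory (app names, owners, dates and dependency versions are all illustrative) for the gaps described in the text: apps with no owner, apps not reviewed within a year, dependencies below a hypothetical supported-version floor, and apps marked retired that are still listed. The `EOL_FLOOR` table is an assumption for the demo; in practice it should come from the vendor's actual support policy.

```python
"""Audit an application inventory for unowned, stale, unsupported or retired-but-listed apps."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory. Names, owners, dates and versions are illustrative only.
INVENTORY = [
    {"name": "billing-portal", "owner": "alice", "last_reviewed": "2024-03-01",
     "status": "active", "dependencies": [{"name": "struts", "version": "2.3.20"}]},
    {"name": "legacy-reporting", "owner": "", "last_reviewed": "2019-06-15",
     "status": "active", "dependencies": []},
    {"name": "old-intranet", "owner": "bob", "last_reviewed": "2023-11-20",
     "status": "retired", "dependencies": []},
    {"name": "hr-portal", "owner": "carol", "last_reviewed": "2024-01-10",
     "status": "active", "dependencies": [{"name": "struts", "version": "2.5.33"}]},
]

# Hypothetical support floors: a dependency whose version sorts below the floor is
# treated as unsupported. Replace with the real vendor/upstream support policy.
EOL_FLOOR = {"struts": (2, 5)}


@dataclass(frozen=True)
class Finding:
    app: str
    issue: str


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple of ints so comparisons are numeric."""
    return tuple(int(part) for part in version.split("."))


def audit(inventory, today: date, max_review_age_days: int = 365) -> list:
    """Return one Finding per inventory gap; an empty list means the roster is clean."""
    findings = []
    for app in inventory:
        name = app["name"]

        # Retired apps must leave the inventory, otherwise the roster stops matching reality.
        if app["status"] == "retired":
            findings.append(Finding(name, "retired app still listed in inventory"))
            continue

        # Every live app needs someone accountable for patching and eventual removal.
        if not app.get("owner"):
            findings.append(Finding(name, "no owner assigned"))

        # A roster entry nobody has looked at in a year is a blind spot, not an inventory.
        age = today - date.fromisoformat(app["last_reviewed"])
        if age > timedelta(days=max_review_age_days):
            findings.append(Finding(name, f"not reviewed for {age.days} days"))

        # Compare each dependency against the support floor, on the floor's precision.
        for dep in app["dependencies"]:
            floor = EOL_FLOOR.get(dep["name"])
            if floor and parse_version(dep["version"])[:len(floor)] < floor:
                findings.append(Finding(
                    name, f"dependency {dep['name']} {dep['version']} is below supported floor"))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, date(2024, 6, 1)):
        print(f"{f.app}: {f.issue}")
```

Run against the sample data, the audit flags the unsupported Struts line in `billing-portal`, the unowned and stale `legacy-reporting`, and the retired `old-intranet` that was never removed from the roster, while `hr-portal` passes. Wiring a check like this into a scheduled job is what turns "maintain an inventory" from a one-off cleanup into something that catches the next forgotten app.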
A comprehensive security approach must cover every facet of the technology infrastructure. It's easy for development teams to forget about outdated apps, but attackers don't. Vulnerabilities in legacy apps create easy entry points for attackers who are looking for any opportunity to gain access to your network.
Development teams have limited time, and the widening cybersecurity skills gap is exacerbating this issue. However, the enormity of the challenge does not eliminate the need to address it.
Unnecessary legacy apps can easily remain in a technology stack and expose the organization to serious damage if organizational guidelines and procedures are not established and followed. By following the best practices presented in this article, organizations can mitigate the risk that legacy apps represent, ensuring that some disused corner of their tech stack won’t come back to bite them.