We were fortunate to have our CTO, Kunal Anand, interviewed by Eric Chabrow, Executive Editor of Information Security Media Group (ISMG), at the recent Gartner Security & Risk Management Summit on the challenge of securing vulnerable legacy applications.
Here's a recap:
Legacy apps are tricky.
For many organizations, a good chunk of today’s business-critical applications are entrenched in yesterday’s code bases and runtime environments.
For instance, enterprise IT's dependence on outdated Java, despite its serious vulnerabilities, has long been recognized in the industry, and the known “solutions” are far from easy. Yet over 90% of organizations are running a version of Java at least 5 years old, and 82% are running the most vulnerable version, SE6 (Source: Bit9).
Our ethos at Prevoty is to use a Secure SDLC (Software Development Lifecycle) from the get-go as a preventative measure, but for legacy apps, development is already complete and building in active prevention is not an option. But one way or another, security must be retrofitted. Today’s code analysis tools work well, but they’re generating significant vulnerability backlogs - fixing these defects forces you to confront ugly incompatibility and regression issues and slows your delivery timeline.
Modernizing Security (The Friendly Way)
By far, the biggest threat associated with legacy applications still comes from cross-site scripting (XSS). Instead of trying in vain to rewrite everything, we suggest a plug-in approach. Usability, with simple architecture and integration, is our highest priority, so we came up with a hassle-free way to deploy modern security without worrying about patching ancient code:
Drop Prevoty’s Trusted Content JAR file (Java) or a DLL (.NET) into your framework.
Prevoty’s engine intercepts and sanitizes malicious content before the app even sees it.
Even Chabrow asked, “Is it really that simple?” Our answer: “Yes!”
Retain Value, Keep Innovating
Bottom line, legacy apps are here to stay. The old maxim of “if it ain’t broke, don’t fix it” applies in spades to enterprises whose businesses depend on them. But your security teams would be right to say that they are broke if they expose the organization to threats. So the answer is to remediate quickly without re-coding, and let developers focus on new application and feature development.
Listen to the full recorded interview, where Kunal dives deeper into organization culture, security trends, and more.
Want to learn more about our Trusted Content Framework Plug-In? Download the datasheet here (PDF).