
Murder of Cybersecurity by Legacy Applications

Friday, September 21, 2018

The Equifax breach and the WannaCry and NotPetya epidemics all exploited flaws in systems and applications that had been left unpatched, unsupported or untracked: shadow, legacy and abandoned software. An unsupported application receives no fixes from its author, and an unknown one receives none from its owner, so such applications pose a tremendous risk to organizations.



What are Legacy Apps?

“Legacy” is a phase in the application maturity life-cycle, after an application’s usefulness and relevance have become outdated but before it can be considered completely obsolete. Whether an app is “legacy” or “obsolete” is determined by whether it is still used in business operations; in both cases the application is no longer supported or updated by its original developer. If an organization nonetheless continues to use it, the application falls under the banner of “Legacy IT”.

The key issue for cybersecurity is that legacy apps are no longer supported: their original author neither updates nor patches them against newly discovered vulnerabilities, so every new finding against them stays open.

The extent of the problem

A study conducted in June 2018 by Macro 4, a division of UNICOM Global, found that legacy applications still have a huge presence in today’s businesses: 89 per cent of the UK IT executives surveyed admitted to knowingly allowing legacy applications to continue operating despite the security and data-storage issues. Even after an application loses developer support, it may hold important data, or simply be seen as too expensive or inconvenient to replace.


Legacy systems and applications may be outdated, but they are frequently still in operational use, and frequently attacked. In March 2018, for example, travel website Orbitz reported a breach through its legacy booking platform; the payment card details of about 880,000 customers were compromised in the attack.

Every unsupported legacy app remains exposed to the next exploit against it, because nobody is left to ship a fix.

Why legacy apps continue to prevail

There is a reason the legacy phase of app maturity exists despite the security risks it brings. Outmoded, unsupported and risky as these applications are, fully updating an organization’s IT estate can be extremely costly. Gartner estimates that for every dollar spent on innovation through 2020, it will cost an additional three dollars to continuously modernize and update legacy applications.

Legacy apps persist because it is easier to accept and ignore them than to do anything about them. As time passes, more apps become legacy apps and the problem worsens. This is a dangerous position: legacy web apps with unpatched vulnerabilities are easily found by cybercriminals.


Why are they so dangerous?

Legacy applications are not automatically a security threat, but the difficulty of keeping any legacy app secure grows with its age. How an application stores and handles data may have been adequate during its supported life, but a legacy app cannot respond to a changing threat landscape: new attack techniques and newly disclosed flaws in its components keep arriving, and nothing is shipped to address them. The business landscape makes app security harder still. Corporate restructuring, acquisitions and mergers, and a push for more automation can leave legacy apps unnoticed and unmonitored by IT or security. The danger of this was shown in February 2018, when FedEx was found to have left an Amazon S3 storage bucket exposed online. The bucket had belonged to Bongo, a company FedEx acquired in 2014, and the legacy store had gone unnoticed as Bongo’s assets were incorporated into FedEx’s.

The difficulty for businesses

Since their original developers are no longer issuing security updates, keeping legacy applications secure becomes a big drain on resources. Before anything else, it requires dedicated internal analysis to determine the risks of any legacy application. After this, the business needs to decide between three courses of action:

I. continue using the app, but restrict it to data the business can afford to put at risk and reduce its exposure (network segmentation, access limited to named users, a web application firewall in front of it), since no vendor fix is coming;

II. have an internal team take over the app’s code and patch it to improve security, which presupposes access to the source and a licence that permits modification;

III. scrap the legacy app, develop or license a new app to provide the same function, migrate all data from the old to the new, and then actually decommission the old one rather than leaving it running in parallel.

Each of these options puts pressure on the business’s time, capital and manpower. The only way to keep that pressure manageable is to continuously monitor the organization’s application roster and follow a well-planned policy to maintain or modernize as necessary. If such monitoring for legacy apps is not already in place, it should be instituted immediately.
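The monitoring step above has three concrete outputs: hosts that are live but absent from the sanctioned inventory (shadow IT), inventoried applications whose vendor support has ended (legacy), and inventoried hosts that no longer answer (decommissioning candidates). The script below, added here as an illustration and not code from the original article or an ImmuniWeb/High-Tech Bridge tool, reconciles two such lists. Both CSV inputs are constructed sample data, and the column names (`host`, `application`, `owner`, `support_ends`, `server_header`) are this example’s own convention.

```python
"""Reconcile a sanctioned application inventory against discovered hosts.

Added example; not the article's code and not an ImmuniWeb/High-Tech Bridge tool.
Inputs are constructed sample CSV text with this example's own column names.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample inventory: what the business thinks it runs.
INVENTORY_CSV = """host,application,owner,support_ends
shop.example.com,StoreFront 5,ecommerce,2021-06-30
booking.example.com,LegacyBook 2.1,travel,2016-12-31
wiki.example.com,TeamWiki,it,
retired.example.com,OldPortal,marketing,2015-01-31
"""

# Constructed sample discovery output: what actually answers on the internet.
DISCOVERED_CSV = """host,server_header
shop.example.com,nginx
booking.example.com,Apache/2.2.15
legacy-upload.example.com,Apache/2.0.63
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_support_end(value):
    """An empty support_ends cell means the date is unknown, which is itself a finding."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def reconcile(inventory_rows, discovered_rows, today):
    """Return sorted host lists per finding type.

    shadow          discovered but not in the inventory
    legacy          in the inventory, vendor support already ended
    exposed_legacy  legacy AND still reachable: the highest-priority subset
    unknown_support in the inventory with no support-end date recorded
    not_seen        in the inventory but not discovered: verify, then decommission
    """
    inventory = {r["host"]: r for r in inventory_rows}
    discovered = {r["host"]: r for r in discovered_rows}
    findings = {"shadow": [], "legacy": [], "exposed_legacy": [],
                "unknown_support": [], "not_seen": []}

    for host in discovered:
        if host not in inventory:
            findings["shadow"].append(host)

    for host, row in inventory.items():
        end = parse_support_end(row["support_ends"])
        if end is None:
            findings["unknown_support"].append(host)
        elif end < today:
            findings["legacy"].append(host)
            if host in discovered:
                findings["exposed_legacy"].append(host)
        if host not in discovered:
            findings["not_seen"].append(host)

    return {key: sorted(hosts) for key, hosts in findings.items()}


def run_sample_reconciliation(today=date(2018, 9, 21)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(load_rows(INVENTORY_CSV), load_rows(DISCOVERED_CSV), today)


if __name__ == "__main__":
    for finding, hosts in run_sample_reconciliation().items():
        print(f"{finding:16} {', '.join(hosts) or '-'}")
```

In practice the discovered list comes from whatever external discovery you run (DNS enumeration, certificate transparency, a commercial service), and `exposed_legacy` is the queue to work first: those hosts are both unsupported and reachable.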

Legacy in CMS

The issue of legacy IT is exacerbated in content management systems (CMS). A CMS needs to let users, internal or external, upload and update content quickly, securely and easily. Older CMS often have a higher skill barrier, are less efficient and need more time and resources to maintain, which eats into an organization’s budget as the CMS ages.

Even WordPress, modern, maintained, highly versatile, customizable and the world’s most popular CMS, is by no means free of legacy-related issues. Luca Fracassi, founder of the Addendio search engine for WordPress plugins, wrote, “When you pick a plugin you need to keep in mind that only 2 out of 10 plugins keep being updated after 3 years. Yes, you read that right. If you pick a free plugin that has just come out today, there’s an 80-90% chance that in 3 years’ time you won’t have any more updates.”

There is therefore a strong likelihood that a WordPress plugin will become an unmaintained legacy component within a very short time frame. Fracassi’s figures describe newly released plugins rather than the installed base, so they do not directly give the share of plugins in use that are already unsupported; but if they hold good, a large share of the plugins installed on a typical site have already lost support.
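Whether a given plugin has crossed that line can be checked mechanically. The script below is an added example for this article, not code from the original page or from High-Tech Bridge/ImmuniWeb: it parses the standard header block that WordPress reads from each plugin’s main PHP file and compares the installed version and the directory’s `last_updated` date, as returned by the public WordPress.org plugin-information API, against a staleness threshold. The plugin sources and API replies embedded below are constructed sample data, the two-year threshold is an assumption rather than a WordPress rule, and the assumption that a closed or removed plugin comes back from the API as an error object is noted in the code.

```python
"""Audit installed WordPress plugins for lost upstream support.

Added example for this article; not code from the original page or from
High-Tech Bridge / ImmuniWeb. Sample plugin sources and API replies below are
constructed; the two-year threshold is an assumption.
"""
import json
import re
from datetime import date, datetime
from urllib.request import urlopen

PLUGIN_INFO_URL = ("https://api.wordpress.org/plugins/info/1.2/"
                   "?action=plugin_information&request[slug]={slug}")

# Header fields WordPress itself recognises. They are matched the way WordPress
# does it: optional comment decoration (space, /, *, #, @) before the key.
HEADER_FIELDS = ("Plugin Name", "Version", "Requires at least", "Tested up to")


def parse_plugin_header(php_source: str) -> dict:
    """Return the 'Key: value' header lines found at the top of a plugin file."""
    info = {}
    for field in HEADER_FIELDS:
        pattern = r"^[ \t/*#@]*" + re.escape(field) + r":[ \t]*(.+?)[ \t]*$"
        match = re.search(pattern, php_source, re.MULTILINE | re.IGNORECASE)
        if match:
            info[field] = match.group(1)
    return info


def parse_last_updated(value: str) -> date:
    """The API reports e.g. '2015-04-20 9:49pm GMT'; only the date part is needed."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def fetch_directory_info(slug: str):
    """Live lookup (needs network). Returns the parsed JSON, or None when the
    directory has no usable entry. Assumption: a closed or removed plugin is
    answered with a JSON object carrying an 'error' key."""
    try:
        with urlopen(PLUGIN_INFO_URL.format(slug=slug), timeout=10) as resp:
            data = json.load(resp)
    except Exception:
        return None
    return None if "error" in data else data


def assess_plugin(header: dict, api_info, today: date, max_age_days: int = 2 * 365) -> dict:
    """Classify one plugin as current, outdated_install, legacy or closed_or_unlisted."""
    result = {"name": header.get("Plugin Name", "?"),
              "installed_version": header.get("Version")}
    if not api_info:
        result["status"] = "closed_or_unlisted"   # nobody upstream to ship a fix
        return result
    age = (today - parse_last_updated(api_info["last_updated"])).days
    result["directory_version"] = api_info.get("version")
    result["days_since_update"] = age
    if age > max_age_days:
        result["status"] = "legacy"               # upstream has gone quiet
    elif result["installed_version"] != result["directory_version"]:
        result["status"] = "outdated_install"     # upstream alive, this site behind
    else:
        result["status"] = "current"
    return result


def audit(plugins: dict, directory: dict, today: date) -> dict:
    """plugins: slug -> main PHP source; directory: slug -> API reply (or None)."""
    return {slug: assess_plugin(parse_plugin_header(src), directory.get(slug), today)
            for slug, src in plugins.items()}


# ---- constructed sample data (not real plugins) ----
SAMPLE_PLUGINS = {
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\n"
                       "Description: Constructed sample for this example.\n"
                       "Version: 1.4.2\nRequires at least: 3.5\nTested up to: 4.1\n*/\n",
    "old-forms": "<?php\n/**\n * Plugin Name: Old Forms\n * Version: 0.9\n */\n",
    "fresh-widget": "<?php\n/*\nPlugin Name: Fresh Widget\nVersion: 2.0.1\n*/\n",
}
SAMPLE_DIRECTORY = {
    "example-gallery": {"version": "1.4.2", "last_updated": "2015-04-20 9:49pm GMT"},
    "old-forms": None,   # closed plugin: the directory returns nothing usable
    "fresh-widget": {"version": "2.0.1", "last_updated": "2018-09-10 2:51pm GMT"},
}
AUDIT_DATE = date(2018, 9, 21)


def run_sample_audit() -> dict:
    """Audit the constructed sample plugins as of AUDIT_DATE."""
    return audit(SAMPLE_PLUGINS, SAMPLE_DIRECTORY, AUDIT_DATE)


if __name__ == "__main__":
    for slug, verdict in run_sample_audit().items():
        print(f"{slug:16} {verdict['status']:18} {verdict}")
```

On a real site, build `plugins` by reading the main PHP file of each directory under `wp-content/plugins/` and `directory` by calling `fetch_directory_info()` per slug; the `closed_or_unlisted` and `legacy` verdicts are the ones to treat as unsupported components.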


Legacy apps meet Shadow IT

Sometimes a company’s own staff are the biggest obstacle to keeping track of legacy applications. Even after an application has been deprecated or replaced as far as company policy is concerned, some staff may continue to use the more familiar legacy app without IT’s knowledge. When legacy IT and shadow IT combine in this way, it is the worst of both worlds. Shadow IT is always a security risk: however strong an organization’s security policies may be, an application nobody knows about cannot be secured.

Solving the legacy app problem

“Shadow IT and legacy applications are a plague of today,” High-Tech Bridge founder and CEO Ilya Kolochenko explains. “Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. On the other side, cybercriminals are very proactive, and as soon as a new vulnerability is discovered in a popular CMS they start exploiting it in the wild. Obviously, abandoned systems remain unpatched for years and serve as perfect prey to the attackers.”

The danger of legacy web apps is that they are easily discoverable by cybercriminals. The saving grace is that they are equally discoverable by security teams, provided the team actually looks for them.

All web-facing apps can be found in a non-intrusive manner with Immuniweb Discovery. Once all apps are known, their status can be ascertained. Legacy apps can be removed, replaced or maintained; and the risk of legacy apps can be managed. But the first step has to be discovery – and Immuniweb Discovery does just that.

