Buggy legacy software is an 'ugly elephant'

Co-founder and CTO of Veracode Inc. Chris Wysopal has recently been interviewed on the subject of how difficult it is to address legacy software in an organisation.

While Wysopal’s comments make great reading, one has to question whether legacy software is always a “challenge” and therefore a problem. After all, there is a school of thought which says that older software can be a good thing — as below:

Legacy software is not bad software; legacy software is software that still works!

But specifically, Veracode’s Wysopal talks about the need to “make good” legacy applications from a security perspective. This is because, when it comes to the work of programmers, they are faced with two options:

1. Retrofit and re-engineer older legacy code to bring it up to current security standards, taking into account present-day malware and penetration threats, and in some cases refreshing the programming language in use.

2. Write secure code only when writing new code.

While option #2 might sound like a good idea, it arguably leaves these older legacy applications in a bedraggled, discombobulated state of slackness, so that they no longer represent the sharpest tools around.

“It’s so much easier to write secure code on new code than to go back and retrofit old code,” says Wysopal.

“The development team is gone, there are no resources and it’s just built with older languages, frankly in a fairly ugly way. To me that’s the big elephant in the room for application security. We just can’t ignore all the applications that have been built prior to today. Some of these applications will last another decade, so they need to be secured at some point. That’s a real challenge.”

Wysopal goes on to talk about the need for every developer to skill up and embrace the need to build in robust application security as part of every project undertaken, since we currently suffer under what he calls a “breadth gap” in terms of both awareness and skills.

Time to go elephant hunting?