Building bridges in a fractured security ecosystem

Dec 07, 2015 | 6 min read
Application Security, Data and Information Security, Operating Systems

Legacy systems may not be broken, but they still need fixing.

Because legacy systems are required and often critical to the daily operations of an enterprise, many companies are still using operating systems or applications that cannot be patched.

Developers build applications with features in mind, but security is usually an afterthought. The rush to ship applications outpaces the effort to develop more secure software, resulting in a fractured security ecosystem. As developers and defenders continue to learn how to work together, applications will become more secure.

In a Forrester Research report, “Transform Your Security Architecture And Operations For The Zero Trust Ecosystem,” Rick Holland, vice president and principal analyst wrote, “Legacy, perimeter-centric approaches to security are ineffectual for today’s digital business. S&R pros need a new approach, and that approach is the Zero Trust Model of information security.”    

For many enterprises, said Mark Curphey, CEO of SourceClear, as much as 90 percent of the software they use was not produced by them.

“Security teams work on custom code, run scanning tools, but have no idea of the quality of the code they didn’t develop,” said Curphey.

The fundamental way we build software has changed, and changed quickly. At a time when the environment is constantly changing, what counts as verified application security changes with it. Despite the number of breaches, though, “Security isn’t even a speed bump, it’s the end of the line because pain isn’t being felt,” Holland said.

This reality has not been lost on hackers, Curphey said.


For many companies, regardless of size or industry, legacy systems cannot be patched because the original code is too old. Outdated code libraries are problematic because once hackers find a vulnerability in one library, they can exploit hundreds of applications that embed it, as was seen with the recent Java exploit.

According to Julien Bellanger, CEO of Prevoty, “Every large organization has a number of legacy systems. This is code that is 5, 8, 10, or even 15 years old, for which there are no more developers who can update it.”

Many organizations run on legacy systems that date all the way back to the late 1990s, Bellanger said. Others run systems from 2005 that count as legacy in their environment, because the notion of legacy is relative to the architecture of each organization’s systems.

When critical applications are doing what they are designed to do, security professionals don’t focus on them every day. “It’s kind of like you never think about the battery in your car until it fails,” said Bellanger. “But if it is not maintained properly, if they are forgotten, then enterprises don’t spend any more resources on maintaining them, and they are vulnerable,” he continued.

One reason this problem persists is the cycle of DevOps and the expansion of open source, noted Curphey. “A lot of systems grow up in Shadow IT,” he said.

Because many of these Shadow IT systems are not developed in-house, their security is unreliable, and “managing these libraries of things that need to be constantly patched is really problematic,” Curphey said.

“A developer builds a piece of software or consumes someone else’s open source, and there’s lots of magic that happens behind the scenes,” Curphey said.  “It’s very tough for a human to track it and the vulnerabilities associated with it.”

As the environment changes, so will the targets for hackers.

“User data is going to be the ultimate goal for all hackers. Hackers will try to find a way to get that data, and to defend you have to be as close as possible to the data and the application,” said Bellanger.

Conducting business online is more prevalent, and that also makes it more vulnerable, because the data involved has become valuable to hackers. Bellanger said, “Health care records are the highest paid records on the black market.”

As commercial companies move from the old credit card swipe to the EMV chip, a new class of hackers is evolving. Bellanger said, “Point of sale assaults are now shifting to the application. More people will focus on hacking online.”

Even though enterprises are not yet feeling the pain of breaches needed to catapult security to the top of everyone’s priority lists, many developers and security professionals are searching for ways to gain more visibility and control across their ecosystem, so as not to become the company whose breach is more than a name in the headlines.

“The application ecosystem has always been protected behind the network, but that wall is going to crumble,” said Bellanger. “Now applications are most likely in multiple data centers or clouds, and you can’t build protection for the application.”

The more companies build, the more developers they need, and the more information security people as well, Bellanger noted. “There are not enough people focusing on security whether they are builders or defenders, so we have to start automating more,” he continued.

Curphey argued that the security professionals, developers, and defenders are all only beginning to understand the enormity of the fragmentation issue.

“The typical company is relying on 20,000 to 30,000 software libraries. To track that is a tough task in this day and age. Heartbleed is a great example. For many companies, it’s a matter of spending time on the code they write versus the code they consume,” said Curphey.
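The tracking problem Curphey describes here and in his earlier remarks about libraries that "need to be constantly patched" comes down to two concrete steps: keep an inventory of pinned third-party components, and match that inventory against an advisory feed with version ranges. The Python script below is an added example, not code from the article, SourceClear or Prevoty. The manifest, component names, version ranges and advisory identifiers (ADV-0001 and so on) are all constructed placeholders. The version parser handles letter-suffixed versions in the 1.0.1f / 1.0.1g style that OpenSSL used at the time of Heartbleed, which is the case that naive string comparison gets wrong.

```python
"""
Inventory pinned third-party components and match them against a
vulnerability feed. Every data value below is constructed for
illustration; the component names, versions and advisory identifiers
are placeholders, not real advisories.
"""
import re
from dataclasses import dataclass

# Constructed dependency manifest in the "name==version" style used by
# requirements.txt-like lock files. Lines starting with '#' are comments.
SAMPLE_MANIFEST = """\
# application dependencies (constructed sample)
webframework==2.3.1
tls-lib==1.0.1f
imaging==4.9.0
json-parser==0.8.2
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier such as "ADV-0001"
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" means no fix yet


# Constructed advisory feed; identifiers and ranges are placeholders.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "tls-lib", "1.0.1", "1.0.1g"),
    Advisory("ADV-0002", "imaging", "4.0.0", "4.9.2"),
    Advisory("ADV-0003", "webframework", "2.0.0", "2.3.0"),
    Advisory("ADV-0004", "json-parser", "0.8.0", ""),
]


def parse_version(text):
    """Turn '1.0.1f' into a tuple that compares the way humans expect.

    Each dot-separated piece becomes a (0, int) element for its numeric
    run, followed by a (1, str) element if a letter suffix is present.
    Tuples compare element by element, so 1.0.1 < 1.0.1f < 1.0.1g and
    4.9.0 < 4.9.2, whereas plain string comparison would put "4.10" < "4.9".
    """
    key = []
    for piece in text.split("."):
        digits, suffix = re.fullmatch(r"(\d*)(.*)", piece).groups()
        key.append((0, int(digits) if digits else 0))
        if suffix:
            key.append((1, suffix))
    return tuple(key)


def parse_manifest(text):
    """Return {component_name: pinned_version} from a name==version manifest.

    An unpinned dependency is an error: a component whose version is not
    known cannot be matched against any advisory range.
    """
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, cannot inventory: {line!r}")
        name, version = (part.strip() for part in line.split("==", 1))
        inventory[name.lower()] = version
    return inventory


def is_affected(version, advisory):
    """True when version lies in [introduced, fixed), or >= introduced if unfixed."""
    v = parse_version(version)
    if v < parse_version(advisory.introduced):
        return False
    if advisory.fixed and v >= parse_version(advisory.fixed):
        return False
    return True


def find_vulnerable(inventory, advisories):
    """Match an inventory against advisories; returns sorted findings.

    Each finding is (component, installed_version, advisory_id, action).
    """
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.component.lower())
        if installed is not None and is_affected(installed, adv):
            action = (f"upgrade to >= {adv.fixed}" if adv.fixed
                      else "no fix published; mitigate or replace")
            findings.append((adv.component, installed, adv.advisory_id, action))
    return sorted(findings)


if __name__ == "__main__":
    inventory = parse_manifest(SAMPLE_MANIFEST)
    for component, installed, advisory_id, action in find_vulnerable(
            inventory, SAMPLE_ADVISORIES):
        print(f"{component} {installed}: {advisory_id} -> {action}")
```

The point of the exercise is that the webframework pin (2.3.1) is correctly cleared because it is at or past the fixed version, while the three other components are flagged, one of them with no fix available, which is exactly the legacy situation Bellanger describes. In a real deployment the manifest would come from the build's lock file and the advisory list from a vulnerability feed, but the matching logic is the same.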

The evolution of SaaS and the transition to the cloud have caused a shift in the architecture of many enterprises. The cloud is not a fixed, new attack surface so much as a change of environment.

Bellanger said, “Like any new environment, it takes time to figure things out. They realize the defenses they put in place are not working.  There is a lot of money, and our apps are getting hacked, so we need to catch up with security.”

Having an application in the cloud is just having an application in multiple data centers.  Companies have to understand what is being done to protect the applications in every environment. Bellanger said, “Move the security to the core of the application and build the security infrastructure into the application itself.”

Self-defending applications, Bellanger said, “bridge the gap in the fragmented ecosystem.” The architecture will continue to change along with the underlying infrastructure, so the way to bridge the gap is to make sure developers are building good applications and software.

According to the Forrester Research report, security and risk professionals increasingly say they want what Bellanger suggests: vendors building security into their products and services. Before deploying those products, however, enterprises need to evaluate the tools and verify that they are effective.

Security professionals “need visibility into the interaction between users, apps, and data across a multitude of devices and the ability to set and enforce one set of policies irrespective of whether the user is connected to the corporate network,” Holland said in his report.

“Enterprises are still trying to sort out what is hype and what can actually be helpful,” Holland said. Focusing on agility and visibility as they adapt to new environments will help developers build applications and defenders secure their data in more effective and efficient ways.  


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
