How to fix up legacy applications that were not made to be secure?

 
Ranch Hand
Posts: 75
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Is there a better way to fix up legacy applications that were not built to be secure? Many applications, due to deadlines, were built only thinking about their functionality, and not concerned about security (they allow SQL injection, and many other problems).
 
Sheriff
Posts: 17644
300
Mac Android IntelliJ IDE Eclipse IDE Spring Debian Java Ubuntu Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
While it's a bit broad, I think this question is one that many application teams ask themselves. This goes back to one of the points I mentioned in another thread: Developers often don't know where to start when it comes to securing their application. There are so many ways that an application can be attacked and there's only so much time in which to shore up your defenses. Sure, building security in from the start is probably the best approach but what do we do about legacy apps?

I think you have to start with a security assessment and risk analysis. Once you have that, you can focus on the aspects of your application that are at greatest risk, where risk accounts for the probability of an attack and the costs of defending/preventing/mitigating/sustaining/recovering from a successful attack.
 
Author
Posts: 53
7
MySQL Database Tomcat Server Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
When dealing with legacy apps, approach the SDLC in reverse.

First do your assessment (code review and pentesting) to understand what is vulnerable.
Fix what you can in code. Consider mitigating controls like a Web Application Firewall but only if necessary.
Be sure your developers who continue to maintain the app are educated about secure development processes.

"Fixing" insecure legacy apps is expensive and challenging and there is no silver bullet that makes it easy.

Aloha,
Jim Manico
jim@manico.net
@Manicode
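The two concrete steps in the reply above, "assessment (code review ...)" and "fix what you can in code", applied to the SQL injection case the original question raises. This is an added example, not code from anyone in the thread: a crude code-review heuristic that flags SQL built by string concatenation, plus the legacy query pattern beside its parameterized replacement, run against a constructed in-memory SQLite table. Python's standard sqlite3 module is used so it runs without a database server; the same fix in Java is a PreparedStatement with bound parameters instead of a concatenated string.

```python
import re
import sqlite3

# --- Step 1: assessment. A code-review heuristic (an assumption of this example,
# not a real tool): flag any line where a string literal containing a SQL keyword
# is immediately followed by '+', i.e. the query text is being concatenated.
SQL_CONCAT = re.compile(
    r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE|WHERE)\b[^"]*"\s*\+',
    re.IGNORECASE,
)


def find_concat_sql(source: str) -> list[int]:
    """Return 1-based line numbers whose SQL literal is concatenated with '+'."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SQL_CONCAT.search(line):
            hits.append(lineno)
    return hits


# Constructed sample of legacy Java source for the review heuristic to scan.
SAMPLE_JAVA = '''\
String sql = "SELECT * FROM users WHERE name = '" + name + "'";
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
stmt.execute("DELETE FROM sessions WHERE id = " + id);
'''


# --- Step 2: fix in code. Constructed in-memory table standing in for the app's DB.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_legacy(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # Legacy pattern: the caller's input becomes part of the SQL text, so a value
    # containing a quote changes the meaning of the query instead of being data.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # Hardened pattern: the SQL text is constant; the value is bound as a
    # parameter and can never be interpreted as SQL, whatever it contains.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    print("concatenated SQL on lines:", find_concat_sql(SAMPLE_JAVA))
    conn = make_db()
    # The textbook tautology value a reviewer uses to confirm the defect: the
    # legacy query returns every row, the parameterized one matches nothing.
    probe = "x' OR '1'='1"
    print("legacy :", find_user_legacy(conn, probe))
    print("fixed  :", find_user_fixed(conn, probe))
    print("normal :", find_user_fixed(conn, "alice"))
```

The regex is deliberately simple and will miss queries assembled with StringBuilder or across lines; it is a starting point for the manual review, not a substitute for it. The behavioural check at the end is the kind of test to keep in the regression suite after the fix, so the concatenated form cannot quietly come back during later maintenance.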