Building bridges in a fractured security ecosystem

Legacy systems may not be broken, but they still need fixing.

Because legacy systems are required and often critical to the daily operations of an enterprise, many companies are still using operating systems or applications that cannot be patched.

Developers are building applications with features in mind but security is usually an afterthought. The rush to publish applications surpasses the need to develop more secure software resulting in a fractured security ecosystem. As developers and defenders continue to learn how to work together, applications will become more secure.    

In a Forrester Research report, “Transform Your Security Architecture And Operations For The Zero Trust Ecosystem,” Rick Holland, vice president and principal analyst wrote, “Legacy, perimeter-centric approaches to security are ineffectual for today’s digital business. S&R pros need a new approach, and that approach is the Zero Trust Model of information security.”    

The case for many enterprises, said, Mark Curphy, CEO of SourceClear, is that as much as 90 percent of the software they use was not produced by them.

“Security team works on custom code--run scanning tools--but have no idea of the quality of those they didn’t develop,” said Curphy.

The fundamental way we build software has changed and changed quickly. At a time when the environment is constantly changing, the verified security of applications is changing with it. Despite the number of breaches, though, “Security isn’t even a speed bump, it’s the end of the line because pain isn’t being felt,” Holland said.  

This reality has not been lost of hackers, Curphy said.

[ ALSO ON CSO: 10 risky software that have passed their expiration dates ]

For many companies, regardless of size or industry, legacy systems cannot be patched because the original codes are too old. Outdated code libraries are problematic because when hackers are able to find a vulnerability in one library, they can exploit hundreds of applications, as was seen with the recent Java exploit.

According to Julien Bellanger, CEO of Prevoty, “Every large organization has a number of legacy systems. These are codes that are 5, 8, 10, or even 15 years old, for which there are no more developers that can update them.”

Many organizations function on legacy systems that date all the way back to late 1990’s, Bellanger said. Others are running from 2005 that are legacy in their environment because the notion of legacy is relative to the architecture of each organization’s system.

When critical applications are doing what they are designed to do, security professionals don’t focus on them every day.  “It’s kind of like you never think about the battery in your car until it fails,” said Bellanger.  “But If it is not maintained properly, if they are forgotten, then enterprises don’t spend any more resources on maintaining them, and they are vulnerable,” he continued.  

One reason this problem persists is the cycle of DevOps and the expansion of open source, noted Curphy. “A lot of systems grow up in Shadow IT,” he said.  

Because many of these Shadow IT systems are not developed in-house, their security is unreliable, and “managing these libraries of things that need to be constantly patched is really problematic,” Curphy said.

“A developer builds a piece of software or consumes someone else’s open source, and there’s lots of magic that happens behind the scenes,” Curphy said.  “It’s very tough for a human to track it and the vulnerabilities associated with it.”

As the environment changes, so will the targets for hackers.

“User data is going to be the ultimate goal for all hackers. Hackers will try to find a way to get that data, and to defend you have to be as close as possible to the data and the application,” said Bellanger.

Conducting business online is more prevalent which also makes it more vulnerable because data has become valuable information for hackers. Bellanger said, “Health care records are the highest paid records on the black market.”

As commercial companies move from the old credit card swipe to the EMV chip, a new class of hackers is evolving. Bellanger said, “Point of sale assaults are now shifting to the application. More people will focus on hacking online.”

Even though enterprises are not yet feeling the pain of breaches needed to catapult security to the top of everyone’s priority lists, many developers and security professionals are searching for ways to ensure more visibility and control across their ecosystem so as not to be the company that suffers more impact than a name in the headlines.

“The application ecosystem has always been protected behind the network, but that wall is going to crumble,” said Bellanger. “Now applications are most likely in multiple data centers or clouds, and you can’t build protection for the application.”

The more they build, the more developers they need and the more information security people, Bellanger noted. “There are not enough people focusing on security whether they are builders or defenders, so we have to start automating more,” he continued.

Curphy argued that the security professionals, developers, and defenders are all only beginning to understand the enormity of the fragmentation issue.

“The typical company is relying on 20,000 to 30,000 software libraries. To track that is a tough task in this day and age. Heartbleed is a great example. For many companies, it’s a matter of spending time on the code they write versus the code they consume,” said Curphy.

The evolution of SaaS and the transition to the cloud have caused a shift in the architecture for many enterprises. While cloud is not a fixed attack surface, it is a shift of environment.  

Bellanger said, “Like any new environment, it takes time to figure things out. They realize the defenses they put in place are not working.  There is a lot of money, and our apps are getting hacked, so we need to catch up with security.”

Having an application in the cloud is just having an application in multiple data centers.  Companies have to understand what is being done to protect the applications in every environment. Bellanger said, “Move the security to the core of the application and build the security infrastructure into the application itself.”

Self-defending applications, Bellanger said, “Bridges the gap in the fragmented ecosystem.” The architecture will continue to change along with the underlying infrastructure, so the way to bridge the gap is to make sure developers are building good applications and software.  

According to the Forrester Research report, security and risk professionals increasingly say they want what Bellanger suggests: Vendors to build security into their products and services, but before deploying products, enterprises need to evaluate tools and verify that they are effective.  

Security professionals “Need visibility into the interaction between users, apps, and data across a multitude of devices and the ability to set and enforce one set of policies irrespective of whether the user is connected to the corporate network,” Holland said in his report.

“Enterprises are still trying to sort out what is hype and what can actually be helpful,” Holland said. Focusing on agility and visibility as they adapt to new environments will help developers build applications and defenders secure their data in more effective and efficient ways.  

Join the CSO newsletter!

Error: Please check your email address.

More about CSOForrester Research

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kacy Zurkus

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place