As a security-conscious developer, contributing to a legacy system development project is a real headache. It’s like starting work on an old house in ruins that sits on cracked foundations. Where to start when the problems encountered are as varied as they are critical?
An application on a legacy system may have its security threatened by unmaintained dependencies with older versions of software libraries, misconfiguration, or even using insecure protocols and open source components with known vulnerabilities, such as the recently discovered CVE-2021-44228 (log4d).
If we continue the analogy of the house, we can compare the unmaintained outbuildings to a damaged roof. If we don’t take care of it right away, the problem will get worse until it becomes critical. Using insecure protocols is like a broken door lock and therefore represents a boon for intruders. Cracked foundations are reminiscent of vulnerable open source libraries. A disaster can strike at any time, a malicious actor attacking an application will have the same effects as a storm bringing down a house. Prioritizing security issues thus seems complicated, if not impossible, and it can be tempting for developers to choose to destroy everything to start from scratch.
The online behavior of a French person is shared 340 times a day on average
Measure the impact and the efforts to be made
Adopting a simple system for prioritizing actions to take is a first step. By evaluating the benefits that a correction can have according to the severity of the vulnerability, it will thus be possible to prioritize those that are critical and those that only require good cyber hygiene.
After prioritizing the security problems, it is now necessary to assess the efforts they will require to be resolved. For example, replacing much of the vulnerable functionality will be much more burdensome than replacing a dependency with another updated version.
After setting up this evaluation process, the to-do list is divided into four main categories:
- Tasks with a high impact but which do not require a lot of remediation effort should be given priority because they will quickly make a big difference to the level of application security.
- Tasks with a high impact and which are complicated to deal with are the ones to be taken care of in the second time after the easiest to correct
- Tasks with low impact and easily manageable should be in the background, they should be taken care of punctually between two more important tasks.
- Complex tasks without major consequences should be placed at the bottom of the list. It is interesting to take a step back from this type of task in order to define the best approach to act as efficiently as possible.
Don’t forget about usability
Assessing effort and impact can help sort out the to-do list efficiently. However, this policy does not work for very long lists or when first applying security compliance to an application. It is then necessary to include a third dimension which can be exploitability.
An application is likely to have exceptional vulnerabilities such as long-standing issues that involve nearly every operating system and programming language or edge cases with many common open source libraries. However, if all the conditions necessary for the exploitation of the vulnerabilities are not met, they are less urgent to address. This is particularly the case for vulnerabilities that are not visible to cyber attackers and commands with a vulnerability that is not related to any project. Note that, sooner or later, all vulnerabilities will have to be fixed because the context can evolve and expose a vulnerability that was not exploitable until now.
Adding a third dimension makes it possible to sort and prioritize vulnerabilities in order to deal with them effectively, regardless of the degree of progress of the project. For this you will need tools, especially when the list of corrections is long. This is when automation becomes particularly important in helping businesses combat cyber threats. Sorting and prioritizing the necessary corrections and changes is essential to improving the security of an application. Applying methods and solutions to the service of developers allows to accelerate its necessary steps to guarantee the continuous security of applications.