This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact if you have any questions about the US-CERT website archive.

Software Security in Legacy Systems

Author(s): Carl C. Weber
Maturity Levels and Audience Indicators: / E
SDLC Life Cycles: Maintenance, Management
Copyright: Copyright © Cigital, Inc. 2005-2007. Cigital retains copyrights to this material.


Much of the emphasis in your organization is undoubtedly on new systems work. You certainly have well-developed processes for building new systems, and you carefully track new software development activity. This attention is appropriate, since it is not simple to install new software, test it fully, and deploy it throughout the organization.

Typically, though, a large portion of your code base lies in the legacy systems: not just the major systems, but a myriad of smaller systems in every corner of the organization. These legacy systems do the hard, day-to-day work of your organization. Further, a considerable portion of your systems development work is directed at maintenance and extension of these existing systems, though these smaller projects are often done without benefit of the rigorous methods, independent review, and management attention devoted to new systems work. The result is increased performance risk and greater security risk.

Discussions elsewhere on the Build Security In web site address developing new systems. Their basic message is that you should design and code systems with security in mind. Systems constructed in this way are inherently more secure because they minimize the design flaws and coding errors that attackers can exploit.

But your existing legacy systems undoubtedly contain the same sorts of security flaws and bugs that attackers look for and that you work so hard to root out and contain in new systems. How should you address these in legacy systems?

This content area offers two articles to help answer this question.