Half of UK organisations say they expect to be a victim of cybercrime, making it the UK’s largest economic crime. Many businesses rely on legacy code that was written before current threats existed, potentially in programming languages no longer used or taught, making them ideal for malicious attacks. Carrying out a software security audit is an excellent way of identifying the presence of legacy code which may be creating a software security gap that is ripe for exploitation.
As your software system ages, the amount of dead or potentially vulnerable code contained within it will continue to expand. Changes in business rules require business-critical software applications to be modified, but existing business rules can be left active but unused, rather than eliminated from a system. As the inactive code falls out of use in legacy applications, the presence of unmaintained or abandoned code can create new gaps for malware and Advance Persistent Threats. A software security audit is an essential step for businesses to plan into their software lifecycle, especially in this day and age.
Antivirus programs don’t offer enough protection for legacy applications; since few antivirus programs cater to ageing systems, also the majority of antivirus solutions on the market do not scan inactive code — the very points where legacy systems are most vulnerable. Legacy-specific antivirus applications cannot protect against attacks that target dead code, malware attacks can rely on inactive code to hide and therefore go undetected, so an organisation is likely unaware it has been compromised.
With so much at stake organisations need to take action to mitigate risk, Magma Digital recommends:
- A full software security audit and code review to assess the risk of cybercrime
- Identify and eliminate inactive code – remove opportunities for malware and APTs to lie hidden and undetected within your systems
- Document changes – it is critical to document changes made to business rules to protect the integrity of the systems
- Re-Evaluate business rule change processes – reconsider the processes associated with changes to business rules
- Apply the least privilege principle and apply strong passwords – legacy systems tend to allow far weaker passwords than required by today’s standards
- View security as a continuous business process as opposed to a one-off fix
- Maintaining security patches to keep the system up-to-date with the latest vulnerability fixes
The reality is that every business connected to the Internet is a target for cybercrime because of the data it holds and according to a PwC survey the average of cost a breach is between £1.4m and £3.14m. A software security audit is one step to help mitigate such a breach.
Magma is one of the few software agencies who are willing to work with legacy code and systems, we have many years’ experience of conducting software security audits and code reviews which will assess your current vulnerabilities and recommend refinements to reduce your risk of cybercrime. Upgrading old software is a painful and costly process but deferring those upgrades could be catastrophic for your business. Magma’s software security audits identify risks to the technology platform by reviewing not only the policies and procedures but also network and system configurations.
Do not wait until a successful attack forces your company to take action, we would recommend as a minimum that most organisations carry out an annual software security audit. Magma can help you establish your security baseline against which you can measure progress.