Hi, this is Scott Stender from iSEC Partners. I recently had the privilege of speaking at Microsoft’s BlueHat event in Brussels on the topic of securing legacy systems.
With all of the recent coverage on the need to secure our networked systems — national, corporate, and individual alike — I felt that the BlueHat event was a good time to shine the spotlight on those little-loved, perhaps little-known systems that keep our plugged-in society working. Those are the legacy systems, the giants on whose shoulders we stand in order to build the rich computing environment we enjoy today.
I had hoped to discuss, perhaps defend, the following points with the attendees:
· Legacy systems will always be with us. After all, we create more of them with every completed software project.
· The attacks leveraged against our systems are always changing and growing more sophisticated. Those of us on the defensive side will need to be equally sophisticated and tireless in our response.
· We software engineers need to develop and improve the means to secure our existing systems, just as we already do when developing for new systems.
· Those who maintain the budget for software systems not only need to plan for the effort required to build secure systems, but also to plan for the effort required to secure and maintain these systems throughout their lifetime.
However, as is often the case in these gatherings, I was surprised by the diversity of opinion in the room.
What I thought were going to be the most challenging statements did not stir the attendees. Most notably, it seemed to have been accepted that we will need to evolve the security of our existing systems rather than “start from scratch” for the majority of our systems. The benefits of starting anew are often far exceeded by the drawbacks. For instance, there is potentially a large amount of acquired wisdom in a system (learned through hard years of bug fixes and real-world operation) that could be lost when starting anew.
Instead, the attendees challenged me with the following topics:
· How do we show progress and demonstrate value for the resources spent on securing our legacy systems? After all, it is hard to make the case that we need to spend money on something that was deemed “completed” years before.
· How do we manage tightly-regulated systems, where certifications limit the changes that can be made? Attackers move faster than certifying agencies, and that opens a window for attackers.
I am afraid that easy answers to these questions are elusive, and those found are unlikely to hold in the general case. That is what makes venues like BlueHat important; because by discussing our experiences with peers in the industry, we come closer to understanding the potential solutions to our hard questions and the scenarios in which these potential solutions could be applied.
It is my hope that I made a good case for the need to secure our systems at their core, and that perhaps a few attendees were moved by this software engineer’s view of how to address our quickly shifting attack landscape. I left BlueHat with a greater appreciation for the experience of those who work in different industries than I do, under different regulatory pressures, and with varying levels of support for security initiatives. Together, continually improving software combined with technology to help us improve security immediately, we may be able to address the challenge of securing our legacy.
– Scott Stender, iSEC Partners