Security incidents and cyber-attacks appear in the news more and more frequently. From Yahoo's apparent cover-up of a massive breach that is damaging its merger with Verizon, to the more recent bank hack in India in which millions of debit cards were compromised, it is apparent that there are holes in our current defenses. Adding to the complexity, eWeek has reported that DDoS attacks hit record highs in Q3 2016.
For most data-intensive organizations, a leak of mission-critical or customer information would spell disaster. What's more, security gaps are known to go undetected far longer in enterprises with a high proportion of legacy systems.
Many organizations are in the process of digital transformations or cloud migrations to improve operational efficiencies and cut costs. A happy side effect of these modernization efforts is an opportunity to take a good look at application security. Keeping your organization off the front page of the Wall Street Journal requires creating a development culture committed to the reduction of security and quality risks in its mission-critical applications.
Despite the visibility of security risk, a surprising number of application developers do not understand how and where vulnerabilities are introduced into the code. Thought leadership groups, like the Consortium for IT Software Quality (CISQ), MITRE, and the Software Engineering Institute (SEI) publish best practices for secure coding, which CAST has embedded into its core products.
The Common Weakness Enumeration (CWE) is a list of security-related software weaknesses managed by MITRE; the most important of them are also picked up by standards and guidelines such as OWASP, PCI DSS and CISQ. Many of these weaknesses, such as the improper use of programming language constructs, buffer overflows and failure to validate input values, can be attributed to poor coding and development practices.
Improving quality is a necessary condition for addressing software security, since 70% of the issues MITRE lists as security weaknesses are also quality defects. Quality is not an esoteric value; it is a measure of the risk in the software. Many organizations put QA gates into the software development cycle, yet manual inspection only finds about 20% of the defects within individual modules.
This typical 80% miss rate for manual inspection is bad enough on its own, but 50% of security breaches occur at module integration points, and manual inspection misses most of the inter-procedural problems that arise when system components are integrated.
Workstation code checkers find some of the intra-module defects, but almost none of the inter-module defects, which account for 80% of security breaches, are found manually. With only 20% of code defects uncovered, most security flaws sail through undetected. Unit-level automated code scanners do not detect inter-module flaws either.
In practice, 92% of code review findings are unit-level and not dangerous. Only about 8% of findings are inter-module, system-level flaws. These are the most serious issues, and they need to be addressed during IT modernization projects, before the software release is fielded.
For example, the Heartbleed vulnerability defied discovery for 4 years because the flaw was in module interactions. As systems become more complex, the interactions between system components introduce numerous points of failure. Both static and dynamic analysis must be part of a quality and security assurance strategy, since many non-functional, structural defects are extremely difficult to detect with traditional testing. Functional testing consumes so much time that little remains for security. Hack testing only finds one way to breach the system, whereas automated inspection examines all the components for exposure points.
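The following C example, added here and not code from this page or from CAST, shows the kind of inter-module flaw the paragraphs above describe: a parser module and a consumer module that each look correct in isolation, with the defect living only at their integration point. The message layout (a one-byte type, a two-byte big-endian declared payload length, then the payload) and all function names are constructed for the illustration; the hardened consumer makes the cross-module contract explicit before copying anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (assumption for this example):
   byte 0      : record type
   bytes 1..2  : declared payload length, big-endian
   bytes 3..   : payload                                   */
#define HDR_LEN 3

struct record {
    uint8_t type;
    uint16_t declared_len;   /* what the sender claims */
    const uint8_t *payload;
    size_t available;        /* bytes actually present after the header */
};

/* Module 1 (parser): fills the struct. Reviewed on its own it is fine; it cannot
   know whether a downstream consumer will trust declared_len. */
int parse_record(const uint8_t *buf, size_t buf_len, struct record *out) {
    if (buf == NULL || out == NULL || buf_len < HDR_LEN) return -1;
    out->type = buf[0];
    out->declared_len = (uint16_t)(((unsigned)buf[1] << 8) | buf[2]);
    out->payload = buf + HDR_LEN;
    out->available = buf_len - HDR_LEN;
    return 0;
}

/* Module 2 (consumer), unchecked variant: bounds the copy against the destination
   only, trusting declared_len from module 1. The over-read of the source buffer
   appears only when the two modules are put together. */
size_t echo_payload_unchecked(const struct record *r, uint8_t *dst, size_t dst_len) {
    size_t n = r->declared_len;
    if (n > dst_len) n = dst_len;
    memcpy(dst, r->payload, n);   /* reads past the message when declared_len > available */
    return n;
}

/* The inter-module contract, stated once so both sides can be checked against it:
   the declared length must be covered by the bytes received and fit the destination. */
int record_is_consistent(const struct record *r, size_t dst_len) {
    return r->declared_len <= r->available && r->declared_len <= dst_len;
}

/* Hardened consumer: refuses inconsistent records. Returns bytes copied, or -1. */
long echo_payload_checked(const struct record *r, uint8_t *dst, size_t dst_len) {
    if (!record_is_consistent(r, dst_len)) return -1;
    memcpy(dst, r->payload, r->declared_len);
    return (long)r->declared_len;
}

/* Demonstration on two constructed messages: one honest, one claiming 16384 bytes
   while carrying only four. Only the checked path is exercised with the bad record. */
int main(void) {
    const uint8_t honest[] = {0x01, 0x00, 0x04, 'a', 'b', 'c', 'd'};
    const uint8_t lying[]  = {0x01, 0x40, 0x00, 'a', 'b', 'c', 'd'};
    uint8_t out[64];
    struct record r;

    parse_record(honest, sizeof honest, &r);
    printf("honest record: copied %ld bytes\n", echo_payload_checked(&r, out, sizeof out));

    parse_record(lying, sizeof lying, &r);
    printf("lying record: result %ld (rejected)\n", echo_payload_checked(&r, out, sizeof out));
    return 0;
}
```

A unit-level scanner pointed at either module alone sees a length field being read and a bounded memcpy; only an analysis that follows `declared_len` from the parser into the consumer sees that the bound is the wrong one. Making the contract a named check gives both reviewers and tools something concrete to verify at the integration point.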
CAST helps IT-intensive enterprises through IT modernization projects by illuminating the full-picture view of both application- and portfolio-level health. With industry-leading security and risk standards embedded in the Application Intelligence Platform, measuring the Reliability, Security, Performance Efficiency and Maintainability of your software source code is a breeze.
Get started with a structural health assessment of your mission-critical apps within 48 hours.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now place equal value on technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target's systems, customized quality metrics, and the liability implications of open source components, all three of which are critical for M&A due diligence.