244 Core Software Security
are a consequence of the discovery that security was not always a key
element of the software development process and sometimes led to
security vulnerabilities and risk mitigation costs that rivaled the initial
cost of the software to be developed. The acceptance of legacy code
is based on an assumption of what is expected to happen, in that the
software must be proven to be functionally correct and operationally
viable. However, when it comes to software security, the unexpected
is what typically causes the vulnerabilities. Not only are these security
vulnera bilities financially unacceptable, they are also unacceptable from
an operational, functional, and overall risk perspective. This is particu-
larly true when the software supports embedded critical systems and
applications such as those found in national and regional infrastruc-
tures, transportation, defense, medicine, and finance. In these applica-
tions, the liabilities, costs, mission, and business impacts associated with
unexpected security software and system vulnerabilities are considered
unacceptable. Unless the architecture of legacy software is correctly
assessed and analyzed from a security perspective, the impact of changes
cannot be predicted, nor can changes be applied effectively. This is why
the same testing and review rigor that is followed during the SDL must
be followed during legacy code reviews: as a means of mitigating the
unexpected. If done with the proper process and rigor, this will go far in
ensuring secure code implementation that is consistent between legacy
and new code.
A legacy software application is one that continues to be used because
of the cost of replacing or redesigning it and often despite its poor compet-
itiveness and compatibility with newer equivalents. The most significant
issue in this regard is that the organization has likely been depending on
this legacy software application for some time, and it pre-dates software
development security activities such as those described in our SDL and
the mandates that currently drive these practices. Further, a considerable
amount of money and resources may be required to eliminate this secu-
rity “technical debt.” Technical debt is the difference between what was
delivered and what should have been delivered. The importance of work-
ing with legacy code and technical debt is critical for most companies that
develop software.
14
Legacy code with technical debt can also exist because even though
the product should be have been put in “end of life” status, one or more
customers do not or cannot upgrade to a newer version of the software,