
IT security in software systems through code mining

Legacy systems and compliance – code mining as a solution

Old systems, also known as legacy platforms, are used in many companies. They are the result of software structures that have grown over many years. In addition, these platforms were often expanded step by step. Interfaces, modules, extensions and APIs have turned these software solutions into complex systems whose entire range of functions can hardly be surveyed.

In terms of compliance, this causes problems. There may be undiscovered security gaps, or the systems may communicate in ways that are not known. If confidential data is stored in such systems, such behavior patterns are unacceptable. The company may also be in breach of the European General Data Protection Regulation (GDPR). Sysparency provides a practical solution to such situations with code mining.

Why are legacy systems still in use?

Such complex legacy systems are often platforms that have grown in stages with special functions. The development sometimes took place individually in order to provide a company with exactly the IT environment that is required for day-to-day business. Over the years, this platform has been expanded again and again.

A change to a new platform is therefore not easily possible. Modern standard solutions are not always available or do not offer all the required functions. The change is also problematic because there are links to other systems. Such legacy systems are often deeply anchored in the company’s IT structures. Sometimes nobody has a complete overview of the exact connections any more. Another problem is the effort involved in such a platform change. The more extensive the systems and the larger the corporate structures, the greater the effort.

In large corporations, projects in the field of digitization quickly reach volumes of several hundred million euros. Accordingly, the decision-makers have a hard time with such a platform change. If the software solutions are deeply anchored in the company’s infrastructure, such changes also entail further fine-tuning tasks.

What danger does the old infrastructure pose to IT security?

Legacy systems bring with them a multitude of potential problems. Especially in the area of compliance, there are dangers that are difficult to assess. If the systems act in an uncontrolled manner or show security gaps, then these are compliance violations.

This begins with the lack of documentation for these software systems. In many cases, the decision makers and IT leaders who were originally involved in rolling out these legacy systems are no longer employed by the organization. As a result, background knowledge about these software systems has often been lost.

Another threat comes from undiscovered security gaps. Legacy systems often consist of a collection of different individual software products. These in turn are based on libraries from a wide variety of sources, possibly including open source. For neither the software components nor the libraries can it be verified whether security updates are still available. To make matters worse, it is not possible to determine exactly which components these software systems consist of. Accordingly, it is possible that undiscovered security vulnerabilities exist in one or more of these software components. There is enormous potential for damage from such zero-day gaps. If attackers know the gaps, they have the opportunity to exploit them. In this way, unauthorized persons may gain access to the systems without IT security noticing. This puts data and possibly even the entire network at risk.

Interfaces for communication represent another problem. In many cases, complex legacy systems have been expanded to include interfaces. Others communicate automatically via interfaces that have long been forgotten. These and similar situations create a platform that in effect acts uncontrolled. There is no real control over which interfaces are present and how they are addressed.

Compliance and legacy systems – what does that mean in concrete terms?

Compliance guidelines represent a kind of code of conduct for companies. On the one hand, they are an internal set of rules that ensure consistent standards in performance and public image. On the other hand, legal regulations are also included in the compliance guidelines. The aim is to use such a set of rules to prevent violations of the company's own guidelines and of the law.

On the one hand, compliance guidelines concern the behavior of employees. On the other hand, this naturally also applies to software platforms. These must also meet the legal requirements and their own standards. This is particularly important for systems that manage customer data and for companies that are subject to special regulations. This is the case, for example, with financial service providers and banks.

Legacy systems are problematic in the sense that they are not aligned with modern compliance rules. Corresponding functions for data protection, for example, may not be available. This can also affect the communication or the evaluation of information. Since the introduction of the European General Data Protection Regulation, the processing of customer data is only possible with the consent of the data owner. This relates not only to the transfer of information, but also to internal processing. All companies in Europe are affected by this, not just banks and financial service providers. For this reason, it is important for every company to check the functions of its own legacy systems carefully. Undetected interfaces with other systems are potential sources of violations of compliance guidelines or applicable laws.

An important step is to know all the functions of a software. Compliance with rules can only be confirmed if all interfaces, functions and methods of data processing are known. Such a platform is then considered to be compliant.

What is code mining?

Code mining is a method that helps analyze the functionality of a software platform. Mining refers to the source code of the software. All functions of a software are recorded in this source code. It forms the basis for all calculations, functions and properties of software. The source code is correspondingly extensive. The source code often gets out of hand, especially in grown legacy systems. This is due to the numerous changes and additions that have been made over the years. Not infrequently, various service providers, programmers and those responsible have made changes to the software.

Sysparency has developed a special software analysis algorithm that is capable of documenting how software systems work. The technology is based on the concept of reverse engineering. As with reverse engineering, mining uses the functions and an analysis of the source code to document how the system is structured. The Sysparency solution works largely automatically. This is a key advantage, because without automated processes such documentation would require enormous resources. This is impractical both in terms of time and from a cost-benefit point of view.

The technical functions are documented in all details via code mining. This includes all communication interfaces. It is also possible to identify the programming languages used in this way. This makes it possible to find out precisely which programming language the old platform is based on. Very old variants such as COBOL, Natural or PL/I can often be found here. With these properties, mining helps to make existing software systems transparent.

How does code mining improve the software security of legacy systems?

A central goal of mining is to increase software security. Today, the topic of IT security plays a central role. Advanced persistent threats (APTs) are a permanent threat. Cyber criminals often focus on companies in the critical infrastructure sector. In addition to banks and financial service providers, these also include the energy sector and the transport industry. In such attacks, attackers specifically look for weak points in networks. They can sometimes find them in legacy systems.

Forgotten or undocumented interfaces are one such potential gateway. These can be found and secured via mining. In complex systems in particular, there is a risk of many such hidden security gaps. Finding them manually is an enormously time-consuming task. In addition, there is no guarantee that all interfaces will actually be identified in this way. Therefore, an automated approach via mining with reverse engineering is the right starting point to ensure complete documentation.

In the course of code mining, outdated operating and development environments are often found. These are based on platforms or programming languages that are no longer up to date. If the developer no longer maintains them, there is a risk of potentially undiscovered security gaps. Identifying them is another way to improve software security. The software security of old platforms cannot be guaranteed without knowledge of the solutions used. In some cases, developers and software companies are no longer active at all, so that patches for security gaps no longer appear. Such problems can be identified by mining the source code. Then an evaluation of the software security is possible. In this context, an assessment is made as to whether the operation of an old system is still secure. If, on the other hand, obsolete and no longer updated components or even known security gaps are discovered during mining, it is absolutely necessary to replace the software.

The Sysparency algorithm also improves software security by recognizing dependencies between the systems. This is another point that has potential for security vulnerabilities. Documentation and graphic representations of the IT infrastructure can be created on the basis of this analysis. This makes even complex systems and links between the platforms comprehensible. This is an important step on the way to a transparent and secure IT infrastructure.

For which companies is the Sysparency solution suitable?

The analysis of legacy systems is particularly relevant for companies in which critical data is processed. This includes personal information from customers or payment information and bank details. This applies to banks and insurance companies, for example. In these areas, the legislation lays down particularly strict rules in terms of data protection. On the other hand, it is also in the interest of companies from the financial sector to guarantee the absolute security of customer data. In these companies in particular, there are often legacy systems that are problematic in terms of security.

But companies from other sectors also benefit from such an analysis. In principle, it is helpful for every company with such legacy platforms to explore the functions in detail. Based on the result of the analysis, it can then be decided whether the platform can continue to be operated or where improvements are necessary. Thus, mining the source code is the first step on the way to ensuring compliance in your own company area.

In which situations does the Sysparency solution make sense?

There are a number of scenarios where code mining is a viable solution for dealing with a legacy platform. First and foremost, this is about support in adhering to guidelines in compliance. Since the introduction of the GDPR in 2018, companies that commit violations of data protection law have been subject to severe penalties. The violations explicitly include weaknesses in IT security that endanger third-party data. Compliance with these guidelines is therefore a top priority. Legacy systems are problematic here because they are a source of potential security vulnerabilities.

The compliance function is responsible for ensuring adherence to the GDPR and other laws in the company. For this it is necessary to create software documentation that meets compliance requirements. This documentation provides information about the entire IT structure. Code mining is a good method here for creating, with little effort, documentation for software systems that lack this information. This is particularly important for banks, insurance companies and service providers from the financial sector. These are subject to the regulations of the Federal Financial Supervisory Authority (BaFin). BaFin requires documentation about the software that banks and financial service providers use. As early as 2017, IT requirements for companies in this sector were established. This also includes risk management within IT. Here, BaFin makes specifications for the technical and organizational equipment and sets standards with regard to the requirements for information security. While such software documentation is mandatory for banks and other service providers from the financial sector, other companies also benefit from complete documentation of their own software platforms.

If you want to continue working with the existing platform, IT security must be guaranteed. Control is possible via the complete documentation of the behavior of the software and the communication via the interfaces. At the same time, subsequent documentation can also be created on the basis of this analysis by Sysparency. This is helpful for training the employees who are responsible for maintaining the platform. Missing documentation is often a problem when new employees who are unfamiliar with the old system have joined the company. Thanks to the post-documentation, the IT staff understand the structure of the system and can maintain it more effectively and securely. This is also necessary in order to meet the strict requirements of compliance.

At the same time, mining is also a good start for a modernization strategy. In many companies, a change of platform is due sooner or later. Large legacy systems in particular cause problems here, because it is necessary to find out exactly how these platforms work in their own infrastructure. Based on this analysis, it is then possible to develop an orderly strategy for switching to a new platform. Often the switch is to a service-oriented architecture. Here, too, mining helps to identify all the functions of software systems so that a new modular solution can be built that ultimately completely replaces the old legacy platform.

The Sysparency solution also makes it possible to identify dependencies between systems. This is also important in order to create a modernization strategy. Dependencies need to be considered when moving to a new platform or different software solutions. In this way, secure interfaces can be created if necessary, or the dependency is ended by finding an alternative solution for the function.

If you need support with the software documentation of legacy software, contact us and we will arrange a non-binding appointment!
