Secure legacy systems vs newer versions


yougisatoshi


Hey folks,

Security is a series of trade-offs.

I'm sure you have faced this issue: do you opt for a newer version and manage to adapt your work (apps, etc.) to it, or just keep the legacy system and try to secure it more?

If we go for the new version every time there is one, it is so boring, no?


This often ends up with 5+ year old software that eventually will need to get updated (mandatory update of a library, deprecation of X dependency... you name it), and you must face an update of an old, outdated and obsolete system which will need a huge amount of work to rebuild.

If it is my call, I'd rather keep everything as updated as possible. Sadly this is rarely the case, since these are not the kind of decisions I'm in a position to make, but the people above me.

I agree that it might not be necessary to update a library because they have added support for the Albanian language. I'm talking about those changes in 3rd party libraries/software/APIs that somehow affect your systems, where it is easier to make a "patch" to bypass it rather than integrate with the new features.

I had a boss that was very careless about this and he always told us "make some kind of patch to circumvent it and lose as little time as possible on it". We then ended up with a huge amount of legacy code that eventually broke. I got fed up with that and found another job.


In agreement with @fivesam here.

You might be able to hold off an upgrade, add compensating controls to reduce risk... but all you're doing is creating technical / security debt that has to be paid one day.

Eventually there will be a bug you can't mitigate with additional controls, at which point you'll be forced to upgrade. Possibly you stopped paying for support since you weren't upgrading anyway, so the business saw it as a waste of money... so now you have a vulnerable, unsupported solution with no license to upgrade. That system might be performing a critical business task or providing a service to your clients... what do you do now?


13 minutes ago, fivesam said:

This often ends up having a 5+yo software that eventually will need to get updated (mandatory update of a library, deprecation of X dependency... you name it) and you must face an update of an old, outdated and obsolete system which will need a huge amount of work to rebuild.

The question is: should I get that update or not?!

A stable system that is working vs a newer version with a lot of work to do.

The cost you pay for this update or new version has to be calculated, or you just accept the risk and continue using the legacy system.

@clarkee


There's always a cost; even doing nothing has a cost.

When that 0day appears and you can't easily update because you skipped 50 updates... that's going to cost you in downtime, expertise, lost opportunity, etc.


52 minutes ago, yougisatoshi said:

the question is : should I get that update or not !?

I'm afraid that is not a question I can answer out of the blue without any background context. But as I said, I prefer updating whenever it is possible. I would never advise anybody not to stay up to date.

That being said, it is up to you to take the risk of ignoring the new version, or face the expenses of updating. You might never have any problem if you choose to continue with the current system, or you may find yourself in dire straits in the near future as a result of not having updated when you could have.


It really depends how you define legacy. If it's going to be getting patches for a few years then there's no issue continuing to run it (e.g. openssl vs openssl3).

If "legacy" == "unsupported" or "soon to be unsupported" then it's probably time to bite the bullet and start untangling whatever mess makes the major version upgrades non-trivial.

If "legacy" == "boring" then stick with boring. People still use postgresql, apache httpd, and the like because they are well understood, documented and stable. Yes, there are more modern, specific and interesting alternatives, and yes, there are more known issues in older software, but newer does not always equate to being more secure.
