This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Supporting Legacy Web Applications in the Current Environment Project
Main
Legacy systems are everywhere. The security of these applications need to come into focus, mainly in the space of financial sector. This is because the impact of the known and discovered vulnerabilities in this area stand to lose a lot in terms of reputation, client base, user base and money. This apart from the legal implications. This particular project will focus on supporting legacy web applications in financial sector and will not consider any other sectors in scope.
Project About
This project will focus on listing down legacy technologies, applications that typically use these technologies, space of usage of these technologies, and their known vulnerabilities.
The next step would then list down remediation of these vulnerabilities and / or compensating controls such that it can be used as a cheat sheet that can be used by organisations that actualy have legacy technologies as a part of their organisation.
Introduction
What are legacy web applications
Legacy web applications are built in technologies, those technologies, that have been improved upon in terms of frameworks and key features since they were first built. These are also the systems, the license for whose technologies, are expired, and it is no longer possible to either renew the licenses or to buy new licenses.
Why do we still have them?
Legacy web applications are retained for a number if reasons, some of them being: 1. Financial resources to replace these applications are not available, though there is a cost benefit in doing the same. 2. The underlying architecture for the applications is complex and it is challenging to reconstruct the same. 3. There are upstream and downstream elements dependent on this application and replacement of the central application will require replacement of all the connected applications.
What are the vulnerabilities associated with legacy web applications?
Following are some of the vulnerabilities
1. Database connections
2. Sessions
3. Lack of necessary knowledge to support the application
4. Configurations
5. Insecure code
6. Data in transit
7. Data at rest
8. Lack of necessary secure login / authentication mechanism
What are the threats to these applications?
1. SQL injections
2. Session replay
3. Incomplete handling of errors
4. Directory listing
5. Visibility of configuration files
6. Broken / stolen authentication
How do we address these risks in the current environment?
1. Isolation
2. Wrappers
3. Education
4. Part code replacement
5. Complete code migration
6. Robust processes
| PROJECT INFO What does this OWASP project offer you? |
RELEASE(S) INFO What releases are available for this project? | |||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| |||||||||||||||||||||||||||||||||||
