How a WAF Can Enhance Legacy Systems Without Rewriting Code

By David Jones

Keeping your systems current is a challenge for many organizations. The cost to upgrade hardware and software regularly adds up quickly. Additionally, your company may not want to direct funds to replace a system component when the one you have still works. If your systems are working, the logic goes, why change them?

Unfortunately, a functional system is not the same thing as a secure system. Legacy systems are prime targets for attackers due to discontinued support, known vulnerabilities, and outdated security protocols. To mitigate these issues, consider implementing a Web Application Firewall, which can insulate your systems and prevent attacks. 

The Challenge of Legacy AppSec

All software contains vulnerabilities, whether it’s twenty years or two months old. However, legacy software that you’ve been using for years has been available to attackers to study for just as long. This means that any application you’re running needs to be protected, but you are at higher risk from your legacy software. 

Another complication of legacy software is the state of updates and patches. Most software companies stop updating applications after a while, which could create huge problems for you. When attackers do discover the app’s vulnerabilities (and they will), you won’t be able to patch that vulnerability. Alternatively, some app creators do still regularly create updates for aging software, but it may not be practical to implement in your system. 

Additionally, because your application is connected to your cloud services or your network (or both), these unsecured apps can be a point of entry for a larger attack. Once they have compromised your application, attackers can leverage the information found within the software to navigate to places on your network they should not be able to access. 

Benefits of a WAF for Legacy Systems

Even so, all is not lost. Web application firewalls (WAFs) can identify and block attempted attacks before they reach a vulnerable service. By tracking activity and blocking unusual patterns, WAFs can keep traffic from reaching your legacy software. Even if there are unfixable vulnerabilities, if you can keep attackers away from the software, those vulnerabilities pose a much smaller problem than they otherwise would. 

There are a few key features of the WAF for your legacy systems:

  • Rate limiting. Worth considering is that modern software is generally built to handle a higher volume of traffic than legacy applications. This doesn’t make much difference until you have a lot of people making the same requests at once. Rate limiting via the firewall can help by limiting traffic to allow only legitimate, authorized users to access the application. This reduces the chances of a DDoS attack. 
  • Data protection. To prevent attackers from accessing and exfiltrating data from your application, a WAF blocks unusual activity. Attackers may try to exploit your vulnerabilities, but they will be cut off at the pass. 
  • Compliance. Without adequate security measures, your legacy apps may not be in compliance with increasingly strict data privacy legislation. However, with a WAF, you can address those concerns. The tool fills in the gaps that an attacker could exploit to access your customers’ information.
  • Ease of use. Without a WAF, it is imperative that your software receives consistent security updates. However, if the company that created and supports your software stops issuing updates and pushing out patches, you’re on your own. You will have to address vulnerabilities on your own, which may require you to rewrite application code. Most organizations find that implementing a WAF is more effective, and a better use of their security team’s time. 

Protecting Legacy Services with a WAF

Although a WAF can provide an important layer of protection around your applications, you need to make sure you’re choosing the correct one. Not all WAFs are created equal, and you need a WAF that is specifically designed with the risks of legacy systems in mind. The WAF should also be quick on its feet. Any new vulnerabilities should be immediately added to the WAF’s repertoire, lest you end up on the receiving end of a zero-day attack. 

While the number of zero-day attacks that will crop up on legacy hardware is low, it is still a real risk that a WAF can mitigate. This is important for a holistic security approach; a WAF that protects you from known vulnerabilities but not newly developed attacks is suboptimal. 

By implementing a highly effective WAF, you can protect your software (and your network and cloud environments, by extension) from threats without compromising the ability of legitimate traffic to access your systems. Automation, which is present in some WAFs, can help keep your security abreast of new developments without bogging you down in new rule creation and firewall monitoring. 

Ultimately, whether you have legacy systems or not, a WAF can go a long way toward keeping your applications safe from attack. However, if you do have legacy systems, a WAF is one of the easiest ways to add a layer of protection. Especially when developers stop supporting the apps you depend on, it’s important to have as much of your own security infrastructure in place as possible. 

Better to stop malicious activity in its tracks than to let it get anywhere near your weak points, and legacy systems have plenty of those.