But What About Application and Network Security?!
Application and network security have become prominent concerns for IT organizations, large and small. The threat of data loss, of business and customer data falling into the wrong hands, and of disruption to business processes caused by malicious attacks are all center stage in IT priorities.
Mind the gaps!
Figure 1: There is a lot to consider where security is concerned...
In the context of application modernization, security concerns can often pose a risk factor delaying or complicating the decision to move desktop-based client/server applications to modern platforms, especially to the web or cloud. Securing what are now considered to be traditional applications was much easier before applications started to be delivered over public networks using general-purpose browsers. Yet in a recent publication, Gartner estimates that “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year”. In other words, almost all harmful attacks have been and will continue to be preventable if up-to-date best practices are employed.
Risk or opportunity?
So why is security perceived as a risk factor instead of an opportunity when considering the modernization of a legacy application? After all, getting rid of older operating systems and often unsupported platforms such as VB6, PowerBuilder and WinForms should have clear security-related benefits. The answer is that when organizations consider modernization, they usually think in terms of re-development, or of a manual re-write. The manual re-write process is a lengthy, risky and resource-intensive undertaking. Security standards and best practices are usually added at the end of the re-write process, employing static analysis tools which point to vulnerabilities and require very precise across-the-board modifications to the new application, as well as a whole separate testing cycle as a result.
What if there was …
What if there was a process to modernize an application, faithfully capture all the business rules for which the organization has invested major development efforts over decades, and produce a modern application that has up-to-the-minute security best practices baked in? This is really only possible if the re-write is done by a machine that re-architects and re-writes the application for the new platform.
Well, there is!
Gizmox Transposition is the leader in machine-based modernization of legacy desktop-based applications. The company’s innovative, patent-protected technology produces migrated applications that have best-practices-based security procedures and features inherently built into the code base, as opposed to ‘bolted on’ security wrappers that are much more vulnerable to attacks.
Gizmox Transposition’s migration technology is based on complete code understanding of the source application and then a re-architecting to a new solution on a target platform: desktop, web and cloud, including mobile experiences with a unified codebase. The process is based on reading in the source application, automatically building an intermediate representation of the source code in Transposition Studio, creating refactoring and mapping rules for all source objects (both automatically and by the architect driving the tool), and then automatically applying those rules to create a re-architected application with all business rules intact and a UI that is appropriately equivalent to the legacy UI, depending on the target platform.
And, in more detail
Several features of the migrated application on the new platform are specifically in answer to security concerns inherent to the web or cloud environments. These include:
- SQL injection resistance
All legacy SQL statements are migrated to parameterized ADO.NET or Entity Framework commands. Any string manipulation that may have existed in the legacy implementation is automatically rewritten as command operations, removing the threat of malicious-input attacks.
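To make the rewrite concrete, here is an added example (hand-written for this page, not Gizmox Transposition output) of the legacy string-built query beside the parameterized ADO.NET command it should become. The `Customers` table, its `Name`/`Email` columns and the connection string are assumptions.

```csharp
// Added example, not Gizmox Transposition code. Legacy string concatenation versus
// a parameterized ADO.NET command. Table and column names are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerQueries
{
    // LEGACY PATTERN (vulnerable): the user-supplied value is spliced into the SQL text.
    // A quote character in the input ends the string literal and whatever follows is
    // parsed as SQL, so the statement no longer means what the developer wrote.
    public static string BuildLegacyQuery(string customerName)
    {
        return "SELECT Name, Email FROM Customers WHERE Name = '" + customerName + "'";
    }

    // PARAMETERIZED FORM: the SQL text is fixed at compile time; the value is sent as a
    // typed parameter and is never interpreted as SQL, whatever characters it contains.
    public static SqlCommand BuildParameterizedCommand(SqlConnection connection, string customerName)
    {
        var command = new SqlCommand(
            "SELECT Name, Email FROM Customers WHERE Name = @name", connection);
        // Explicit type and length avoid implicit server-side conversions and bound
        // the size of what a caller can submit.
        command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
        return command;
    }

    public static void PrintMatches(string connectionString, string customerName)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = BuildParameterizedCommand(connection, customerName))
        {
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    Console.WriteLine($"{reader.GetString(0)} <{reader.GetString(1)}>");
                }
            }
        }
    }
}
```

The check to apply when reviewing migrated code is simple: no SQL string should be built with `+`, `String.Format` or interpolation from any value that can trace back to user input; every such value should appear in the statement only as an `@parameter`. Entity Framework LINQ queries (`context.Customers.Where(c => c.Name == customerName)`) are parameterized by the provider in the same way.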
Figure 2: The dreaded SQL injection exploit
- All services are authenticated at all times.
This is achieved by automatically creating the required code and attribute decoration, so that developer error can never be responsible for creating vulnerable code. Identity authentication can be generated automatically to connect with standard (e.g. LDAP) or proprietary identity systems, using custom mapping rules during the migration process.
- Similarly, Identity Spoofing is thwarted
This is done by including authentication on all services and generating corresponding secure code on the client during the automatic code creation of the re-architected application.
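The ASP.NET MVC 5 pattern that makes "authenticated at all times" a property of the application rather than of each developer's diligence, as an added example (not Gizmox Transposition output): a global `AuthorizeAttribute` so that every controller is protected unless it explicitly opts out, plus an anti-forgery token on the state-changing request so a forged request cannot ride on a victim's session. Controller names, the `Accounting` role and the form model are assumptions.

```csharp
// Added example, not Gizmox Transposition code. Authentication as the default for
// every service in an ASP.NET MVC 5 application. Names and roles are assumed.
using System.Web.Mvc;

public class FilterConfig
{
    // Called once at startup from Application_Start:
    //   FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    // With AuthorizeAttribute registered globally, a controller a developer forgets
    // to decorate is still protected; anonymous access must be requested explicitly.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

// A migrated service: no per-action decoration is needed for authentication;
// a role restriction is layered on top where the mapping rules call for it.
[Authorize(Roles = "Accounting")]   // assumed role name
public class InvoiceController : Controller
{
    public ActionResult Index()
    {
        // Reaching this line guarantees an authenticated principal with the role.
        ViewBag.User = User.Identity.Name;
        return View();
    }
}

// Assumed login form model.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

// The only anonymous entry point is the login itself, and it has to say so.
public class AccountController : Controller
{
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Login()
    {
        return View();
    }

    // The POST carries an anti-forgery token (emitted in the view by
    // @Html.AntiForgeryToken()), so a request forged from another site is rejected
    // before the action body runs.
    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model)
    {
        // Credential verification against LDAP or a proprietary store is generated
        // from mapping rules and is out of scope here.
        return RedirectToAction("Index", "Invoice");
    }
}
```

The practical check for a migrated code base is to search for `[AllowAnonymous]`: with the global filter in place, that list is the complete inventory of unauthenticated surface, which is far easier to review than hunting for methods that are missing an `[Authorize]`.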
- Cross Site Scripting prevention
This requires escaping all user inputs on output, as well as validating all inputs. Because applications may use different browsers and client frameworks, automatic static analysis will not always find these vulnerabilities, and developers are hard pressed to close all the cracks. The automatic code generation of Gizmox Transposition is the perfect solution here too.
Figure 3: A cross site scripting attack
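Escaping is context-dependent: the same untrusted string needs a different encoder depending on whether it is written between HTML tags, inside an attribute value or inside a JavaScript string. The following added example (not Gizmox Transposition output) uses the `System.Web.HttpUtility` encoders for each of those three contexts; the sample input is constructed.

```csharp
// Added example, not Gizmox Transposition code. Context-aware output encoding with
// System.Web.HttpUtility. SampleInput is a constructed value standing in for a
// user-supplied "display name".
using System;
using System.Web;

public static class SafeOutput
{
    public const string SampleInput = "O'Brien <b>&co</b>";

    // Text between HTML tags: <, >, &, " and ' become character references, so the
    // browser renders them as text instead of parsing them as markup.
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted);
    }

    // Value inside a quoted HTML attribute (e.g. value="...").
    public static string ForHtmlAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted);
    }

    // Value inside a JavaScript string literal; quotes, backslashes and control
    // characters are escaped so the string cannot terminate the literal early.
    public static string ForJavaScriptString(string untrusted)
    {
        return HttpUtility.JavaScriptStringEncode(untrusted);
    }

    public static void Main()
    {
        Console.WriteLine("<p>" + ForHtmlBody(SampleInput) + "</p>");
        Console.WriteLine("<input value=\"" + ForHtmlAttribute(SampleInput) + "\">");
        Console.WriteLine("var name = \"" + ForJavaScriptString(SampleInput) + "\";");
    }
}
```

In Razor views the `@Model.Name` syntax applies the HTML-body encoding automatically; the places to inspect in a migrated application are `@Html.Raw(...)` calls and any data written into inline `<script>` blocks, because those bypass or need a different encoder than the default.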
- Double Input Validation
Because any data that is entered or influenced by application users should be treated as untrusted, the migrated application validates everything twice, both on the client (mostly for convenience and the elimination of unnecessary round trips) and on the server, for security as well as for data integrity. It is important to note that not only data directly entered by users is validated but also information in HTTP headers, cookies, GET and PUT parameters including hidden fields, which can all be the source of vulnerabilities.
Figure 4: If data is not validated...
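In ASP.NET MVC the two validation passes come from one set of rules: the DataAnnotations on the model drive the client-side validators the view emits, and `ModelState.IsValid` re-runs the same rules on the server, where they count. The added example below (not Gizmox Transposition output) shows that, plus a check on a custom header and an ownership check on a hidden-field value. The model, the `X-Client-Version` header and the in-memory account store are assumptions.

```csharp
// Added example, not Gizmox Transposition code. Client and server validation from
// one set of DataAnnotations, with headers and hidden fields treated as input.
// Model, header name and account data are assumed/constructed.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;
using System.Web.Mvc;

public class TransferRequest
{
    [Required, StringLength(34, MinimumLength = 8)]
    [RegularExpression("^[A-Z0-9]+$")]   // account ids: upper-case alphanumerics only
    public string TargetAccount { get; set; }

    [Required, Range(0.01, 1000000.00)]
    public decimal Amount { get; set; }

    // Hidden field carried over from the legacy form. It is still user-controlled
    // and is validated (format) and authorized (ownership) like any other input.
    [Required, Range(1, int.MaxValue)]
    public int SourceAccountId { get; set; }
}

// Constructed stand-in for the application's account store.
public static class AccountOwnership
{
    private static readonly Dictionary<string, int[]> Owned = new Dictionary<string, int[]>
    {
        { "alice", new[] { 1001, 1002 } },
    };

    public static bool Owns(string userName, int accountId)
    {
        int[] ids;
        return Owned.TryGetValue(userName, out ids) && Array.IndexOf(ids, accountId) >= 0;
    }
}

public class TransferController : Controller
{
    private static readonly Regex ClientVersionPattern = new Regex(@"^\d+\.\d+\.\d+$");

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(TransferRequest request)
    {
        // Server-side pass over the same rules the client already applied; the
        // client pass can be bypassed entirely, so this is the one that matters.
        if (!ModelState.IsValid)
        {
            return View("Form", request);
        }

        // Headers are input too: check format before using the value anywhere.
        string clientVersion = Request.Headers["X-Client-Version"];   // assumed header
        if (clientVersion == null || !ClientVersionPattern.IsMatch(clientVersion))
        {
            return new HttpStatusCodeResult(400, "Unsupported client");
        }

        // A well-formed SourceAccountId is not enough; it must belong to the caller.
        if (!AccountOwnership.Owns(User.Identity.Name, request.SourceAccountId))
        {
            return new HttpStatusCodeResult(403);
        }

        TempData["Amount"] = request.Amount;
        return RedirectToAction("Confirmation");
    }
}
```

The view side is `@Html.EditorFor(m => m.TargetAccount)` with `@Html.ValidationMessageFor(...)` and the `jquery.validate.unobtrusive` script included; no rule is written twice by hand, which is what keeps the client and server checks from drifting apart.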
- Data protection
Gizmox Transposition has two complementary approaches for data protection. For ASP.NET MVC applications, the VisualTree layer limits to a minimum both data being transmitted between browser and server and code running and visible on the client. Encryption can be added automatically to protect especially sensitive information.
- Standard Logging
Application logging should not be an afterthought or limited to debugging and troubleshooting. Gizmox Transposition automatically includes logging for all or specific activities, for monitoring, intrusion detection, compliance verification and auditing purposes. As the migrated application is the result of automatic code generation, rules can be written at varying granularities to automatically add logging at many levels.
- Error handling & exceptions
Several attack methods rely heavily on causing exceptions, stack overflows etc. The challenge with applications migrated from legacy frameworks such as VB6 or PowerBuilder is that exception handling in those frameworks is non-standard and in many cases not adherent to best practices. Translating business logic which includes such error handling to modern languages such as C# or Java may cause one or both of the following: the business logic will not be reproduced faithfully in the migrated application, and some errors will not be handled by the migrated code, causing potential unhandled exceptions to be introduced. Gizmox Transposition automatically translates legacy error handling patterns to precise and secure patterns in the target language, thus preventing this potential vulnerability from being introduced.
An additional challenge with error handling on migrated legacy applications is that often, critical parts of the application have simply not been correctly protected from possible exceptions. Gizmox Transposition allows the automatic addition of standard error handling and logging, in vulnerable areas of the application such as I/O.
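As an added illustration of the two points above (legacy error-handling translation, and standard handling plus logging on I/O), here is a hand-written example, not Gizmox Transposition output, of a VB6 `On Error GoTo` routine and a C# rewrite that keeps its observable behaviour for the cases the original handled while logging them. The routine, file format and key names are assumptions.

```csharp
// Added example, not Gizmox Transposition code. Translation of a VB6 "On Error GoTo"
// routine into structured C# exception handling with logging on the I/O boundary.
//
// Legacy form (VB6), reproduced as a comment for comparison:
//
//   Public Function ReadConfigValue(path As String, key As String) As String
//       On Error GoTo ErrHandler
//       Open path For Input As #1
//       ' ... read lines, find "key=value" ...
//       Close #1
//       Exit Function
//   ErrHandler:
//       ReadConfigValue = ""        ' swallow every error and return an empty string
//       Close #1
//   End Function
//
// Design choice in the C# version: the failures the legacy code expected (missing
// file, missing key, access denied) still yield an empty string, but each is logged;
// the file is closed deterministically by 'using'; and anything unexpected propagates
// to the application-level handler instead of being masked as an empty value.
using System;
using System.Diagnostics;
using System.IO;

public static class ConfigReader
{
    public static string ReadConfigValue(string path, string key)
    {
        try
        {
            // 'using' replaces the Close #1 on both the normal and the error path.
            using (var reader = new StreamReader(path))
            {
                string line;
                while ((line = reader.ReadLine()) != null)
                {
                    int eq = line.IndexOf('=');
                    if (eq > 0 && line.Substring(0, eq).Trim() == key)
                    {
                        return line.Substring(eq + 1).Trim();
                    }
                }
            }
            Trace.TraceWarning("Config key '{0}' not found in {1}", key, path);
            return string.Empty;
        }
        catch (FileNotFoundException ex)
        {
            Trace.TraceWarning("Config file missing: {0} ({1})", path, ex.Message);
            return string.Empty;
        }
        catch (DirectoryNotFoundException ex)
        {
            Trace.TraceWarning("Config directory missing: {0} ({1})", path, ex.Message);
            return string.Empty;
        }
        catch (UnauthorizedAccessException ex)
        {
            // Worth a higher severity: a permission problem on a config file is
            // something operations should see, not just a debugging detail.
            Trace.TraceError("Access denied reading {0}: {1}", path, ex.Message);
            return string.Empty;
        }
        // Other IOExceptions and anything unexpected are deliberately not caught here.
    }
}
```

`Trace` writes to whatever listeners are configured in `web.config`/`app.config`, so the same calls feed a file, the event log or a monitoring pipeline without touching the code; the rule-driven generation the text describes is what decides at which granularity such calls are emitted.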
Or in short, the new-gen practice: secure while modernizing!
In summary, probably the most distinctive security-related feature of a Gizmox Transposition migrated application is that all the above is not added after the fact, or ‘bolted on’ to the application as a result of a vulnerability audit done on the application after it is migrated or written from scratch. All the previous points are an integral part of the code generation process, with the added benefit of the process being both automatic and configurable, so that specific practices, standard or proprietary, will be implemented across the board, with the confidence that only a machine-based process can provide.