Cybersecurity in the government has certainly come into focus recently as we have witnessed sensitive document troves exposed on WikiLeaks along with access to government information from transaction systems. Perhaps the most serious of the latter was the 2015 incident in which the Federal Human Resources database was hacked for more than 22 million records containing sensitive personal information such as Social Security numbers. In this incident the source of the problem was 30-year-old mainframe software written in COBOL that was too technically obsolete to encrypt personal information. This raised the discussion of legacy system security to a new level.
The debate over modernization of legacy systems to improve data security has been going on for some time. Many view antique systems as potential security liabilities, but some have argued that security is enhanced by antiquity. In this argument, fewer hackers have skills in older languages, and these systems are isolated and tend to act as “black boxes” that don’t interact with other systems. A new study now demonstrates that "security-by-antiquity" is not a concept which may be taken for granted.
A Study of Government Security
The new study, “Security Breaches in the U.S. Federal Government,” by Min-Seok Pang, of Temple University, and Huseyin Tanriverdi, of the University of Texas, reviewed security incidents and practices across a large number of US government agencies and found that a 1% increase in the share of new IT development and modernization spending is associated with a 5% decrease in security breaches. In other words, security is enhanced through modernization efforts, and through the development of new software. The "security-by-antiquity" concept doesn’t work.
According to the report, specific issues leading to lack of security in legacy systems include:
• Accumulation of large amounts of sensitive information over the years, making them attractive targets;
• Lack of strong security features, because knowledge of security defenses was limited at the time they were created;
• Complex, loosely connected enterprise architectures, making the overall system more prone to security threats;
• Frequently modified code creating software quality issues related to complexity.
The issues raised for security of federal systems apply equally well to corporate systems. A continual cycle of maintenance, although costly and all-consuming of IT budgets, will not, in the end, improve security, and the ongoing expense will drain capability for modernization.
The TSRI Solution
Modernization of antique COBOL systems can be a daunting problem, but it is a specialty of TSRI. We have perfected a model-based code conversion and modernization solution that makes it possible to digest and understand legacy code; to pinpoint weaknesses, vulnerabilities, and areas that are not up to modern standards; to delink and modularize procedures for greater security and better access; and to re-factor older code to create modern language objects which are fully integrated with security procedures. The resulting code is secure to a level that meets or exceeds requirements of all auditing frameworks and regulatory systems, and can safely be integrated into the security processes of the firm.
A robust modernization effort makes it possible to add to the security of the overall system by fostering integration and adoption of cloud-based resources, mobility and encryption. This means that funds will be spent in making the system more robust as well as more efficient. By using a model-based approach, the modernized system can be easily updated and refactored to meet new situations as the IT environment continues to evolve.
TSRI's modeling and refactoring process is handled by TSRI JANUS Studio®, which provides a high-level automated solution. JANUS Studio® is a dynamic system that makes it possible to provide continuous automated remediation of cyber threats as well as dynamic real-time protection against common attack patterns.
The JANUS Studio® toolset can be extended to detect threats through integration with third-party cyber security weakness and threat detection tools. It is capable of analyzing legacy custom code for vulnerabilities and augmenting this with annotations to permit OMG threat assessment. It transforms legacy code into a type-safe modern language, reducing internal complexities and access points. The new code can then be subjected to a thorough vulnerability check to ensure the best possible result.
TSRI has extensive experience in modernization of large legacy code bases. JANUS Studio® has been employed in over 150 critical code transformation and jobs over the past decade, all of which have been successful. It has been employed in extremely sophisticated code conversion with high accuracy and performance requirements for the Department of Defense, in medicine, and in finance. It is becoming clear that modernization of older systems will be increasingly essential in keeping valuable assets secure.