Legacy Web Application Code: Secure It or Flush It? | Pivot Point Security
Last Updated on October 14, 2020

Starting off strong with security in the design, development and testing of a new web application is challenging. But retrofitting a security approach onto a legacy web application can be an even bigger challenge.
Where do you start? What do you focus on? How do you know if it might be time to “pull the plug” and rebuild the application?
A recent episode of The Virtual CISO Podcast drilled into this topic with none other than Jim Manico, one of the world’s leading web application security experts. Jim is the founder of a web application security training company and a primary contributor to multiple Open Web Application Security Project (OWASP) projects, notably the Application Security Verification Standard (ASVS), the OWASP Cheat Sheet Series and the OWASP Web Security Testing Guide. Hosting the episode, as always, is Pivot Point Security’s CISO and Managing Partner, John Verry.
Jim shares a story about “one of the big eCommerce players” that had been lax about updating its third-party libraries until it recognized it had a major security issue on its hands. “Finally they decided, ‘We’re going to fix this problem.’ And for a year, half of their developers were just doing third-party library updating,” Jim recalls.
John asks whether it might make sense to periodically revisit a legacy web app and proactively re-architect or re-code parts or all of it, to avoid the scenario Jim just described.
Jim answers with another cool story: “I was talking to an application architect of a large bank, one of the top 20 banks in the world. I’m like, ‘What is the architecture of the software in your organization?’ He’s like, ‘Yeah. I’ve been studying that for 10 years. What architecture do we use at this bank? That’s a great question, Jim.’ I’m like, ‘Well, what is it?’ And he’s like, ‘I have no idea.’ … I’m like, ‘Why? I don’t understand your answer?’ He’s like, ‘Well, the architecture of our software is in flux at all times. There’s no way for me to analyze it.’”
“So the more complicated your software is, the more that architecture is going to be in flux at all times,” Jim explains. “Once you’re using a framework that is no longer updatable or doesn’t have a lot of active maintenance on it, it’s known to be a legacy framework. Should you consider rewriting big portions of that software? That’s a big money question. You’re rolling the dice now with sometimes millions of dollars.”
Jim suggests you start by evaluating the risk. “When you have legacy software, you want to onboard it into your automated security testing mechanism. So you’re checking it with dynamic analysis, static analysis and third-party library scanning on a daily basis. And as we start seeing bugs in legacy software, let’s start addressing it.”
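To show what “onboarding” a legacy application into that kind of daily testing looks like in practice, here is an added example of a GitHub Actions workflow; it is not from the podcast, Pivot Point Security or OWASP. It runs third-party library scanning (OWASP Dependency-Check), static analysis (Semgrep) and a passive dynamic baseline scan (OWASP ZAP) every night and on every push to `main`, and it fails the job on high-severity findings. The workflow name, the project name `legacy-webapp`, the staging hostname, the cron schedule and the CVSS threshold of 7 are assumptions; the tool invocations use the flags those tools document.

```yaml
# Added example: nightly DAST + SAST + SCA for a legacy web app.
# Assumed names: legacy-webapp, staging.legacy-app.example, cron time, CVSS gate.
name: legacy-app-security-scan

on:
  schedule:
    - cron: "0 3 * * *"        # run daily, as recommended in the podcast
  push:
    branches: [main]

jobs:
  sca:
    # Third-party library scanning: match declared dependencies against known CVEs.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: OWASP Dependency-Check (fail on any CVSS >= 7)
        run: |
          mkdir -p reports
          docker run --rm -v "$PWD":/src owasp/dependency-check \
            --project legacy-webapp \
            --scan /src \
            --format JSON \
            --out /src/reports \
            --failOnCVSS 7
      - uses: actions/upload-artifact@v4
        if: always()            # keep the report even when the gate fails
        with:
          name: dependency-check-report
          path: reports/

  sast:
    # Static analysis of the application's own code.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pipx install semgrep
      - name: Semgrep (non-zero exit on findings)
        run: semgrep --config p/owasp-top-ten --error --json --output semgrep.json .
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: semgrep-report
          path: semgrep.json

  dast:
    # Dynamic baseline scan: passive checks only, so it will not mutate state
    # in a fragile legacy app. Point it at staging, never production.
    runs-on: ubuntu-latest
    steps:
      - name: OWASP ZAP baseline scan against staging
        run: |
          docker run --rm -v "$PWD":/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t https://staging.legacy-app.example -r zap-baseline.html
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-baseline-report
          path: zap-baseline.html
```

Two practical notes. First, a red job is the signal Jim describes: as the daily scan starts surfacing findings in the legacy code base, each one becomes a ticket to triage rather than an unknown. Second, start with ZAP’s baseline (passive) scan on a legacy app and only move to an active scan once you know the application tolerates it; active scans submit forms and can corrupt data in applications that were never built to be tested that way.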
Anyone involved in web app security should listen to this insight-packed episode of The Virtual CISO Podcast with special guest Jim Manico.

Originally published at https://www.pivotpointsecurity.com on October 12, 2020.