Title :
How to tackle security issues in large existing/legacy systems while maintaining development priorities
Author :
Campara, Djenana ; Mansourov, Nikolai
Author_Institution :
CEO, KDM Analytics, Ottawa, ON
Abstract :
Legacy software systems represent a large base of software assets that hold significant corporate intellectual properties, along with carrying large opportunity costs and operational risks. There is a growing need to prolong their lifespan through maintenance efforts and enhance them to accommodate new and changing market requirements and governmental regulations. The majority of these systems were developed at a time when security requirements were more relaxed and not well understood, and at a time when being netted did not have the same consequences as exist today. There is a real need for retrofitting security into legacy software systems so they can operate in the current environments. However, over time, as legacy systems became larger and more complex, their design structure eroded, which hinders system comprehension, compromises architectural integrity and decreases maintenance productivity. This makes the task of retrofitting security difficult and risky. Since legacy systems are a large part of our nation's critical infrastructure, we must retrofit security in such a way that the level of confidence related to security is substantially increased. This paper will discuss a standards-based approach to achieving this goal.
Keywords :
industrial property; risk management; software development management; software maintenance; corporate intellectual properties; legacy software systems; operational risks; retrofitting security; software assets; Computer architecture; Costs; Information security; Intellectual property; Risk analysis; Risk management; Software maintenance; Software standards; Software systems; Software tools;
Conference_Title :
Technologies for Homeland Security, 2008 IEEE Conference on
Conference_Location :
Waltham, MA
Print_ISBN :
978-1-4244-1977-7
Electronic_ISBN :
978-1-4244-1978-4
DOI :
10.1109/THS.2008.4534443