undefined | Better HN

0 pointscitrin_ru4y ago0 comments

Old != bad.

Old and well maintained software can be reliable and secure, it just rate to encounter it. Maintenance is underappreciated. People don't get rises and promotions for successful maintenance of an old system. But they get it for new projects even if this project is rewriting of an old system in a new language/framework (even if a rewrite introduces new bugs, vulnerabilities and drops some old features).

So if an organization has money to spare, the software will be re-written every several years to flow the fashion and if doesn't have money security will suffer too.

0 comments

5 comments · 2 top-level

cerved4y ago· 3 in thread

it's bad if it's running on a deprecated runtime that's no longer being patched for security

citrin_ruOP4y ago

If the runtime is no longer maintained then it is of course it is a problem (I'm from the Unix world and don't know if classic ASP is still supported by the vendor). We cannot say that a system as a whole is well maintained if it's dependencies are not.

raesene94y ago

The thing is, in web appsec world, when Classic ASP was a production platform, we were very early in terms of what attacks would be prevalent and the defences that are generally added to modern web application frameworks were not in use.

In theory you can totally add those protections per application but the effort of doing that, maintaining the knowledge required per application or team and keeping on top of new research, is likely higher than just moving to a new framework which has in-built protection.

Also you have to consider developer availability. At 19 years since it was deprecated, there is a smaller pool of people who are skilled at maintaining that codebase, and the group of people who can do that, and keep on top of web application security attacks is even smaller.

1 more reply

cerved4y ago

can't say for sure but I'd wager that it's not

1 more reply

raesene94y ago

Sure old != bad if they maintain it... Classic ASP was good 20 years ago, it's harder to secure than a modern framework which helps with security (e.g. XSS helpers, ORMs to help mitigate SQLi, which is one of the issues exploited here)

The problem is that in most codebases I've seen, once you get to 19 years passed deprecated, it's not that it's a well maintained hardened environment. It's a poorly maintained environment that people don't want to clean up for fear they break something.

j / k navigate · click thread line to collapse