Safeguard.sh
Risk Management

Legacy Software and Supply Chain Risks

Legacy systems are supply chain time bombs—running outdated dependencies, unsupported frameworks, and unmaintained libraries. Here's how to manage the risk.

James
Senior Security Analyst
7 min read

Nobody sets out to build a legacy system. It happens gradually. The Java application that was cutting-edge in 2014 still runs in production, now on a JDK version that's two years past end of life. The Node.js service built with Express 3 that nobody wants to touch because the original developer left. The Python 2 script that "just works" and processes financial data every night.

These systems do their jobs. That's what makes them dangerous—they work well enough that there's never sufficient urgency to replace them, but they're accumulating supply chain risk every day they run.

The Supply Chain Risk Profile of Legacy Systems

Legacy systems carry a distinct risk profile that differs from modern applications:

Unmaintained Dependencies

The most immediate risk. Legacy systems depend on packages that are no longer maintained. When a vulnerability is discovered in an unmaintained dependency, there's no upstream fix coming. Your options are limited to: writing the patch yourself, finding a maintained fork, or replacing the dependency entirely. Each option is expensive and risky in a codebase that may not have tests or documentation.

Deprecated Package Registries

Some legacy systems pull dependencies from registries or sources that no longer exist or have been compromised. The registry that hosted your company's internal packages in 2016 might have been decommissioned, and the DNS name might now resolve to something else entirely.

Invisible Transitive Dependencies

Modern tools generate SBOMs and map dependency trees. Legacy build systems often don't support these tools. You may literally not know what components are running inside a legacy application because the build process is opaque or undocumented.

Incompatible Security Tooling

Current-generation security scanners are designed for current-generation technology stacks. Running a modern SAST tool against a legacy codebase may produce overwhelming noise, miss legacy-specific vulnerability patterns, or fail entirely because it doesn't support the language version or framework in use.

Brittle Update Paths

In a modern application, updating a dependency is usually a matter of changing a version number and running tests. In a legacy system, updating a single dependency can trigger a cascade of incompatibilities because the entire dependency tree is pinned to versions from the same era. Updating one thing means updating everything—or nothing.

Assessing Legacy Supply Chain Risk

Before you can mitigate the risk, you need to understand it. Start with an inventory:

Component Inventory

For each legacy system, determine:

  • What language and runtime version is it using?
  • What are its direct dependencies?
  • Can you generate an SBOM, even a partial one?
  • When were dependencies last updated?
  • Which dependencies are still maintained?

For older systems, this might require manual investigation. Reading build files (Makefiles, Ant scripts, requirements.txt from 2015) and tracing dependency resolution by hand.

Exposure Assessment

Not all legacy systems carry equal risk:

  • Is the system internet-facing or internal only?
  • What data does it process? PII? Financial data? Nothing sensitive?
  • Who has access to the system?
  • What network segments does it touch?
  • Is the system isolated or does it communicate with modern systems?

A legacy system processing public data on an isolated network segment is a different risk profile than a legacy system processing customer PII that has API access to your production database.

Vulnerability Mapping

Once you have a component inventory, map known vulnerabilities:

  • Check each dependency against CVE databases
  • Pay attention to severity and exploitability, not just count
  • Note which vulnerabilities have public exploits
  • Identify which vulnerabilities are in components that are reachable from the system's input surfaces

Mitigation Strategies

Virtual Patching and Compensating Controls

When you can't patch the underlying vulnerability, layer defenses around it:

  • Web application firewalls (WAFs) can block known exploit patterns targeting specific CVEs in your legacy dependencies.
  • Network segmentation limits the blast radius if a legacy system is compromised.
  • Strict input validation at the boundaries of the legacy system can prevent exploitation of vulnerabilities in internal components.
  • Enhanced monitoring on legacy systems can detect exploitation attempts that would otherwise go unnoticed.

These aren't fixes—they're risk reduction measures that buy time for a proper remediation.

Incremental Modernization

Full system replacement is often impractical. Incremental approaches can reduce risk without requiring a big-bang migration:

  • Strangle fig pattern: Build new functionality around the legacy system, gradually redirecting traffic from legacy components to modern replacements.
  • Dependency extraction: Identify the most vulnerable dependencies and replace them individually, even if the rest of the system remains legacy.
  • Runtime upgrade: Sometimes the biggest risk is the runtime itself. Upgrading from Python 2 to Python 3, or from JDK 8 to JDK 17, can eliminate entire classes of vulnerabilities even if the application code changes are minimal.
  • Container wrapping: Place the legacy application in a container with a hardened base image. This provides isolation and makes it easier to control the system's network exposure.

Fork and Maintain

For critical dependencies that are no longer maintained upstream, forking the project and maintaining it internally may be the most practical option. This is expensive but sometimes necessary:

  • Fork the repository
  • Apply known security patches
  • Set up automated vulnerability scanning for the fork
  • Accept that you now own this code and its security

Controlled Retirement

Some legacy systems should simply be retired. The cost of maintaining compensating controls, plus the risk of eventual breach, exceeds the cost of replacement. Make the business case with data:

  • Total cost of compensating controls per year
  • Probability of breach based on vulnerability exposure
  • Estimated breach cost based on the data the system handles
  • Cost of replacement or migration

When retirement is the right answer, plan it deliberately. Data migration, user transition, and decommissioning all need to happen in a controlled sequence.

Building a Legacy Risk Registry

Create a dedicated registry for legacy supply chain risks that tracks:

  • Each legacy system and its supply chain inventory
  • Known vulnerabilities and their severity
  • Compensating controls currently in place
  • Modernization or retirement timeline
  • Risk owner (someone must be accountable)
  • Last assessment date and next assessment due date

Review this registry quarterly. Legacy risk doesn't change as rapidly as active development risk, but it does change—new CVEs are published against old components regularly.

Organizational Challenges

The hardest part of legacy supply chain risk isn't technical—it's organizational:

  • No one owns it. The original team is gone. The code is in a repository that nobody's primary team is responsible for. Assigning ownership is the first step.
  • No budget. Legacy modernization competes with feature development for budget, and features usually win. Frame the cost in terms of breach risk reduction, not technical improvement.
  • No expertise. Finding developers who can work on a 10-year-old codebase is increasingly difficult. Document what you can, while the few people who understand the system are still available.
  • Fear of breaking it. "It works, don't touch it" is a common attitude toward legacy systems. This fear isn't irrational—legacy systems often lack tests—but it can't be an excuse for indefinite inaction.

How Safeguard.sh Helps

Safeguard.sh provides supply chain visibility for legacy systems that traditional tools can't analyze. The platform can ingest manually-created SBOMs, correlate components against current vulnerability databases, and track the risk posture of legacy systems alongside modern applications in a single dashboard. Teams get a clear picture of where their legacy supply chain risk sits, how it compares to the rest of their portfolio, and which systems need the most urgent attention—whether that's compensating controls, modernization, or retirement.

legacy softwaresupply chain risktechnical debtmodernizationvulnerability management
Back to all articles

Related articles in Risk Management

Risk Management

Quantifying Digital Supply Chain Risk

Security teams struggle to express supply chain risk in business terms. This guide covers frameworks and methods for quantifying dependency risk in ways that boards and executives actually understand.

May 8, 2024Read
Risk Management

Where Technical Debt Meets Security Debt

Technical debt and security debt are deeply intertwined. Untangling them requires understanding how shortcuts in code quality create openings for attackers.

March 18, 2024Read
Risk Management

Building a Software Vendor Security Scorecard

Not all vendors are equal when it comes to security. Here is how to build a scorecard that objectively evaluates vendor security practices and informs procurement decisions.

February 28, 2024Read

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.