Those of us involved in information technology have traditionally used the label legacy for applications running on the mainframe accessed via green screens. Many of us can remember the struggles of getting these legacy Web applications upgraded so that desktops and laptops could easily be used. Then we went through a huge shift to develop and deploy applications that could be accessed via a browser on the Internet — the ultimate in thin client experience and portability optimization.

Legacy Apps Aren’t Going Anywhere

Well, many of those Web applications are still around and used within enterprises, and given their age, they can easily now be considered legacy. They’ve endured the test of time and are functional but probably haven’t been upgraded in a while and the personnel who initially developed them may have moved on, as well.

These legacy Web applications were also developed before many of today’s strict privacy rules and regulations were introduced. They may present to users information that they really should not have access to, such as payment card information (PCI), personal health information (PHI), personally identifiable information (PII) and other individual or proprietary corporate information.

I was recently talking with a company that had put together a portal many years ago that drew information from a couple disparate systems for presentation to customer-facing personnel. Though this certainly helped the agents by providing information at their fingertips, it pulled all the customers’ data, including items like their full Social Security number. In their usage, the agents never really need to see the full value; they really only needed the last four digits of that number for validation. Providing that extra information only created risk and the potential for theft.

How Dynamic Data Masking Can Help

This is where introducing dynamic data masking functionality can help provide necessary data privacy protection and extend the life of these legacy applications. A dynamic data masking appliance can integrate with the Web server stack to identify sensitive data elements and decide how to present them back to the end user.

Based on rules, users can be individually identified or put into classifications for the purposes of rules applicability. Then, based on the data element and the appropriate rule applied, sensitive data can be completely or partially masked. This fine level of granularity can provide flexibility in applying the right level of masking while still delivering the content users need.

The bottom line is for organizations to think about these legacy Web applications and evaluate whether there are data privacy gaps in what information is presented back to users. If that’s the case, dynamic data masking could be the ideal solution.

Download the 2015 Gartner Magic Quadrant for Application Security Testing report

More from Application Security

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

4 min read - Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

4 min read

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

17 min read - Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

17 min read