Full Report
In this video, John Strand discusses the complexities and challenges of penetration testing, emphasizing that it goes beyond just finding and exploiting vulnerabilities. The post 5 Things We Are Going to Continue to Ignore in 2025 appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Managing Security Risks from Legacy Systems and Penetration Testing Efficacy
## Overview
These practices address the security challenges stemming from the accumulation of neglected legacy systems (applications and servers) and emphasize shifting penetration testing beyond automated vulnerability scanning to focus on complex, creative human-led exploitation, compensating for hard-to-fix vulnerabilities through exception management.
## Key Recommendations
### Immediate Actions
1. **Differentiate Pen Testing Scope:** Immediately cease defining penetration testing solely as automated vulnerability scanning, exploitation, and simple pivoting. Re-scope testing agreements to prioritize human-led analysis against complex logic, non-standard issues, and areas AI cannot address.
2. **Inventory Critical Exceptions:** Compile a comprehensive, current register of all accepted security exceptions, especially those tied to critical or high-risk findings that were deemed too difficult or costly to remediate immediately.
### Short-term Improvements (1-3 months)
1. **Targeted Legacy Application Review:** Initiate prioritized assessments targeting aged, long-running legacy applications and servers. Focus on potential new classes of vulnerabilities that current patching cycles might overlook due to reliance on outdated codebases.
2. **Implement Compensating Controls:** For every security deviation listed in the exception register (especially legacy systems), formally document and implement compensating controls that demonstrably mitigate the risk associated with the exception.
3. **Review SaaS Application Age:** Audit third-party Software-as-a-Service (SaaS) providers to identify applications with potentially stagnant codebases (e.g., not updated in 5+ years), treating them as internal legacy risks if continuous innovation is not evident.
### Long-term Strategy (3+ months)
1. **Establish Legacy Retirement/Modernization Roadmap:** Develop a multi-year strategy for decommissioning obsolete servers and applications, or aggressively modernizing them, rather than allowing the "snowball of crap" to continuously grow.
2. **Formalize Exception Review Cycles:** Implement mandatory, periodic (e.g., quarterly or bi-annually) reviews by senior leadership and security teams for all outstanding exceptions to ensure they remain necessary and that compensating controls are effective.
3. **Invest in Advanced Penetration Testing:** Ensure the security budget allocates resources for advanced penetration testing that incorporates complex attack paths, business logic flaws, and multi-stage compromises that automated tools consistently miss.
## Implementation Guidance
### For Small Organizations
- **Focus Remediation:** Prioritize the remediation of *all* vulnerabilities, not just critical/high, across the small set of systems you own, as every medium/low item contributes to the overall risk accumulation.
- **SaaS Scrutiny:** When onboarding new SaaS solutions, demand evidence of a robust, recent patching and innovation cadence from the vendor, treating stale SaaS products as high-risk liabilities.
### For Medium Organizations
- **Automate Baseline Tasks:** Aggressively automate vulnerability scanning and known exploit detection to free up security staff (or MSSP resources) to focus manual efforts on legacy system analysis.
- **Cross-Departmental Exception Buy-in:** Formalize the exception process requiring sign-off from both operational leadership (who owns the application) and security leadership to prevent low-priority issues from being ignored indefinitely.
### For Large Enterprises
- **Establish Risk Acceptance Governance:** Institute a formal Risk Acceptance Board responsible for reviewing and approving all high and medium-risk exceptions. This board must link exceptions directly to strategic technical debt reduction goals.
- **Measure Legacy Footprint:** Create metrics tracking the age and number of applications and servers actively running (e.g., age banding). Use these metrics to reward teams that successfully reduce the legacy footprint rather than simply adding new services.
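As an added, constructed example (not code from the BHIS post): a small Python script that applies age banding to a hypothetical asset inventory, lists assets whose code has not changed in 5+ years (the SaaS age review above), and checks an exception register for missing compensating controls or reviews that are overdue on the quarterly/bi-annual cadence suggested above. Asset names, dates, band cut-offs and review intervals are all assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample inventory (hypothetical assets, not from the post):
INVENTORY = [
    {"name": "billing-web", "last_update": date(2012, 6, 1)},
    {"name": "hr-portal", "last_update": date(2018, 2, 14)},
    {"name": "crm-saas", "last_update": date(2019, 11, 30)},
    {"name": "api-gateway", "last_update": date(2024, 9, 3)},
]

# Constructed exception register: severity, the documented compensating
# control (empty string = none) and the date the exception was last reviewed.
EXCEPTIONS = [
    {"id": "EXC-001", "severity": "critical", "control": "WAF + segmentation", "reviewed": date(2024, 1, 15)},
    {"id": "EXC-002", "severity": "medium", "control": "", "reviewed": date(2024, 12, 1)},
    {"id": "EXC-003", "severity": "high", "control": "SSO + vendor patch SLA", "reviewed": date(2025, 1, 20)},
]
TODAY = date(2025, 3, 1)  # constructed reference date so the run is reproducible

def years_since(d, today):
    return (today - d).days / 365.25

def age_band(years):
    # Band cut-offs are an assumption; adjust to the organisation's own.
    for limit, label in ((2, "0-2y"), (5, "2-5y"), (10, "5-10y")):
        if years < limit:
            return label
    return "10y+"

def legacy_footprint(inventory, today):
    """Count assets per age band; the 5-10y and 10y+ bands are the footprint to shrink."""
    return Counter(age_band(years_since(a["last_update"], today)) for a in inventory)

def stale_assets(inventory, today, max_years=5):
    """Assets whose code has not changed in max_years (the SaaS age review)."""
    return [a["name"] for a in inventory if years_since(a["last_update"], today) >= max_years]

def exception_findings(register, today):
    """Flag exceptions lacking a compensating control or past their review date.
    Critical/high exceptions are reviewed quarterly (90 days), others bi-annually (180)."""
    findings = []
    for exc in register:
        interval = 90 if exc["severity"] in ("critical", "high") else 180
        if not exc["control"]:
            findings.append((exc["id"], "no compensating control documented"))
        if today - exc["reviewed"] > timedelta(days=interval):
            findings.append((exc["id"], "review overdue"))
    return findings
```

Feeding a real CMDB export and exception register into these functions gives the age-band metric and a review worklist in one pass.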
## Configuration Examples
No specific configuration examples were provided in the context. General guidance suggests:
* **Compensating Control Example (Conceptual):** If an old web server (legacy app) cannot be patched, configure a Web Application Firewall (WAF) to exclusively filter traffic attempting known exploit patterns against that specific server's endpoints, supplemented by strict network segmentation.
## Compliance Alignment
The practices align with the principles underlying comprehensive risk management frameworks:
* **NIST Cybersecurity Framework (CSF):** Primarily aligns with **Identify (ID.RA, ID.AM)** by forcing identification and analysis of system age/technical debt, and **Protect (PR.IP, PR.PT)** by implementing compensating controls and ensuring testing effectiveness.
* **ISO/IEC 27002:** Supports controls related to **Asset Management** (tracking exceptions) and **Vulnerability Management** (dealing with difficult-to-remediate issues).
* **CIS Controls:** Relates to **Control 3 (Asset Inventory)** and **Control 29 (Application Software Security)**, encouraging the removal or securing of legacy software.
## Common Pitfalls to Avoid
* **Mistaking Pen Test for Scan:** Relying primarily on penetration tests to catch only what automated scans missed, rather than using testers for creative, human-centric bypass techniques.
* **The 'Low/Informational' Pileup:** Ignoring vulnerabilities classified as Low/Informational/Medium, as these details accumulate into a massive, unmanageable risk surface ("snowball of crap") that new zero-days exploit.
* **Treating Exceptions as Permanent Fixes:** Allowing security exceptions related to legacy systems to persist indefinitely without periodic review or active remediation planning.
* **Assuming Cloud Solves Legacy Debt:** Believing that migrating to SaaS or cloud infrastructure inherently removes the problem of stale, unmaintained, or cash-cow software stacks.
## Resources
- **Security Testing Methodology Documentation:** Develop internal documentation clearly outlining the required scope and depth for penetration testing beyond automated checks.
- **Technical Debt Reporting Templates:** Create standardized reports for tracking the age and risk profile of all applications and servers to feed into modernization planning.
- **Risk Acceptance Documentation Standard:** Formalize the intake and approval process for compensating controls and acknowledged exceptions.