Upgrading existing infrastructure and migrating from one architecture to another is often the way to keep your information technology up-to-date. Changing major revisions of software is not for the faint of heart. Many sysadmins sacrificed a good portion of their life force just to jump to the next version. Sometimes you are simply stuck. Code is not always maintained. Products might be obsolete. Developers might have abandoned the project. However the application is still in place and keeps on working. When changes hit this kind of environment, you can’t decline the challenge. Meet the legacy systems that will ruin your day. Bernhard Göschlberger and Sebastian Göttfert have spent thoughts on this problem. They will tell you all about it in their presentation at DeepSec 2015.
Well elaborated principles of software engineering foster interoperability between systems and their extensibility. However, a lot of software systems grew and developed over time without incorporating any of those design principles. According to Wikipedia, a legacy system is an old method, technology, computer system, or application program “of, relating to, or being a previous or outdated computer system.”
As we focus on authentication for web applications, we use the term legacy system to refer to web applications with custom user management that cannot be rewritten or replaced for some reason. Despite decades of security research and authentication standards there is still a vast amount of systems with custom authentication solutions and embedded user databases. Such systems are typically hard to be integrated with others in a secure manner. When forced to federate identities to other systems programmers tend to get creative and forget about security principles.
We analysed an existing system of an organisation with approximately 12.000 sensitive user data sets and uncovered severe vulnerabilities in their approach. Those vulnerabilities had been perceived as an acceptable trade off due to the alleged complexity of a clean solution. Unfortunately, we found that a lot of programmers are convinced that quick and dirty solutions are less complicated. We don’t think so!
Hence, we developed a minimal, secure Single-Sign-On-Solution and demonstrated the feasibility of implementing both a minimal Identity Provider and a minimal Service Provider with only a few lines of code. We provided a simple blueprint for an Identity Provider and an easy to use Service Provider Library. It is now possible to integrate arbitrary web based systems with the organisations legacy web application.
Our success story and open source blueprints should inspire others to follow the proposed approach and tailor similar solutions with minimal time effort and low cost.
We recommend this talk for everyone dealing with infrastructure and information technology architecture. We all love it when a plan comes together. More often than not this doesn’t happen. Then you might need the results discussed by Bernhard and Sebastian. Make sure you do not miss this opportunity!
Bernhard Göschlberger studied Software Engineering at the faculty of Informatics, Communication and Media of the University of Applied Sciences Upper Austria (Campus Hagenberg) and Legal and Business Aspects in Technics at the Johannes Kepler University Linz.
He is currently a PhD student in Computer Science at the institute of Telecooperation at the Johannes Kepler University Linz.
Since 2011 he has been working for the Research Studios Austria FG as a researcher in the field of technology enhanced learning.
Sebastian Göttfert studied Business Informatics at the Johannes Kepler University Linz and deepened his knowledge in network technologies at the Oxford Brookes University.
Currently, he is writing his Master’s thesis in Computer Science at the Institute of Telecooperation at the Johannes Kepler University Linz.