Secure your code, from the start.

From COBOL to Go: Why We Must Support Legacy Security Training and Beyond

21st May 2020

It seems almost comical that in 2019, we should be talking about working with a computer language that was invented in 1959. There aren't too many seminars or conventions these days devoted to the art of rethreading classic Singer sewing machines, or swapping out the oil pan on a Chevrolet Parkwood or a Triumph Herald. Most of those aging tools have long since been retired, upgraded to new and more efficient models. Yet over here in technology land, which is supposed to be cutting-edge compared to other industries, we are still working with languages like COBOL, which was released around the same time.

Of course, there are very good reasons for this. The Common Business Oriented Language (COBOL) may be 60 years old, but it was so well constructed that it’s still relevant and in widespread use today.

COBOL was created as a relatively simple way, using plain language grouped into specific sentences and syntax, to program backend systems to perform mathematical and formulaic tasks. Why does it live on today? Put simply, it is very good at its job. In a sense, it has become a part of the computing fabric for many mainframe and core systems in industries as diverse as the financial sector and manufacturing.

There have been incremental updates to COBOL over the years, most notably in 2002 when it was turned into an object-oriented language to make programming new applications a little bit more fluid. But for the most part, COBOL remains today what it was back then: an unsung hero, and a workhorse kind of programming language that works on the back-end to underpin many modern mainframe-level applications.

How secure is COBOL?

Unfortunately, there was not much in the way of security considerations when COBOL was first created. For example, many COBOL applications have a password program protecting them, but they are almost never hardened against things like brute-force protection to prevent cracking. Couple this with the fact that many modern security tools that monitor network traffic don’t know how to deal with or evaluate functions happening within programs written in business languages like COBOL, and you have a real problem waiting to happen. Quite a few modern breaches have been successful because of a lack of security oversight for systems running classic computer languages. In 2015, the data of over four million US federal employees was exposed when the Office of Personnel Management (OPM) was hacked, with the blame falling to their usage of COBOL, citing an inability to implement modern security measures on such an archaic system.

Years ago, security was provided by an army of programmers who knew COBOL and other hot languages of the time. Back in the 1960s, COBOL was like today's Java or .Net, and those who knew about it were the rockstars of their departments. As of 2019, those folks have likely long since retired, even though the systems they protected have not.

Expanding COBOL's front lines of defense

Quite a few of these so-called greybeards were brought back to their organizations as contractors to defend the same mainframes they worked on before. In more than a few places, they existed as a bit of an anomaly: a secretive cabal of aging sorcerers in some back corner of the office, their strange dress (wide ties and three-piece-suits) and oddly polite mannerisms not quite fitting in with all the modern hipsters sporting skinny jeans and man buns. Yet, they were absolutely necessary, because few modern programmers sling code in COBOL and other ancient languages. Sadly, even these final wizard sentinels are fading away, finally giving up the ghost and moving to Boca Raton, and enjoying a true retirement.

As such, there is a dire need for people who understand older languages, and the security vulnerabilities that they contain. Even if younger people don’t know how to write code in classic languages, they should at least understand how they work and their potential vulnerabilities. Because while COBOL development has remained relatively static, the threats leveled against networks have continued to evolve. Trying to use ancient cybersecurity techniques programmed sixty years ago, like the aforementioned COBOL password application, to defend a mainframe against modern attackers is akin to deploying a phalanx of spearmen to fight a platoon of space marines - short of a Hollywood-esque miracle, it’s going to end badly for the dudes with the spears.

No matter old or new, it must be secure too.

That is why we believe in the importance of an advanced training system that covers a wide gamut of programming languages and frameworks. You see, one of the glaring issues with a lot of security training options is that the information is simply too generic, or worse - completely irrelevant in the day-to-day jobs of the developer partaking in it. Spending half a day learning about vulnerabilities that only apply to Java isn’t going to help a COBOL developer fortify their system, and it just perpetuates the idea of ‘security’ as a tick-the-box exercise to be forgotten about once the mandatory course has been completed. I might add that training someone in Java security bugs is not always applicable for a Java Spring developer. Secure coding is simply different in every language, even up to the framework level.

In our mission to empower all developers to become security superheroes, we won’t overlook a valid computer language that is still in use at some of the world's most targeted and critical facilities. Exploring our platform, you will find modern, hands-on challenges and training relating to COBOL offered alongside some of the most modern programming tools available today, like Google's Golang. This flexibility ensures that training is relevant to an individual and contextual, mimicking their work environment for maximum engagement and effectiveness. After all, building a robust security culture is paramount in the fight against cyber threats, so training should be practical (and fun, of course!).

We want our industry to get to the stage where it doesn’t matter if security threats are made against systems running aging languages, or against the most modern mobility apps. We want every developer to be armed with the best information about those vulnerabilities, the tools and techniques used by attackers to exploit them and how to stop them cold. We will never surrender or waiver in the face of cybersecurity threats. No matter how modern or how long ago threats or vulnerabilities were created, you can always turn to Secure Code Warrior to learn how to defeat them, every single time.

PS: Think an ancient language escapes susceptibility to SQL injection? Think again. See if you can locate and fix one in COBOL right now.

Pieter is the Co-Founder and CEO of Secure Code Warrior, as well as a principal instructor for the SANS Institute. He also co-founded BruCON, one of the most awesome hacking conferences on the planet.

View Comments