Today’s rapid acceleration of technology is exciting. It means new products and opportunities for growth and innovation are around every corner. And yet this speed of growth and change has its downsides, especially regarding security: just one bad actor can cause massive business disruption, reputation damage, and lost revenue.
You have likely heard industry leaders talk about their need for digital transformation and the worrisome dependency on outdated or “legacy” systems. While legacy code is not inherently problematic, it often isn’t compatible with modern security tools, leading to exploitable vulnerabilities. Coupled with open source code — which requires ongoing security vigilance — your code base may be putting your organization’s data, users, and reputation at risk.
Legacy code is risky from a security and compliance perspective, and it’s also expensive and time-consuming for developers to maintain — if developers on your team even have the legacy knowledge to do the work.
Ultimately, this industry-wide reliance on legacy code is a concerning and costly practice. So, how do we work our way out of it?
Below, I’ll explore legacy code and how organizations can increase the security of their code base with AI-powered code refactoring. Together with AI-driven testing and security capabilities, code refactoring will propel your codebase into the future while empowering your whole team to look ahead, not behind.
What is legacy code?
Broadly, legacy code refers to an existing code base that a team inherits from previous team members and continues to use and maintain. The code might work just fine, but several different developers have likely modified it over the years. The current team might struggle to identify which modifications are valuable and which are not. Additionally, the code might be written using an outdated framework or in a programming language that no one on the team knows (whether it’s simply old or completely obsolete).
It might seem strange that companies still rely on legacy code. While the reasons can vary, think of it like this: You live in an old house. It's cozy and familiar, but the plumbing's unreliable, the wiring is outdated, and every time you fix one thing, something else breaks. Sure, you could remodel, but that means a huge upheaval – contractors, permits, living in chaos for months, and costs that can spiral out of control.
So, you keep patching things up, hoping for the best. It's not ideal, but it works — for now. That's kind of what it's like with legacy code. It's the familiar, “working” solution, even if it's creaky and inefficient. Rewriting it from scratch is a daunting prospect with its own risks and costs. Plus, who has time for a massive overhaul when there are new features to build and urgent bugs to fix?
When it comes to updating code, many companies decide to keep their legacy code because maintaining it can be less disruptive in the short term. Updating code involves a lot of developing and testing code. It can also involve training a team to ensure they have the skills to work with the outdated code language or framework. If there isn’t any documentation, it can be even more challenging to navigate.
What’s the problem with legacy code?
If your organization does decide to stick with your legacy code — and many do — you’re opening yourself up to a host of potential issues. Since this code wasn’t designed for newer tech, you might not be able to integrate it with the latest and greatest software (like AI tools, for example), which could also impact the performance and scalability of your products. This can hold you back and impact customer experience down the line.
What’s most concerning about legacy code, whether it was written five years ago or 50, is that there may be no security scanners that work for this code. That means you can’t detect problems on your own while making updates. Moreover, developers making these updates may not understand the language or its structure well and might even accidentally create vulnerable code in the process. Finally, older applications are commonly written in C or C++, which are memory unsafe languages — proven to host 70% of identified vulnerabilities.
These three issues — the fact that there may be no way to secure legacy code, there are fewer ways to safely update it, and that the end result is far more likely to be vulnerable — should be warning signs for organizations across industries.
In developing a catalog of bad practices that can put critical infrastructure at risk, the U.S. Cybersecurity and Infrastructure Security Agency added the following:
“Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.”
Even if you aren’t working in national security or for national public health and safety, this warning is still applicable: Using old code is not a best practice. It’s a bad one.
The solution: Code refactoring
According to software developer and author Martin Fowler, “Refactoring is a controlled technique for improving the design of an existing code base, a disciplined technique for restructuring an existing body of code, altering its internal structure without changing its external behavior.”
In other words, code refactoring allows you to secure and modernize your legacy code without obscuring its original functionality.
There are many refactoring techniques — from inline refactoring, which involves simplifying code by removing obsolete elements, to refactoring by abstraction, where duplicate code is deleted. What’s important to know is that code refactoring requires time and significant developer skills to do well. It also requires a lot of testing when developers are already busy working on other tasks.
So, while code refactoring is certainly the answer to bringing your legacy code into the future, making it readable, efficient, and secure, it is a project in and of itself, especially at scale.
How AI can help
We know that AI is already accelerating the software development lifecycle — and there’s a lot that AI can do to help teams accelerate the refactoring process, too. For example, tools like GitLab Duo can help explain existing code and create new code, two of the biggest hurdles when modernizing legacy code. If a developer isn’t familiar with a language, AI can help fill in the blanks. Regarding testing and security, AI can also analyze root causes, generate tests, and help developers remediate vulnerabilities. With AI in your toolkit, code refactoring can finally be more accessible and achievable for organizations, so they can move this project off their backlog for good.
According to our research, 34% of all respondents using AI across the software development lifecycle already use AI to modernize legacy code. This is even higher in the financial services industry (46%).
Of course, there are a few things to keep in mind as you start to implement AI in any of your practices.
AI isn’t perfect. It still requires testing, guardrails, and human oversight. So, while it absolutely can facilitate and accelerate some of these critical, time-consuming manual tasks, it can’t do this work alone. Especially regarding security, you should implement other tools to keep your code as secure as possible. We recommend creating a dynamic software bill of materials (also called an SBOM) to give you full visibility into the license and security risks associated with your software, including any legacy code you may have.
Bring your codebase into the future
While the jump from legacy codebase maintenance to modernization might feel daunting, it is the best path forward if you want to keep your organization and user data secure. With the right tools and methods, it may be more efficient for your teams and cost-effective for your company.
The good news is that your teams don’t need to spend time and resources deciphering old languages and working with old frameworks — causing frustration, delays, and bottlenecks. By letting AI do the hard work of refactoring your code so that it’s safe, secure, and functioning as it should, developers can focus on what they do best: building new products and features and driving value for customers.
Driving business success with DevSecOps
DevSecOps gives software development teams, and the whole organization, a security focus that saves companies money and time, while better securing the business, its customers, and its brand. Read our ebook to learn how DevSecOps protects the entire business, saves time and reduces costs, and secures the entire software supply chain.