A relic of the past, legacy code poses significant security risks and development challenges for government agencies, writes Craig Nielsen.
The Australian public sector still heavily relies on legacy IT. According to the Australian Signals Directorate, legacy IT presents significant and enduring risks, specifically to the cybersecurity posture of government entities and organisations. Outdated systems continue to strain public sector IT budgets and often obstruct the rapid innovation governments need to serve their citizens effectively.
It begins with the first line of code, because IT systems are built and maintained through software. Legacy code, a relic of past development practices, poses significant security risks and development challenges to public sector organisations: it is incompatible with modern security tools, and the vulnerabilities it harbours are opportunities for cybercriminals.
Beyond security, maintaining legacy code is a costly endeavour, requiring specialised skills and significant developer time. As a result, organisations are trapped in a cycle of technical debt, struggling to innovate and adapt to changing business needs.
By leveraging AI-driven testing, security capabilities, and code refactoring techniques, organisations can modernise their legacy systems, mitigate security risks, and empower development teams to focus on innovation.
What’s the problem with legacy code?
Legacy code refers to an existing code base that a team inherits from previous team members and continues to use and maintain. The codebase may function correctly, but its long history of modifications by various developers can obscure its original intent and introduce unintended consequences. The current team may struggle to distinguish between valuable and unnecessary changes. Furthermore, the code might rely on outdated frameworks or programming languages, increasing the risk of vulnerabilities and maintenance difficulties.
Government agencies that choose to retain legacy code expose themselves to a multitude of risks. Because the code wasn’t designed for newer technologies, teams may be unable to integrate it with modern software, potentially impacting product performance, scalability, and customer experience.
A particularly significant concern is the lack of security scanners designed for legacy code. This exposes agencies to undetected vulnerabilities, especially when developers unfamiliar with the codebase or its underlying language make updates. Moreover, legacy code frequently relies on memory-unsafe programming languages, which account for up to 70 per cent of identified vulnerabilities.
In 2024, the number of Australian government agencies that met the required levels of cyber security maturity – or Maturity Level 2 on Australia’s Essential Eight cyber security framework – fell to 15 per cent, compared to 25 per cent the year prior. The use of legacy IT systems contributed to this decline, with 71 per cent of entities indicating that using legacy technologies had impacted their ability to implement the Essential Eight. By continuing to rely on outdated code, public sector organisations jeopardise their security posture and undermine their ability to innovate and adapt to the evolving technology landscape.
The solution is code refactoring
Code refactoring – a controlled technique for improving the design of an existing code base – lets teams secure and modernise legacy code without obscuring its original functionality. There are many refactoring techniques – from inline refactoring, which simplifies code by removing obsolete elements, to refactoring by abstraction, which removes duplicate code.
What’s important to know is that code refactoring requires time and significant developer skill to do well. It also requires a lot of testing, at a point when developers are already busy with other tasks. While code refactoring is the answer to bringing your legacy code into the future, making it readable, efficient and secure is a project in and of itself, especially at scale.
How AI can help
Artificial intelligence is already accelerating software development, and there’s a lot it can do to help teams speed up the refactoring process. AI-powered tools can decipher complex legacy code, generate new code, and bridge knowledge gaps for developers unfamiliar with specific languages. AI can speed up the modernisation of legacy systems by automating tedious tasks and providing intelligent assistance.
AI can further enhance refactoring by automating testing and security tasks. It analyses root causes, generates tests, and identifies vulnerabilities, enabling developers to remediate them efficiently. With AI as a powerful ally, code refactoring becomes accessible and achievable for organisations. According to GitLab research, 62 per cent of Australian respondents already use AI across the software development lifecycle to modernise legacy code.
While AI offers significant potential for accelerating code modernisation, it also requires testing, guardrails, and human oversight. To ensure optimal security, teams should combine AI-powered tools with other security measures, such as creating a dynamic software bill of materials. An SBOM provides a comprehensive inventory of software components, including legacy code, enabling organisations to identify and mitigate potential vulnerabilities. Our research showed that only 24 per cent of respondents in Australia use an SBOM to document the composition of their software.
Bring your codebase into the future
While transitioning from legacy codebase maintenance to modernisation may seem daunting, it is a crucial step toward ensuring organisational security and future-proofing operations. By embracing modern tools and techniques, government organisations in Australia can streamline processes, reduce costs, and boost efficiency.
AI-powered tools automate complex code refactoring, securing legacy code and aligning it with modern best practices, which allows development teams to focus valuable resources on innovative product development. This is the most effective way to modernise legacy IT.
Craig Nielsen is vice president, Asia Pacific & Japan, GitLab