How to Mitigate the Security Risk of Orphaned Applications

The current economic climate is forcing many organizations to cut back and consolidate, leaving many applications abandoned. Unfortunately, these orphaned applications can create cracks in security and disrupt business because they are not adequately assigned and managed. Here, Knowledge Center contributor Ryan C. Barnett discusses the impact of orphaned application syndrome and offers simple steps companies can take to mitigate their risk.


As today's tumultuous economic climate forces organizations in both the private and public sectors to scale back or downsize, many programs, initiatives and even technologies have been abandoned. Similarly, the current economic environment has been rife with merger and acquisition activity as companies and industries scramble to stay afloat. This has resulted in programs and projects that remain abandoned in their new homes.

In fact, a recent survey of 180 IT security professionals found that over 45 percent of respondents experienced a reduction in force that impacted their security organization's ability to adequately protect the enterprise.

While these effects are often chalked up to the pains of staying in business during challenging financial times, the problem of orphaned applications can mean far greater consequences for organizations if it remains unchecked. In this article, I will explain the challenges of orphaned applications and how organizations can protect them, and the sensitive information they can expose, against savvy Web hackers.

Orphaned application syndrome

Orphaned applications are those that have fallen through the cracks of asset management. In general, it means that the application is still on the network and externally accessible, but no one person or group has been tasked with its administration and management.

The problem with orphaned applications is that the systems are not properly assigned and managed, which means that no one is monitoring the application's logs or updating the software with current security fixes and patches. As a result, the applications are left exposed as ripe targets for attackers, who use methods such as SQL injection, cross-site scripting (XSS), and session hijacking and scraping to steal confidential information.

The cost of data leakage from abandoned applications could be steep. A recent study found that the financial impact of identity threat breaches is on the rise, with an average cost of $6.75 million per incident. Up to 80 percent of successful attacks against organizations occur due to exploitation of vulnerabilities in Web applications. MasterCard has identified SQL injection as the top reason for card data compromise.