
Supporting and Securing Legacy Infrastructure

By Alan Gush

The COVID-19 pandemic exposed critical insufficiencies in the legacy technology systems at local, state, and federal levels. As a result, a bipartisan group of lawmakers, including Reps. James Langevin (D-R.I.), Mike Gallagher (R-Wis.), Cedric Richmond (D-La.) and Michael McCaul (R-Texas), drafted a “dear colleague” letter that urged House Speaker Nancy Pelosi and Minority Leader Kevin McCarthy to allocate technology modernization funding in the HEROES Act. Rep. Langevin is a commissioner on the Cyberspace Solarium Commission and holds a cybersecurity leadership post on the House Armed Services Committee. Rep. Gallagher is a co-chair of the Solarium Commission, which was chartered by Congress to develop forward-looking cybersecurity policies. Rep. Richmond is chairman of the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee of the House Homeland Security Committee. Rep. McCaul is a former chairman of the Homeland Security Committee and was a co-sponsor of the legislation that chartered the Cybersecurity and Infrastructure Security Agency. The letter states, “As we consider additional legislative measures to address the urgent needs of our citizens, we encourage you to consider the digital infrastructure on which so many of our constituents rely to access vital government service,” and continues, “Outdated digital infrastructure means that services don’t scale, so rapid relief is unavailable to large numbers in times of crisis” [1]. While it remains unclear whether Congress will allocate additional funding for modernization efforts, it is important to understand why so many legislative leaders on technology issues are concerned about the deficiencies and dangers of legacy systems.

What are Legacy Systems?

The adjective “legacy” is often used for a mission-critical hardware or software solution that is difficult to keep up, expensive to maintain, and vulnerable to attackers. Legacy infrastructure is prevalent in both public and private sector organizations because, as entities grew over years or decades, they expanded their networks without modernizing aging systems. Legacy systems often cannot meet modern technology requirements, may be patched or updated infrequently, and are more susceptible to common exploits and malware because known vulnerabilities remain unmitigated long after they are public.

Why Don’t Organizations Modernize?

Modernization, while logical, is not easy. According to a 2020 global study, 74% of organizations started a legacy system modernization project but failed to complete it, for reasons such as a misalignment of technical and leadership priorities [2]. International Data Corporation (IDC) estimated that nearly $1.2 trillion was spent globally on digital transformation efforts in 2019; however, an estimated 70% of digital transformation efforts experience significant challenges or fail altogether [3] [4]. Reasons for partial or complete failure range from transition difficulty to push-back from complacent end-users. Every failed attempt at modernization increases “digital transformation fatigue” and carries a cost that deters future efforts [5].

What is the threat of Legacy Infrastructure?

Outdated infrastructure often fails to meet the performance demands of the modern world. Worse, antiquated hardware and software are prime targets for cybercriminals and advanced persistent threats (APTs). Adversaries scan for exposed legacy systems with easily exploitable, publicly known vulnerabilities. Once a foothold has been established on the network, the attacker can sell that access as a service or move laterally to compromise other networked systems.

What Solutions Exist to Secure Legacy Infrastructures?

Legacy infrastructure introduces deficiencies, challenges, and risks to government networks, but modernization funding is not always immediately available. Successful modernization strategies often require years and, in some instances, are outdated by the time they are complete. More affordable, more immediate, and more secure options exist. Polyverse offers cybersecurity solutions that build diversity and uniqueness across multiple system dimensions, increase the complexity and cost of an attack, and stop many attacks before they start.

Polymorphing compiles a Linux distribution with a compiler that randomizes the layout of the generated machine code, so that every build has a unique binary makeup while behaving identically to the stock distribution. This mitigates the memory-corruption exploits that, by Polyverse’s count, account for 80% of all CVEs [6]: an exploit that depends on the fixed addresses, offsets, or gadget sequences of a reference build fails against a binary that was compiled differently. Polymorphing therefore reduces, rather than removes, the pressure to patch legacy systems; the underlying bug is still present, and a patch remains the only fix. Polymorphing is available for Linux distributions including Red Hat, Alpine, CentOS, Fedora, Ubuntu, SUSE and Debian [6], and Polyverse also offers polymorphing for embedded and IoT devices [7].

Many outdated servers run software that is patched infrequently, if at all. For PHP, Polyverse’s polyscripting gives each deployment its own randomized spelling of the language’s keywords and rewrites the application’s own code to match, so that code injected at runtime in standard PHP syntax fails to parse and cannot execute. Injection has ranked at or near the top of the OWASP Top 10 since 2010. Polyscripting reduces the urgency of patching and blocks code-injection attacks without adding runtime overhead or changing application functionality [8].
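The mechanism described above, as an added example that is not Polyverse code and not part of the original article: a toy two-keyword language stands in for PHP, `make_keyword_map` gives each deployment a random spelling of the keywords at build time, `rewrite_source` translates only the application’s trusted source, and `handle_request` reproduces the vulnerable pattern of splicing untrusted input into code before interpreting it. The language, the `APP_SOURCE` template, the `INJECTION` payload and all function names are invented for the demonstration; the real product applies the same idea inside the PHP interpreter’s grammar rather than with a regular expression over source text.

```python
"""Toy model of per-deployment keyword randomization (the idea behind
polyscripting). Example written for this article; not Polyverse code."""
import re
import secrets

# Canonical keywords of an invented two-statement language:
#   let NAME = INT    bind NAME to an integer
#   print NAME        append NAME's value to the output list
KEYWORDS = ("let", "print")

# The un-randomized interpreter: every deployment speaks the same language,
# so any attacker who knows the language can inject statements.
IDENTITY_MAP = {kw: kw for kw in KEYWORDS}

_KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b")


class ParseError(Exception):
    """A statement does not begin with a keyword of this deployment's dialect."""


def make_keyword_map():
    """Build-time step: give each canonical keyword a fresh random spelling."""
    return {kw: "k" + secrets.token_hex(4) for kw in KEYWORDS}


def rewrite_source(src, kwmap):
    """Build-time step: translate TRUSTED application source into the dialect.
    Untrusted runtime input never goes through this function; it keeps
    speaking the canonical language, which no deployed interpreter accepts."""
    return _KEYWORD_RE.sub(lambda m: kwmap[m.group(1)], src)


def run(program, kwmap):
    """Runtime step: interpret a program written in the dialect of kwmap."""
    canonical = {token: kw for kw, token in kwmap.items()}
    env, out = {}, []
    for lineno, line in enumerate(program.strip().splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        kw = canonical.get(parts[0])  # None for any token outside the dialect
        if kw == "let" and len(parts) == 4 and parts[2] == "=":
            env[parts[1]] = int(parts[3])
        elif kw == "print" and len(parts) == 2:
            out.append(env.get(parts[1]))
        else:
            raise ParseError(f"line {lineno}: {line!r} is not a statement here")
    return out


# Trusted application template (constructed for the demo). It is rewritten
# into the deployment dialect once, at build time.
APP_SOURCE = """
let secret = 4242
let answer = {user_value}
print answer
"""

# Attacker-controlled value carrying a second statement: the same shape as
# splicing $_GET['v'] into a string that is handed to PHP's eval().
INJECTION = "7\nprint secret"


def handle_request(user_value, kwmap):
    """The vulnerable pattern: trusted code is compiled correctly, but untrusted
    text is concatenated into it at runtime and then interpreted."""
    compiled = rewrite_source(APP_SOURCE, kwmap)            # build time
    program = compiled.replace("{user_value}", user_value)  # runtime splice
    return run(program, kwmap)


def leaks_secret(kwmap):
    """True if the injected 'print secret' statement executed under kwmap."""
    try:
        return 4242 in handle_request(INJECTION, kwmap)
    except ParseError:
        return False  # the injected statement did not parse in this dialect


if __name__ == "__main__":
    randomized = make_keyword_map()
    print("honest request, standard language :", handle_request("7", IDENTITY_MAP))
    print("honest request, randomized dialect:", handle_request("7", randomized))
    print("injection leaks, standard language :", leaks_secret(IDENTITY_MAP))
    print("injection leaks, randomized dialect:", leaks_secret(randomized))
```

Two caveats a practitioner should take from the toy: the injected request now fails with a parse error instead of silently succeeding, so that error must be logged and handled rather than surfaced to the user; and an attack that needs no keyword (a malformed integer here, or a purely data-level attack in a real application) is untouched, which is why keyword randomization complements input validation and patching rather than replacing them.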

Finally, Polyverse offers a build farm for government and defense organizations that are struggling with legacy upkeep and modernization efforts. The Polymorphing Build Farm for Government runs the source code of a chosen Linux distribution through the polymorphic compiler, producing a complete Linux stack with a unique binary layout that resists memory-based attacks while functioning and performing as users expect. Agencies own the polymorphic compiler and control the supply chain of protected packages and updates to their systems, with increased visibility and management capacity. Because a fresh build can be generated and deployed as often as every 24 hours, an exploit tuned to one build is not reusable against the next, which denies attackers a stable foothold on the network [9].


Legislators and government officials recognize the technological insufficiencies and security deficiencies of the legacy systems deployed at local, state, and federal agencies. It remains unclear whether widespread modernization is possible or whether funding will be readily available in the foreseeable future. Polyverse solutions for legacy infrastructure can mitigate the most severe threats while reducing the pressure to patch.


[1] A. Mazmanian, “In COVID relief, lawmakers look to help states with legacy IT”, FCW, 2020. [Online]. Available: [Accessed: 23-May-2020].

[2] “74% Of Organizations Fail to Complete Legacy System Modernization Projects, New Report From Advanced Reveals”, 2020. [Online]. Available: [Accessed: 28-May-2020].

[3] M. Bucy, A. Finlayson, G. Kelly and C. Moye, “The ‘how’ of transformation”, McKinsey & Company, 2016. [Online]. Available: [Accessed: 23-May-2020].

[4] “Businesses Will Spend Nearly $1.2 Trillion on Digital Transformation This Year as They Seek an Edge in the Digital Economy, According to a New IDC Spending Guide”, IDC, 2019. [Online]. Available: [Accessed: 23-May-2020].

[5] “Digital Transformation Failure: Avoiding Fatigue”, Impact Networking, 2019. [Online]. Available: [Accessed: 23-May-2020].

[6] “Polymorphing – The Ultimate Linux Security Solution | Polyverse Corporation”, Polyverse Corporation, 2020. [Online]. Available: [Accessed: 23-May-2020].

[7] “Embedded and IOT Security”, Polyverse Corporation, 2020. [Online]. Available: [Accessed: 23-May-2020].

[8] “Improve PHP Security with Polyscripting | Polyverse Corporation”, Polyverse Corporation, 2020. [Online]. Available: [Accessed: 23-May-2020].

[9] “Build Farm for Government – Polyverse”, Polyverse Corporation, 2020. [Online]. Available: [Accessed: 23-May-2020].
