COBOL Application Development Security | Secure Code Warrior
It seems almost comical that in 2019, we should be talking about working with a computer language that was invented in 1959. There aren't too many seminars or conventions these days devoted to the art of rethreading classic Singer sewing machines, or swapping out the oil pan on a Chevrolet Parkwood or a Triumph Herald. Most of those aging tools have long since been retired, upgraded to new and more efficient models. Yet over here in technology land, which is supposed to be cutting-edge compared to other industries, we are still working with languages like COBOL, which was released around the same time.
Of course, there are very good reasons for this. The Common Business Oriented Language (COBOL) may be 60 years old, but it was so well constructed that it's still relevant and in widespread use today.
COBOL was created as a relatively simple way, using plain language grouped into specific sentences and syntax, to program backend systems to perform mathematical and formulaic tasks. Why does it live on today? Put simply, it is very good at its job. In a sense, it has become a part of the computing fabric for many mainframe and core systems in industries as diverse as the financial sector and manufacturing.
There have been incremental updates to COBOL over the years, most notably in 2002 when it was turned into an object-oriented language to make programming new applications a little bit more fluid. But for the most part, COBOL remains today what it was back then: an unsung hero, and a workhorse kind of programming language that works on the back-end to underpin many modern mainframe-level applications.
How secure is COBOL?
Unfortunately, there was not much in the way of security considerations when COBOL was first created. For example, many COBOL applications have a password program protecting them, but they are almost never hardened with protections such as brute-force lockout to prevent cracking. Couple this with the fact that many modern security tools that monitor network traffic don't know how to deal with or evaluate functions happening within programs written in business languages like COBOL, and you have a real problem waiting to happen. Quite a few modern breaches have been successful because of a lack of security oversight for systems running classic computer languages. In 2015, the data of over four million US federal employees was exposed when the Office of Personnel Management (OPM) was hacked, with the blame falling on their usage of COBOL, citing an inability to implement modern security measures on such an archaic system.
Years ago, security was provided by an army of programmers who knew COBOL and other hot languages of the time. Back in the 1960s, COBOL was like today's Java or .Net, and those who knew about it were the rockstars of their departments. As of 2019, those folks have likely long since retired, even though the systems they protected have not.
Expanding COBOL's front lines of defense
Quite a few of these so-called greybeards were brought back to their organizations as contractors to defend the same mainframes they worked on before. In more than a few places, they existed as a bit of an anomaly: a secretive cabal of aging sorcerers in some back corner of the office, their strange dress (wide ties and three-piece-suits) and oddly polite mannerisms not quite fitting in with all the modern hipsters sporting skinny jeans and man buns. Yet, they were absolutely necessary, because few modern programmers sling code in COBOL and other ancient languages. Sadly, even these final wizard sentinels are fading away, finally giving up the ghost and moving to Boca Raton, and enjoying a true retirement.
As such, there is a dire need for people who understand older languages, and the security vulnerabilities that they contain. Even if younger people don't know how to write code in classic languages, they should at least understand how they work and their potential vulnerabilities. Because while COBOL development has remained relatively static, the threats leveled against networks have continued to evolve. Trying to use ancient cybersecurity techniques programmed sixty years ago, like the aforementioned COBOL password application, to defend a mainframe against modern attackers is akin to deploying a phalanx of spearmen to fight a platoon of space marines - short of a Hollywood-esque miracle, it's going to end badly for the dudes with the spears.
No matter old or new, it must be secure too.
That is why we believe in the importance of an advanced training system that covers a wide gamut of programming languages and frameworks. You see, one of the glaring issues with a lot of security training options is that the information is simply too generic, or worse - completely irrelevant in the day-to-day jobs of the developer partaking in it. Spending half a day learning about vulnerabilities that only apply to Java isn't going to help a COBOL developer fortify their system, and it just perpetuates the idea of "security" as a tick-the-box exercise to be forgotten about once the mandatory course has been completed. I might add that training someone in Java security bugs is not always applicable for a Java Spring developer. Secure coding is simply different in every language, even down to the framework level.
In our mission to empower all developers to become security superheroes, we won't overlook a valid computer language that is still in use at some of the world's most targeted and critical facilities. Exploring our platform, you will find modern, hands-on challenges and training relating to COBOL offered alongside some of the most modern programming tools available today, like Google's Golang. This flexibility ensures that training is relevant to an individual and contextual, mimicking their work environment for maximum engagement and effectiveness. After all, building a robust security culture is paramount in the fight against cyber threats, so training should be practical (and fun, of course!).
We want our industry to get to the stage where it doesn't matter if security threats are made against systems running aging languages, or against the most modern mobility apps. We want every developer to be armed with the best information about those vulnerabilities, the tools and techniques used by attackers to exploit them and how to stop them cold. We will never surrender or waver in the face of cybersecurity threats. No matter how modern or how long ago threats or vulnerabilities were created, you can always turn to Secure Code Warrior to learn how to defeat them, every single time.
PS: Think an ancient language escapes susceptibility to SQL injection? Think again. See if you can locate and fix one in COBOL right now.
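To make the point concrete, here is an added example (written for this edit, not code from the original post or from Secure Code Warrior's training platform) of the same "unlock an account" routine in embedded-SQL COBOL, once built by string concatenation and once with a host variable. The ACCOUNTS table, its ACCT_ID and LOCKED columns, and the LS-ACCT-ID linkage field are assumptions for illustration; the embedded SQL follows the DB2 precompiler conventions (SQLCA, EXECUTE IMMEDIATE, host-variable colon syntax).

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. ACCTUNLK.
      * Added example, not code from the original post. Two versions of
      * an "unlock account" routine. The ACCOUNTS table, its columns and
      * the incoming LS-ACCT-ID field are assumptions for illustration.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
           EXEC SQL INCLUDE SQLCA END-EXEC.
           EXEC SQL BEGIN DECLARE SECTION END-EXEC.
       01  WS-ACCT-ID          PIC X(20).
       01  WS-STMT.
           49 WS-STMT-LEN      PIC S9(4) COMP.
           49 WS-STMT-TXT      PIC X(200).
           EXEC SQL END DECLARE SECTION END-EXEC.
       LINKAGE SECTION.
       01  LS-ACCT-ID          PIC X(20).
       PROCEDURE DIVISION USING LS-ACCT-ID.
           MOVE LS-ACCT-ID TO WS-ACCT-ID
           PERFORM 2000-UNLOCK-SAFE
           GOBACK.

      * VULNERABLE (kept only to show the pattern to look for in a code
      * review): the caller's value is spliced into the statement text,
      * so an input such as   X' OR '1'='1   becomes part of the WHERE
      * clause and the UPDATE touches every row instead of one.
       1000-UNLOCK-UNSAFE.
           MOVE SPACES TO WS-STMT-TXT
           STRING "UPDATE ACCOUNTS SET LOCKED = 'N' "
                  "WHERE ACCT_ID = '"
                  FUNCTION TRIM(WS-ACCT-ID)
                  "'"
                  DELIMITED BY SIZE
                  INTO WS-STMT-TXT
           END-STRING
           MOVE 200 TO WS-STMT-LEN
           EXEC SQL EXECUTE IMMEDIATE :WS-STMT END-EXEC
           IF SQLCODE NOT = 0
               DISPLAY 'UNLOCK FAILED, SQLCODE=' SQLCODE
           END-IF.

      * SAFE: static SQL with a host variable. The value is bound as
      * data at execution time, so quotes or SQL keywords inside it are
      * compared literally against ACCT_ID and never parsed as SQL.
       2000-UNLOCK-SAFE.
           EXEC SQL
               UPDATE ACCOUNTS
                  SET LOCKED = 'N'
                WHERE ACCT_ID = :WS-ACCT-ID
           END-EXEC
           IF SQLCODE NOT = 0
               DISPLAY 'UNLOCK FAILED, SQLCODE=' SQLCODE
           END-IF.
```

When reviewing COBOL for this bug, the tell-tale signs are a STRING or MOVE that assembles SQL text from a field the program received from a screen, a message queue or a file, followed by EXECUTE IMMEDIATE or PREPARE on that text. Where dynamic SQL is genuinely required (for example, the table name is only known at run time), keep the caller-supplied values out of the text entirely and pass them through parameter markers with PREPARE and EXECUTE ... USING; the structure of the statement may vary, but the data must always travel as bound variables.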
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.