79% of organizations say that legacy applications hinder their progress and productivity.
To remove these hindrances, in-house developers and product consultants run complete modernization projects. In fact, the application modernization market is predicted to grow from $11.4 billion in 2020 to $24.8 billion in 2025, for a growth rate of 16.8%.
With new technologies and user expectations evolving fast, organizations will need to continually modernize applications that are outdated, whether they're 15 years old, or only 5 years old.
But what is a legacy application?
In this guide, we dive into the real definition and provide 9 examples. Depending on the severity of the problems caused by your own legacy application, these examples might make you feel a little less stressed out.
What is a legacy application?
A legacy application is a software product that is outdated or incorrectly architected to the point that it is prone to failure, causes frustration for users, presents security vulnerabilities, and is difficult to maintain and update.
To remedy these issues, over 80% of technology leaders are prioritizing the migration of legacy applications to modern cloud applications.
But 33% say that a lack of skills is the biggest hindrance to modernizing their legacy applications. This is why organizations of all sizes often outsource to modernization experts, who complete the project and either continue to own the product or hand it over seamlessly to the in-house team, providing upskilling and training along the way.
What makes an application "legacy"?
Legacy systems and applications are typically experiencing one or more of these problems:
End of life – The technology used to build the application might be at the end of its life, meaning it is rarely used anymore and features and security are deprecated.
Outdated architecture – If the data architecture and code architecture of the platform are outdated, it will cause security vulnerabilities and make it challenging to use, maintain, and update the application.
Lack of application knowledge or skills – The internal team might lack the knowledge or skills necessary to maintain the application. This is usually related to end-of-life technology. Businesses need to retain the knowledge of the aging IT workforce and modernize their applications continuously to avoid the massive risks of complete knowledge loss.
Not scalable – Sometimes, an application will crash under heavy user loads. This can be detrimental to an organization's growth, whether for internal users or customers.
Nearly impossible to update – Many legacy applications are so rife with issues that it's nearly impossible for developers to deploy upgrades and new features.
9 top examples of legacy applications
These applications have all been modernized or are undergoing the process of modernization. But before the transformation, they caused a lot of problems for users and developers.
1. The US Ski and Snowboard Team's Legacy CRM
The US Ski and Snowboard Team not only manages and supports Olympic athletes, but also tens of thousands of young athletes from over 500 ski clubs around the country. The organization was using an outdated legacy application to manage athlete data and take applications for the ski clubs. The system was causing a lot of internal struggles, such as slow productivity and the need to double up on work. Application data wasn't integrated with the rest of the system, forcing the need for manual data entry.
The US Ski and Snowboard team worked with DevSquad to modernize their application from the ground up. They built a new system for athlete data that seamlessly integrated with all other necessary applications and functionality.
Jon Larson, IT Director of US Ski and Snowboard Team, had this to say about the modernization project: “DevSquad was able to bring fresh ideas when we needed them to, and push back when we needed them to. They’re great at sprint planning and supporting every aspect of the development process. When you work with DevSquad, you don’t get an expert in one thing—you get an expert in every part of product development.”
2. Shopify's Monolithic Architecture
In 2019, the Shopify development team decided to rearchitect their outdated system, which is one of the largest Ruby on Rails codebases. Kirsten Westeinde from the engineering team explained, "It was initially built as a monolith, meaning that all of these distinct functionalities were built into the same codebase with no boundaries between them. For many years this architecture worked for us, but eventually, we reached a point where the downsides of the monolith were outweighing the benefits."
Here are some of the challenges that the legacy application was causing:
Increasingly difficult to build and test new features
The code was fragile, causing unexpected and prevalent failures
Difficult to onboard new developers
To resolve these issues, the team opted for a modular monolith, rather than the microservices approach. Here at DevSquad, we also avoid microservices because they cause communication challenges between the independently-deployed services.
3. The Archives and Records Centers Information System (ARCIS)
The US National Archives and Records Administration (NARA) has, like many government agencies, created a lot of technical debt over the past couple of decades. It was very hard for them to maintain and update the Archives and Records Centers Information System (ARCIS), and they were also plagued with many paper-based methods still in use.
The analog methods coupled with the outdated application resulted in slow case-processing times for veterans and their families inquiring about their benefits.
In May of 2022, NARA allocated $9 million to the modernization of this system and another outdated application in order to improve functionality, usability, and speed for veterans.
4. First American Financial Corp's Website
In what is known as one of the largest data breaches to date, First American Financial Corp dealt with the negative consequences of a legacy application on the worst possible scale. Their website application allowed anyone who had the link to access sensitive files. Think of the issue as if Google Docs allowed View access to every file for all users.
As a mortgage lender, the company lost millions of its customers' sensitive files (885 million files!). The website error is known as an Insecure Direct Object Reference (IDOR): private information was visible without requiring verification or authentication procedures.
By continuing to operate with outdated technology, the company had failed to implement the basic authentication methods of more modern brands.
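The IDOR pattern described above, shown beside its fix. This is an added example, not code from First American or from this article's author; the document store, handler names, users and IDs are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str   # account the record belongs to
    body: str

# Constructed sample data: sequential IDs, as in a link-addressable document store.
DOCUMENTS = {
    1001: Document(1001, "alice", "closing statement (constructed)"),
    1002: Document(1002, "bob", "wire instructions (constructed)"),
}

Response = tuple[int, Optional[str]]  # (HTTP-style status, body)

def fetch_vulnerable(session_user: Optional[str], doc_id: int) -> Response:
    """IDOR: the ID in the link is the only 'credential'.
    The session is ignored and the owner is never compared."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc.body) if doc else (404, None)

def fetch_hardened(session_user: Optional[str], doc_id: int) -> Response:
    """Authenticate first, then authorize against the object's owner on every request."""
    if session_user is None:
        return (401, None)  # no authenticated session
    doc = DOCUMENTS.get(doc_id)
    # Same 404 for 'missing' and 'not yours', so the response does not
    # confirm which IDs exist to a caller who does not own them.
    if doc is None or doc.owner != session_user:
        return (404, None)
    return (200, doc.body)

def cross_account_reads(handler: Callable[[Optional[str], int], Response],
                        user: Optional[str], ids: Iterable[int]) -> list[int]:
    """Regression check: IDs that return 200 to a caller who does not own them."""
    leaked = []
    for doc_id in ids:
        status, _ = handler(user, doc_id)
        if status == 200 and DOCUMENTS[doc_id].owner != user:
            leaked.append(doc_id)
    return leaked

if __name__ == "__main__":
    print("vulnerable:", cross_account_reads(fetch_vulnerable, "alice", range(1000, 1004)))
    print("hardened:  ", cross_account_reads(fetch_hardened, "alice", range(1000, 1004)))
```

Run as a test in CI, a check like cross_account_reads catches an object-level authorization gap before release.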
5. Equifax's Third-Party Web Portal
Equifax is one of the largest credit reporting agencies in the US. They were using an outdated third-party web portal called Apache Struts that had a backend vulnerability which gave users broad permissions instead of utilizing a zero-trust model. Even after patching it, Equifax provided the wrong level of permission for 76 days after the fact.
Equifax later invested $1.4 billion to fix the data breach, offering an excellent example of why organizations need to continuously monitor the modernity and security of their third-party tools.
6. Box's Employee Onboarding and Offboarding System
Antiquated internal-use tools can be just as cumbersome as customer-facing products.
Cloud storage provider Box had been using a legacy system to onboard and offboard new employees. It required cybersecurity professionals to track the onboarding and offboarding processes and handle much of the heavy lifting themselves. These professionals (who have a high salary) were wasting time on repetitive manual tasks instead of innovating and building the future.
Box partnered with DevSquad to build a modern application that would automate much of the work. The result was an application that the ticketing and service team could manage instead of the cybersecurity professionals.
“We were able to move from spreadsheets and a lot of work on the systems side to everything being handled by our ticketing system and help staff,” says John Allen, a Senior Software Engineer at Box. “DevSquad made it so that Laravel was pulling information from our ticketing system for both people who were joining the company and leaving the company. It was actioning on those items after support staff clicked a button to start either process, and then it would give the support staff feedback on where they were in that process.”
7. The UK's NHS Legacy Application
The UK National Health System (NHS) is running on legacy technology. One general practitioner says it takes her 17 minutes after logging onto the application to use it for her practice. The problem is that the application is still designed for Windows 7, despite Windows 10 and 11 being the updated operating systems.
The reliance on outdated operating systems causes cybersecurity issues and makes the NHS's IT infrastructure even more complex. The organization is known for taking a long time to migrate technology to current operating systems, causing many analysts to say that they're always playing a game of catch-up and that there will always be vulnerabilities.
8. JBS Food's Vulnerable Applications
Legacy applications are prevalent in the food industry. Manufacturing facilities and processing plants continue to rely on outdated systems. Bad actors can use these vulnerabilities to undermine our nation's food security, which in turn can lead to food shortages, high food costs, political protests, localized theft, and more.
Russian criminals utilized the vulnerabilities of a legacy application to launch a ransomware attack. JBS Foods, a large meatpacker in the US, had to cease operations across several sites in Australia and the US due to the attack.
To prevent similar attacks, JBS Foods and other food manufacturers are implementing the zero-trust method to limit access to sensitive files and remote machine access. Operators need to be able to monitor plant performance, without leaving plants open to attack.
Bad actors will continue to prioritize the softest targets that deliver the largest ransomware payments, beginning with processing and utility plants that are core to supply chains. Locking up a supply chain with ransomware is the payout multiplier that attackers want because manufacturers often pay up to keep their businesses operating.
Any business that integrates OT, IT and ICS systems may want to examine the benefits of pursuing a ZTNA-based framework to secure its infrastructure. Implementing a ZTNA framework doesn’t have to be expensive or require an entire staff. - Louis Columbus
9. The Air Force's AEF Online Application
The United States Air Force recently modernized their AEF Online application, renaming it AFFORGEN Connect.
AEF Online worked as a single access point for all unclassified Air and Space Force readiness and deployment preparation. Airmen use it to get information on training events and pre-deployment actions.
The old system was clunky, difficult to use, and incredibly slow, leading to inconsistencies in communication with airmen.
Now, the newly modernized AFFORGEN Connect offers a much faster experience for finding readiness information, completing their readiness checklist, and uploading supporting documents for their mobility files. Airmen are able to complete these actions much faster than before, which improves user accessibility. And of course, with accurate readiness information and processes, national security is positively impacted as well.
Modernize your legacy application
Legacy applications can cause massive cybersecurity risks and lead to high rates of customer churn and employee frustration. Not only that, but they are costly to maintain.
Whether your users are staff or customers, you need to provide high-quality applications that keep pace with modern expectations and get the job done.
DevSquad specializes in modernization projects for enterprises and government organizations. We offer data architecture strategy, product strategy, and end-to-end product management.