Case Study - Reducing Security and Delivery Risk Across Two Out-of-Support Platforms

A company ran two large, business-critical platforms built on out-of-support technology. Both moved sensitive data through third-party integrations, neither was documented, and the engineers who built them had moved on. The company could not confidently say what the systems contained, how they worked, or how exposed they were. That is a difficult position for any business, and an expensive one the moment a security review, an audit, or an acquisition puts the systems under scrutiny.

The Situation

Years of growth had left both platforms without a current map of how they worked. Builds were manual and hard to reproduce, onboarding a new developer took weeks, and the technology underneath had passed end-of-life, so security patches and vendor support were gone. A first static-analysis pass made the exposure concrete: more than 1,500 potential SQL-injection paths across the two codebases, 64 credentials hardcoded directly in source, weak password hashing, and unauthenticated test endpoints reachable in production. None of it was quantified, prioritized, or owned. Leadership needed three things at once: a clear picture of what it owned, an honest read on the real risks, and a credible plan to reduce them without stalling day-to-day delivery.

Our Approach

Aligned built lightweight static-analysis tooling that read each codebase and produced a browsable catalog of its front-end, back-end, and database components, their dependencies, and their security hot spots, turning two opaque systems into something the team could navigate and reason about. With that map in hand, we stood up containerized local environments so any developer could bring up the full system in minutes, and we wired reproducible, multi-stage build and release pipelines with linting, static analysis, and container-image scanning into continuous integration, producing versioned artifacts traceable back to source.
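
As an added illustration of what such a catalog can look like in miniature (this is example code written for this page, not Aligned's tooling or the client's code), the script below walks a constructed in-memory "codebase", assigns each file to a tier by path, records its import-based dependencies, and flags two kinds of hot spot: string literals assigned to credential-looking names, and SQL keywords inside a string that is then concatenated or %-formatted. The path prefixes, regexes and sample files are all assumptions; a real pass would use a proper parser per language, but the catalog shape is the point.

```python
"""Minimal codebase catalog: tiers, dependencies, and security hot spots.

The SAMPLE_TREE below is a constructed stand-in for a checked-out repo.
Regexes are deliberately simple; they show the catalog's structure, not a
production-grade analyzer.
"""
import re
from collections import defaultdict

# Constructed sample codebase (path -> source text). Not real code from any client.
SAMPLE_TREE = {
    "web/static/app.js": "import { api } from './api';\nfetch('/api/users');\n",
    "api/users.py": (
        "import db\n"
        "from config import settings\n"
        "def get_user(name):\n"
        "    return db.query(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n"
    ),
    "api/mail.py": (
        "import smtplib\n"
        "SMTP_PASSWORD = 'hunter2'\n"
        "api_key = \"AKIA-EXAMPLE-NOT-REAL\"\n"
    ),
    "db/migrations/001.sql": "CREATE TABLE users (id INT, name TEXT);\n",
}

# Assumed layout convention: path prefix decides the tier.
TIER_RULES = [("db/", "database"), ("web/", "front-end"), ("api/", "back-end")]

PY_IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([\w.]+)", re.M)
JS_IMPORT_RE = re.compile(r"""from\s+['"]([^'"]+)['"]""")
# A string literal assigned to a name containing a secret-like word.
CRED_RE = re.compile(
    r"(?i)\b\w*(password|passwd|secret|api_key|token)\w*\s*=\s*['\"][^'\"]+['\"]")
# A string literal containing a SQL verb, immediately followed by + or % (string-built SQL).
SQL_CONCAT_RE = re.compile(
    r"""(?i)(["'])[^\n]*?\b(select|insert|update|delete)\b[^\n]*?\1\s*(\+|%)""")


def classify(path):
    """Map a file path to its tier using TIER_RULES."""
    for prefix, tier in TIER_RULES:
        if path.startswith(prefix):
            return tier
    return "unclassified"


def dependencies(path, source):
    """Collect imported module names, picking the regex by file extension."""
    regex = JS_IMPORT_RE if path.endswith(".js") else PY_IMPORT_RE
    return sorted(set(regex.findall(source)))


def hot_spots(source):
    """Return (kind, line_number) pairs for each flagged line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if CRED_RE.search(line):
            findings.append(("hardcoded-credential", lineno))
        if SQL_CONCAT_RE.search(line):
            findings.append(("sql-string-concat", lineno))
    return findings


def build_catalog(tree):
    """Produce the browsable catalog: per-component detail, tier index, and a flat hot-spot list."""
    catalog = {"components": {}, "by_tier": defaultdict(list), "hot_spots": []}
    for path, source in sorted(tree.items()):
        tier = classify(path)
        spots = hot_spots(source)
        catalog["components"][path] = {
            "tier": tier,
            "dependencies": dependencies(path, source),
            "hot_spots": spots,
        }
        catalog["by_tier"][tier].append(path)
        catalog["hot_spots"].extend((path, kind, lineno) for kind, lineno in spots)
    return catalog


if __name__ == "__main__":
    cat = build_catalog(SAMPLE_TREE)
    for tier, paths in sorted(cat["by_tier"].items()):
        print(f"{tier}: {', '.join(paths)}")
    for path, kind, lineno in cat["hot_spots"]:
        print(f"HOT SPOT {kind} at {path}:{lineno}")
```

The flat `hot_spots` list is what becomes a backlog once each entry is given a risk rank; the `by_tier` index is what lets a new developer start navigating the system without reading every file.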

On the security side, we hardened session handling with secure cookie flags and server-side token expiration, moved all 64 hardcoded credentials out of source and into managed configuration, remediated the highest-risk injection paths, and closed an unsafe file-access route. Where the integration layer had been copy-pasted, we refactored it behind a clean interface so new integrations are simpler and safer to add. Throughout, we documented what we found and ranked every remaining issue by risk, so the work that followed could be sequenced by exposure, not guesswork.
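
To make the session-hardening step concrete, here is an added, self-contained example (written for this page, not the client's code or Aligned's): a weak `Set-Cookie` header beside its hardened form with the Secure, HttpOnly and SameSite flags, a small audit helper that reports which flags a header is missing, and a server-side session store that enforces absolute and idle expiry regardless of what the browser holds. The TTL values, cookie name and injectable clock are assumptions chosen for illustration.

```python
"""Session hardening: secure cookie flags plus server-side token expiration.

Uses only the standard library. Constants and the cookie name are assumed
values for this example.
"""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"   # assumed cookie name
ABSOLUTE_TTL = 8 * 3600      # assumed: session dies 8h after login, no matter what
IDLE_TTL = 30 * 60           # assumed: session dies after 30 min without a request


def weak_cookie_header(session_id):
    """Before: no flags. Sent over plain HTTP, readable by page scripts, sent cross-site."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    return c.output(header="").strip()


def hardened_cookie_header(session_id, max_age=ABSOLUTE_TTL):
    """After: Secure (HTTPS only), HttpOnly (no script access), SameSite=Lax, bounded lifetime."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    m = c[SESSION_COOKIE]
    m["secure"] = True
    m["httponly"] = True
    m["samesite"] = "Lax"
    m["path"] = "/"
    m["max-age"] = max_age
    return c.output(header="").strip()


def missing_cookie_flags(header):
    """Audit helper: parse a Set-Cookie value and list the protective flags it lacks."""
    c = SimpleCookie()
    c.load(header)
    m = c[SESSION_COOKIE]
    return [flag for flag in ("secure", "httponly", "samesite") if not m[flag]]


class SessionStore:
    """Server-side sessions: the token is an opaque random handle; expiry lives here,
    so a client keeping an old cookie gains nothing once the server-side record is gone."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for deterministic tests
        self._sessions = {}            # token -> {"user", "created", "last_seen"}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy; not derived from the user
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def resolve(self, token):
        """Return the user for a live token, or None (and drop the record) if it has expired."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["created"] > ABSOLUTE_TTL or now - rec["last_seen"] > IDLE_TTL:
            del self._sessions[token]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke(self, token):
        """Logout or forced invalidation: remove the record so the cookie is instantly useless."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print("weak:    ", weak_cookie_header(tok), "-> missing", missing_cookie_flags(weak_cookie_header(tok)))
    print("hardened:", hardened_cookie_header(tok), "-> missing", missing_cookie_flags(hardened_cookie_header(tok)))
```

The audit helper is the piece worth keeping around: run over the `Set-Cookie` headers a deployed application actually emits, it turns "we hardened sessions" into a check that can be repeated after every release.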

Value Delivered

The team came away knowing what it owned. Two previously undocumented platforms became a navigable map, and a sprawling, invisible risk surface became a prioritized, evidence-backed backlog leadership could plan and resource against. That is the kind of clarity that holds up in a customer security review or a diligence process.

  • Onboarding dropped from weeks to minutes. A single command brings up a production-parity environment, eliminating bespoke setup and “works on my machine” drift.
  • Secure defaults are now in place. Hardened sessions, server-side token expiration, and 64 secrets removed from source control shrink the blast radius of a compromise; the highest-risk injection paths and an unsafe file-access route are closed.
  • Releases are reproducible and scanned. Linting, static analysis, and image scanning run on every change, with traceable versioned artifacts replacing manual builds.
  • The integration layer is simpler and safer to extend, refactored behind a clean, testable interface.
  • A risk-driven modernization roadmap carries the work forward, sequencing the move off end-of-life technology and the remaining remediation by exposure rather than guesswork.

  • Legacy Modernization
  • Application Security
  • Reverse Engineering
  • Developer Productivity
