Many years ago, you got your first job and bought your first car. It was a reasonable price, sturdy, and you made sure always to wear your seatbelt and not to break the posted speed limit too badly. It did its job and served you well as you went to college and started your career.

Now, that car is quite old. The air conditioner broke three years ago and you just never got around to fixing it. It has a tape deck but no CD player, never mind an MP3 player. Every few months there’s another little problem that costs a little more money to keep it going. You couldn’t find a replacement for something that broke, so you superglued in a similar one from a different manufacturer. You hope no one notices that the passenger-side door doesn’t lock anymore.

On top of all that, you have three kids now. You can hardly fit them and their backpacks and lunchboxes into the car, and their safety in case of an accident is critical.

Face it, it’s time to give up and get a new car. No amount of TLC is going to keep that old thing running forever; the costs of trying to do so are growing. Newer cars, aside from trivialities like looking nicer, are much safer and have better mileage. There was nothing wrong with the decision to buy your old car at the time, but your needs have increased and time has inevitably worn it down.

The car’s make and model is Windows XP. Or IE6. Or whatever you’re running on your network, handling your critical data, that’s several upgrades behind because you don’t want to deal with the cost and effort of changing it. When you first set up the network, your website was a tiny fraction of its current size and you had far fewer applications to manage. It worked at the time. If you keep putting it off for too long, however, the ever-growing problems of keeping aging software systems on life support are going to surpass the pain you were avoiding. At some point, it will become an emergency.

Since software is abstract, we don’t really think of it as wearing down. After all, if I store a copy of a program on some long-term medium and come back in twenty years, the program itself will be exactly the same byte-for-byte. However, the context will have changed; software doesn’t run itself. Imagine finding a book written in Old English. You speak English, and so did the author, but English itself slowly changed. You would need to find a translator to rewrite the book for you if you hoped to understand it. Computing and networking have changed, are changing, and will be changing into the foreseeable future. We don’t run the internet on Commodore 64s, no matter how great a machine they were in their own context, and even though many thousands of them still work.

Plan on having to upgrade your systems at least every few years; take it into budget and time considerations before it’s a crisis. Each major release of Windows, to use an obvious example, has integrated the results of new research and innovation in application security to keep your users safer with less effort on your part. Sometimes, upgrading Windows isn’t trivial. Some internal application starts crashing and it’s easier, in the short term, to just stick with the setup you already have. In the meantime, you remain more prone to malware than you need to be, third-party vendors stop updating drivers for your aging OS, and the disaster clock is ticking. Allocate resources to begin the transition, even if it can’t be done immediately.
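Here is what “take it into budget before it’s a crisis” looks like in practice, as an added example that is not part of the original post: a small inventory check that compares each installed product against a support-lifecycle table and sorts out what is already unsupported, what will fall out of support within your budgeting lead time, and what nobody has a lifecycle date for at all (which is itself a finding). The inventory, the 18-month lead time, the product names and every support date except Windows XP’s (2014-04-08) and Windows 7’s (2020-01-14) are constructed for the example; a real table would be filled from the vendors’ lifecycle pages.

```python
"""Added example: triage an asset inventory by software end-of-support date.

Not code from the original post. The inventory and most lifecycle dates below
are constructed sample data so the example runs stand-alone and offline.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


# Support-lifecycle table keyed by (product, version). Only the Windows XP and
# Windows 7 dates are real end-of-extended-support dates; the other entries are
# placeholders invented for this example.
END_OF_SUPPORT = {
    ("Windows", "XP"): date(2014, 4, 8),      # real: XP extended support ended
    ("Windows", "7"): date(2020, 1, 14),      # real: Windows 7 extended support ended
    ("Internal CRM", "3.2"): date(2012, 6, 30),  # constructed placeholder
    ("Internal CRM", "4.0"): date(2016, 12, 31), # constructed placeholder
}

# Constructed inventory, as an asset-management export might look.
SAMPLE_INVENTORY = [
    Asset("ws-101", "Windows", "XP"),
    Asset("ws-102", "Windows", "7"),
    Asset("app-01", "Internal CRM", "3.2"),
    Asset("app-02", "Internal CRM", "4.0"),
    Asset("kiosk-7", "Legacy Badge Reader", "1.0"),  # not in the lifecycle table
]

# The post's publication date, used as the evaluation date in the usage below.
POST_DATE = date(2013, 2, 5)

# Default budgeting horizon: roughly 18 months of lead time for a migration.
DEFAULT_LEAD_TIME = timedelta(days=540)


def classify(asset, today, lead_time=DEFAULT_LEAD_TIME):
    """Return (status, end_of_support) for one asset.

    'unsupported': end of support is already past.
    'plan':        end of support falls within lead_time; budget the upgrade now.
    'ok':          end of support is further out than lead_time.
    'unknown':     no lifecycle data; treat as a gap to close, not as safe.
    """
    eos = END_OF_SUPPORT.get((asset.product, asset.version))
    if eos is None:
        return "unknown", None
    if eos <= today:
        return "unsupported", eos
    if eos - today <= lead_time:
        return "plan", eos
    return "ok", eos


def triage(assets, today, lead_time=DEFAULT_LEAD_TIME):
    """Classify every asset and return a list of (asset, status, eos) sorted
    most-urgent first: unsupported, then soonest end of support, then unknowns."""
    urgency = {"unsupported": 0, "plan": 1, "unknown": 2, "ok": 3}
    rows = [(a, *classify(a, today, lead_time)) for a in assets]
    rows.sort(key=lambda r: (urgency[r[1]], r[2] or date.max, r[0].host))
    return rows


def status_by_host(assets, today, lead_time=DEFAULT_LEAD_TIME):
    """Convenience view: {host: status} for the given evaluation date."""
    return {a.host: status for a, status, _ in triage(assets, today, lead_time)}


if __name__ == "__main__":
    for asset, status, eos in triage(SAMPLE_INVENTORY, POST_DATE):
        when = eos.isoformat() if eos else "no lifecycle data"
        print(f"{status:<12} {asset.host:<8} {asset.product} {asset.version} ({when})")
```

Run on the post’s own date, this puts the already-expired CRM first, flags the XP workstation as something to budget now (its end of support is about fourteen months out, inside the 18-month lead time), and surfaces the badge reader with no lifecycle data as a question to answer rather than a box to ignore. Feeding it a real asset export and a real lifecycle table is the whole point; the classification logic does not change.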

Don’t think I’m unfamiliar with the pain of upgrading. We just went through hell to get our compiling setup moved from Visual Studio 2005 to Visual Studio 2012, but it simply had to be done. It’s much better now; no more compatibility shims and odd crashes. Something which directly interacts with the internet is much more urgent, however, and many corporations are still using IE6 internally – which has VS2005 beat by several years. It’s so badly out of date that Microsoft has resorted to publicly celebrating the countdown to zero of its own product. IE7 is only slightly better. IE8 is kind of okay. You should be on IE9. You should be evaluating IE10. You should be investing in solutions based on standards so that you aren’t tied to the exact version of software you currently have. If your website only works in one major browser, it’s not a website, it’s a proprietary application on the train to Obsoletion Town.

Wash your hands, brush your teeth, upgrade your software within a reasonable timeframe – or I will come and beat you over the head with more heavy-handed analogies to deterioration.

About Melissa Elliott

Melissa Elliott is an application security researcher who has been writing loud opinions from a quiet corner of the Veracode office for two years and counting. She enjoys yelling about computers on Twitter and can be bribed with white chocolate mocha.

Comments (7)

xpclient | February 5, 2013 12:19 pm

Stop removing features, acknowledge these and fix them via hotfixes MS. It will only hurt more:

Windows 7 or 8 isn't bad for Grandmas though. Power users, no. Defending MS is going to hurt MS more. XP users will not upgrade unless these are fixed by hotfixes.

chort | February 5, 2013 12:51 pm

Hello xpclient, you seem to not understand software. It's OK, lots of people don't. However your assertion that removing features is bad and harmful is baseless.

Every feature is added complexity. It's more work to test it, more work to patch it, and exponentially more work when you start combining interaction between features. Software is adding features all the time, so the cost to support a feature isn't fixed, it increases every time you add more features.

All those extra interactions are difficult to model and test, which leads to bugs, some of which will be exploitable security flaws. Sometimes it's not possible to find a fix that allows two conflicting features to work, so the only options are to live with a known-insecure system, or remove a feature.

Removing features is actually a very good idea. It reduces complexity, or at least reduces the rate of increase in complexity. That avoids potential bugs and security flaws, and in most cases makes the system simpler to use.

If you want software where every single interface is exposed to tinker with, use Open Source and modify it yourself. Recognize that all the complexity you add will cause bugs and security flaws. Your freedom to use options & features no one else cares about shouldn't be a tax on everyone else who uses the software.

xpclient | February 5, 2013 12:19 pm

Hello chort. You seem to not understand the fundamental feature of computer software - that everyone uses PCs differently and that they should be customizable so users can work the way they want. Users should not have to adapt to software, it should be the other way round. You don't seem to understand backward compatibility nor how usability is broken when software abandons the backward compatible approach. This is what Microsoft is SUPPOSED to do. Never mind, it's beyond your understanding. You seem to have got *used to* accepting unacceptable design changes and actually endorsing the kind of bad UI changes and dumbing down done so the software is usable only by casual users, who use like 10% of its features. Telling power users to use open source is not only rude but mildly insulting. Not every power user wants to be a developer. So don't blame Microsoft's inability to understand how well-designed, backward compatible, customizable software can suit all kinds of users on me.

PatrickAk | February 5, 2013 5:43 pm

Xpclient, chort, both of you make some good points, BUT... there is a balance that has to be maintained, and not an easy one to find. The environment in and purposes for which we now use computers have changed dramatically since XP was introduced and will continue to change. Some of those features we have grown to hold dear can be serious security problems in today's heavily interconnected world. Others have just outlived their usefulness. While it has a nice feel to it, the idea of always maintaining backward compatibility while forever adding new features also means forever adding complexity. Complexity and security are *not* good friends, to put it mildly. Microsoft is trying to find that balance between keeping its users safe in what is now a very hostile network environment while at the same time still providing a reasonably good set of features. I think MS deserves to be cut a little slack here. It doesn't take much of having one's credit card accounts stolen or social media accounts hacked to think again about the need for a more secure system. Stick with XP and quite likely you will sooner or later find this out.

@secolive | February 6, 2013 3:10 am

50 years ago there were no speed limits down here so I was able to drive at 250kph. Or I would have been able to if I had had the car I have now. And if I had been born at that time.

But now we have speed limits and it is an intolerable regression in functionality. Never mind that there's more traffic causing roads to be inherently less safe and that speed limits are effective ways to improve security. Speed limits are probably ok for grandpas but I am a power driver and want to go faster.

To be fair I hate some of the UI changes in Windows 7 vs XP especially with the explorer or all the configuration things. But hey, no system is perfect, and, since Windows 98 SE, I have accepted that there is always some kind of annoyance tax that comes with using a computer.


linuxclient | February 6, 2013 8:30 am

"Telling power users to use open source is not only rude but mildly insulting."


solak | February 13, 2013 10:10 am
