February 5, 2013

Software Upgrade Hygiene: Stop Putting It Off, It Will Only Hurt More

Many years ago, you got your first job and bought your first car. It was a reasonable price, sturdy, and you made sure always to wear your seatbelt and not to break the posted speed limit too badly. It did its job and served you well as you went to college and started your career.

Now, that car is quite old. The air conditioner broke three years ago and you just never got around to fixing it. It has a tape deck but no CD player, never mind an MP3 player. Every few months there’s another little problem that costs a little more money to keep it going. You couldn’t find a replacement for something that broke, so you superglued in a similar one from a different manufacturer. You hope no one notices that the passenger-side door doesn’t lock anymore.

On top of all that, you have three kids now. You can hardly fit them and their backpacks and lunchboxes into the car, and their safety in case of an accident is critical.

Face it, it’s time to give up and get a new car. No amount of TLC is going to keep that old thing running forever; the costs of trying to do so are growing. Newer cars, aside from trivialities like looking nicer, are much safer and have better mileage. There was nothing wrong with the decision to buy your old car at the time, but your needs have increased and time has inevitably worn it down.

The car’s make and model is Windows XP. Or IE6. Or whatever you’re running on your network, handling your critical data, that’s several upgrades behind because you don’t want to deal with the cost and effort of changing it. When you first set up the network, your website was a tiny fraction of its current size and you had far fewer applications to manage. It worked at the time. If you keep putting it off for too long, however, the ever-growing problems of trying to keep aging software systems on life support are going to surpass the pain you were avoiding. At some point, it will become an emergency.

Since software is abstract, we don’t really think of it as wearing down. After all, if I store a copy of a program on some long-term medium and come back in twenty years, the program itself will be exactly the same byte-for-byte. However, the context will have changed; software doesn’t run itself. Imagine finding a book written in Old English. You speak English, and so did the author, but English itself slowly changed. You would need to find a translator to rewrite the book for you if you hoped to understand it. Computing and networking have changed, are changing, and will be changing into the foreseeable future. We don’t run the internet on Commodore 64s, no matter how great a machine they were in their own context, and even though many thousands of them still work.

Plan on having to upgrade your systems at least every few years; factor it into budget and time considerations before it’s a crisis. Each major release of Windows, to use an obvious example, has integrated the results of new research and innovation in application security to keep your users safer with less effort on your part. Sometimes, upgrading Windows isn’t trivial. Some internal application starts crashing and it’s easier, in the short term, to just stick with the setup you already have. In the meantime, you remain more prone to malware than you need to be, drivers for your aging OS stop being updated by third-party companies, and the disaster clock is ticking. Allocate resources to begin the transition, even if it can’t be done immediately.

Don’t think I’m unfamiliar with the pain of upgrading. We just went through hell to get our compiling setup moved from Visual Studio 2005 to Visual Studio 2012, but it simply had to be done. It’s much better now; no more compatibility shims and odd crashes. Something which directly interacts with the internet is much more urgent, however, and many corporations are still using IE6 internally – which has VS2005 beat by several years. It’s so badly out of date that Microsoft has resorted to publicly celebrating the countdown to zero of its own product. IE7 is only slightly better. IE8 is kind of okay. You should be on IE9. You should be evaluating IE10. You should be investing in solutions based on standards so that you aren’t tied to the exact version of software you currently have. If your website only works in one major browser, it’s not a website, it’s a proprietary application on the train to Obsoletion Town.

Wash your hands, brush your teeth, upgrade your software within a reasonable timeframe – or I will come and beat you over the head with more heavy-handed analogies to deterioration.

Melissa Elliott is an application security researcher who has been writing loud opinions from a quiet corner of the Veracode office for two years and counting. She enjoys yelling about computers on Twitter and can be bribed with white chocolate mocha.
