A Better Way to Do Software Lifecycle Management
You know what we don’t talk about enough in vulnerability management? The concept of lifecycle management. There’s this perception out there that we can’t do anything about end-of-life software. But we can – and there’s even a model that we can follow. Let me explain.
The Problem of Lifecycle Management
End-of-life software exists because software vendors don’t support software forever. That said, the major vendors don’t cut off support without warning – and while rules vary, the major ones all have them. Apple may not announce how long they intend to support a new version of software, but their general rule is that when they release a new operating system, they continue to support the two immediate predecessors and drop support for the third. And it’s not like when Apple releases a new operating system, it’s any surprise.
Microsoft’s rule of thumb is typically about 10 years. When there’s an exception, they almost always extend the support window. This is true not only of their operating systems, but also of Office and enterprise software like SQL Server. It pays to look it up, because some versions of SQL Server end up being supported longer, and Windows 8 ended up with a bit less. It’s generally Microsoft flops – like Windows 8 and Vista, which enterprises avoided anyway – that end up with a shorter support timeframe.
A Model of Lifecycle Management Planning
The United States Navy takes a lot of flak for running end-of-life Microsoft software. But they shouldn’t, because they’re doing it right, and they planned it that way from the beginning.
The Navy still has Windows XP and Server 2003 in use. I won’t get in trouble for telling you that, however, because they purchased extended support. They’re still getting updates, and they’re deploying them every month, with a success rate that would make the private sector jealous.
A retired Navy captain explained this to me when I was working in government contracting. The Navy rebuilds their ships every 20 years – and that includes the computer systems. So, when a ship comes in for its scheduled rebuild, it gets new computer hardware with the most current software. Figuring out how much extended support to purchase to run that operating system for two decades is built into the rebuild planning process. The Department of Defense is good about testing and deploying the current supported operating system in a rolling thunder process; it’s not like they were deploying Windows 7 systems in 2019 and getting stuck with buying 19 years of extended support.
Yes, extended support is expensive, but it’s a lot less expensive than shortening the ship’s lifecycle.
Other branches, which don’t have to deal with ships, deploy more aggressively. When a new version comes out, they start migrating to it. When I was an Air Force contractor, I actually had Vista on the computer on my desk. Part of their plan for migrating to an operating system includes their plan to migrate to its successor. That means they are rarely deploying an operating system that is five years old and halfway through its life expectancy. When a system reaches that age, it’s on its way out. While they can end up with some stragglers, those are isolated exceptions, not the rule.
Adapting the DoD Example
My recommendation for the private sector is to work off the expected 10-year lifecycle. We know that any given piece of software has a 10-year life expectancy. The replacement comes out sometime around the halfway point. So, if we take Windows Server 2016 as an example, its life expectancy is half over in 2021. That means 2021 is the time to stop deploying new Windows Server 2016 systems, and deploy the current version in its place, which would be Windows Server 2019. We have five years to replace the existing fleet of Windows Server 2016 systems with the newest viable version.
It’s much easier to manage the Windows Server 2016 end-of-life problem at the halfway point than it is when the product only has a year of support left.
Windows 10 will be a little bit harder, as its end-of-life is in October 2025 and Windows 11 isn’t out yet. But your plan for migrating to Windows 11 should ideally start in 2022, not 2024 or 2025. And you can absolutely be testing Windows 11 in your lab. The Microsoft Insider Program is intended to enable early testing.
Building Lifecycle Management into Your Software Procurement Process
Let’s say now in 2021 you’re buying a piece of software that runs on Windows Server and interfaces with Microsoft Office. It needs a server with both Windows Server and Microsoft Office. Write it into the contract that it’s going to be the current version of each, in this case the 2019 version. Far too frequently, the private sector gets stuck buying a system that has software with only a year or two of support remaining. We would make fun of the Navy if they deployed Windows 8.1 and Office 2013 today. But the dirty secret is that as you read this, someone somewhere in the private sector is deploying a brand-new system with those pieces of software on it. And someone elsewhere is finishing up negotiations to purchase that very same piece of software. Their deployment will be next week. And that system is going to spend its lifetime as a professional headache for both the IT and security teams in that organization.
There may be additional testing involved. It may cost more money. It may require talking to competitors. But in the long run, it’s cheaper than extended support. And it’s cheaper than dealing with more incidents.
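The halfway-point rule from the previous section and the procurement check described above are the same calculation applied to two inputs: a fleet inventory and a bill of materials for a new purchase. The script below is an added example, not the author's tooling. It classifies each product as deployable, migrate (past the halfway point, so no new deployments), urgent (under a year of support left) or end-of-life, then applies that to a constructed inventory and a constructed procurement list. The catalog dates are approximate and assumed for illustration; the one-year urgent window is also an assumption. Verify both against the vendor's published lifecycle information before planning around them.

```python
"""Lifecycle triage using the 'stop deploying at the halfway point' rule."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Product:
    name: str
    ga: date              # general availability: start of the support clock
    end_of_support: date  # last day fixes ship without an extended-support contract


# Constructed catalog. Dates are approximate and assumed for illustration;
# check the vendor's lifecycle page before using them for real planning.
CATALOG = {
    "Windows Server 2016": Product("Windows Server 2016", date(2016, 10, 15), date(2027, 1, 12)),
    "Windows Server 2019": Product("Windows Server 2019", date(2018, 11, 13), date(2029, 1, 9)),
    "Windows 10": Product("Windows 10", date(2015, 7, 29), date(2025, 10, 14)),
    "Windows 8.1": Product("Windows 8.1", date(2013, 10, 17), date(2023, 1, 10)),
    "Office 2013": Product("Office 2013", date(2013, 1, 9), date(2023, 4, 11)),
    "Office 2019": Product("Office 2019", date(2018, 9, 24), date(2025, 10, 14)),
}

# Assumed threshold: with under a year left, the upgrade becomes the fire drill the post describes.
URGENT_WINDOW = timedelta(days=365)


def halfway_point(product: Product) -> date:
    """Date at which half of the vendor's support window has elapsed."""
    return product.ga + (product.end_of_support - product.ga) // 2


def phase(product: Product, today: date) -> str:
    """Classify where a product sits in its lifecycle on a given date."""
    if today >= product.end_of_support:
        return "end-of-life"   # only purchased extended support keeps this patched
    if product.end_of_support - today <= URGENT_WINDOW:
        return "urgent"        # last-minute migration, hidden costs likely
    if today >= halfway_point(product):
        return "migrate"       # stop new deployments; replace the fleet over the remaining half
    return "deployable"        # fine to stand up new systems on it


def triage_fleet(inventory: dict, today: date) -> dict:
    """Group hosts by lifecycle phase. inventory maps hostname -> catalog product name."""
    buckets = {"deployable": [], "migrate": [], "urgent": [], "end-of-life": []}
    for host, product_name in sorted(inventory.items()):
        buckets[phase(CATALOG[product_name], today)].append(host)
    return buckets


def procurement_check(required: list, today: date) -> tuple:
    """A new purchase passes only if every platform dependency is still 'deployable'.

    Returns (ok, findings) where findings maps product -> (phase, halfway date).
    """
    findings = {}
    for product_name in required:
        product = CATALOG[product_name]
        findings[product_name] = (phase(product, today), halfway_point(product))
    ok = all(ph == "deployable" for ph, _ in findings.values())
    return ok, findings


if __name__ == "__main__":
    today = date(2021, 12, 1)  # constructed 'now', shortly after Server 2016's halfway point
    fleet = {  # constructed inventory
        "srv01": "Windows Server 2016",
        "srv02": "Windows Server 2019",
        "ws01": "Windows 8.1",
        "ws02": "Windows 10",
    }
    for bucket, hosts in triage_fleet(fleet, today).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")

    # The vendor's proposal versus what the contract should require.
    for label, deps in (("proposed", ["Windows 8.1", "Office 2013"]),
                        ("required", ["Windows Server 2019", "Office 2019"])):
        ok, findings = procurement_check(deps, today)
        print(f"{label}: {'accept' if ok else 'reject'}")
        for name, (ph, half) in findings.items():
            print(f"  {name}: {ph} (halfway point {half})")
```

Running it with the constructed inventory puts the Server 2016 host and the Windows 8.1 host in the migrate bucket and the Server 2019 host in deployable, and it rejects the proposed Windows 8.1 plus Office 2013 stack while accepting the 2019 versions. Swap the catalog for your own asset data and the triage output is a first draft of the five-year replacement schedule.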
The Benefit of Building the Process
For many organizations, retiring Windows XP and Server 2003 was a long project that took two to three years to complete, and on top of all that project management expense, it required buying extended support from Microsoft in the interim. For a large organization, the overall cost could easily reach seven figures – and when Windows 7 and Server 2008 R2 reached end-of-life, they had to do it all over again.
Building lifecycle management into the process has the potential to increase your costs in any given year – but it saves you that seven-figure surprise every decade. Given that last-minute upgrades almost always have something unexpected go wrong, the hidden costs can be even higher.
It can often require a culture change to implement this approach – but if your company is ready for it, you do have options. One was developed by an internationally known organization over the course of several decades, and your tax dollars helped pay for it. It would be a shame not to take advantage of it.