Why “If it ain’t broke…” needs to be abandoned
Before you read the rest of this, I want you to read this: https://www.us-cert.gov/sites/default/files/publications/AA20-133A_Top_10_Routinely_Exploited_Vulnerabilities_S508C.pdf
It’s not terribly long, or hard to read, but I want to note some things. First, out of ten listed items, four of them pertain to Office 2007. That’s over 13 years old, yet evidently, in widespread enough use to still be a problem. There’s items for Windows Vista on that list.
It’s not just Office. There’s people using Apache Struts versions that are three years old. The last version of Visual FoxPro was in 2007. Versions of Flash that are years old. Flash. One of the biggest security holes in the world, and people are a) still running it and b) running old versions. Over and over, and over…old software. not months old, but *years* old. Many years in some cases, and I guarantee you one of the justifications for this?
“It still works”
“It’s too much work to update”
There’s more, but you see the point. All of it tends to be driven by the “If it ain’t broke, don’t fix it” philosophy, which is usually driven by desires to reduce costs, either labor or fiscal. But does it work? Really? I have severe doubts that it ends up saving time. Because when you hang on to old software across that many years or decades, the cost to update, to move on, gets higher every year. I mean, I hope no one is still running critical software based on Visual Foxpro, but if they are, the cost premium to move that application, those applications off 13-year-old database software to something modern? Supported? It won’t be small. It’s never small.
And before I hear the “you don’t know…” nonsense start up, yeah Seymour, I do know. I know real well, I have since the mid 1990s. I’ve known since I moved from DOS to Windows to OS/2 to Windows. I’ve known since I moved from System 6 to System 7 to MacOS 8 to MacOS 9 to every version of OS X and macOS since. Solaris, ditto. AIX. OS/400. Linux. I’ve known on a loooot of platforms. In a lot of different industries. At a lot of different levels. I know, all too well.
But that’s part of IT, of tech. You have to stay current. Yes, that’s a pain. Y’all, I’ve been in the Mac ecosystem for a long time, I am well-aware of how people can expect that vendors support old versions of software forever for no cost whatsoever. But that can’t happen. Codebases have to be updated to stay current. That means moving on. It means accepting that even if it’s working correctly, you may have to change it, or “fix” it, or update it. Because if you don’t, you find yourself with ransomware. Or a dead server. Or network.
You have to stay current.
Part of not being “broke” has to include “up-to-date”. Even when that’s inconvenient, or expensive. And sometimes, that means having to move away from something that works well, and is easy to maintain. It means changing platforms. Sometimes it means moving from on-prem to cloud which is even more complicated, because now your security posture, your DR/BCP, your procedural stuff, all of it gets so much more complicated. Deployment gets easier with cloud-based software, sometimes, but other things get worse.
And yes, I get it. Sometimes, there’s stuff you have to stick with longer than you want. But there’s ways to manage that too. Virtualization is your friend there. Yes, that’s more complicated, but again, look at that list. Look at the shear number of years-old software. Sometimes decades-old. I have extreme, extreme doubts that none, or even most of the installs of Office 2007 are necessary, that there’s a hard reason that can’t be overcome.
This can’t continue. This isn’t a case of Company A’s network is completely disconnected from Company B’s like it was when I started in IT. With rare exception, every network is connected, on some level, to every other network. The cheese does not in fact, stand alone. As well, everything happens too fast for humans now. A ransomware attack, a DDOS attack, they happen far too fast for human reaction and response speed. A great example is the Maersk attack from a few years ago. There is no way for humans to respond at all to a modern attack, much less well. I don’t care how smart you are, you’re a human, you’ve evolved in a world where milliseconds are your speed limits. Meanwhile, the computing world is operating in nanoseconds. You’ve lost before you start.
You have to stay current.
If you don’t stay up to date, even with all the pain that can involve, you’re at risk. If you have customers, their data is at risk. If you’re a medical company in any way, that data is at risk. I’m not just talking about someone stealing the data either. What happens to a hospital when their entire EMR system is encrypted by ransomware that has no unlock key? Where you pay up and the thieves run off with their bitcoins and you’re screwed. Backups can help there, but if you’re not planning on how to do network-wide restores, that’s still a non-zero amount of time, and depending on your industry, even if there’s no data exfiltration, you still have a lot of explaining to do.
I am also aware that often, the software you use is based on multiple packages, and those vendors don’t always keep up to date, or vet the sources they use when building their software. Open source can be even more annoying, because “you have the source just build it yourself” is so often the refrain of lazy, well, assholes, who want the fun part of being a software vendor, the cool parts, but not the boring, dull grind that is support and updates to avoid problems.
“Just build it yourself” only works if you have the ability, time, and skills to do so. As well, if I’m going to do all the work to build and maintain software, why would I pay someone else to do it? There’s an economic downside to being an asshat here, people should stop. If my company is an auto repair shop, I’ll do your work for you for free when you show up and fix my customer’s cars for free and pay my rent. (Funny how no one ever takes up that offer. They get all “MY time has value” about it. Well Seymour, so does mine.)
Customer support, software support sucks. The economics, in most cases are awful. I read a while back that the third support call on a given piece of software effectively erases any profit made from that sale. Subscriptions may have changed this, but not by much. It’s tedious, but that’s part of the gig. Which means keeping all your stuff current, even that really cool framework you got from someone’s site. Which can be really hard when the person who made that framework decides “nah, i’m done” and punches out.
(There are many reasons why I am not convinced the “build your software from 49087435 remote distribution sites is as good as people think. The above is one of them. So is security.)
It’s even worse when you consider the lackadaisical approach to secure coding in CompSci/Coding Bootcamp programs. Too many effectively ignore it beyond trite warnings, a big chunk of the other have a token class or lecture on it. It’s treated like a bolt-on rather than an integral part of coding starting at the most basic levels. I sometimes think ethics gets taken more seriously.
But you can’t do anything about that. You can’t fix how the people writing your software were taught, how they view things. You have no power there, other than that of the checkbook (assuming you’re paying for your software.) If you do have a “I’m paying you money” relationship, then you have more power than you think. Don’t be an ass about it, but if you’re paying money, then I think you have a reasonable expectation that the company/person accepting your money will keep their stuff up to date so you can as well. But that does mean that when they update, you have to update too.
(No, not immediately. Did I say be stupid? No, I did not. But 13 years is not a reasonable amount of time to test an update.)
Ultimately, if you don’t want to be on the “list of companies that got hacked because of old stuff”, you have to stay current. There’s no other option.