Keep Calm and Update Your Software

Like (almost) everything in this world, a software package has a birthday and an eventual day when it kicks the bucket. Engineers use more sophisticated terms, like official release date and end of support date, but at the end of the day that's exactly what they mean. The average software life expectancy has recently decreased from a few years to a few months. It continues to shrink, even as more money is invested in the software industry. Some software packages live for only a few minutes or hours, some manage to reach preschool age, there are almost no teenagers and... IT'S AS CERTAIN AS DEATH AND TAXES!

Why do they release so frequently?

Dynamic, actively developed products are released often. Their vendors react in an agile and effective way to changing requirements and to technical and security challenges. The more frequently they release, the more mature and reliable the procedures that ensure final product quality become, and the less 'fear' there is in releasing. A frequent release strategy has a significant advantage: once it is in place, software vendors can offer SLAs (Service Level Agreements) that guarantee a critical security vulnerability will be fixed within hours.

A security vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product.

Contemporary software packages use, or depend on, dozens of third-party libraries and services developed and managed independently of the main product, usually by other companies or by the open source community. Each library has its own lifecycle, maintenance period and end of support date, as well as its own issue list, bugs and security vulnerabilities. Each library influences the overall stability and security of the product. It is therefore extremely important for software vendors to update the libraries their software uses frequently.

Last year, the widely used SSL encryption library OpenSSL was found to be vulnerable, causing a serious security issue for the majority of HTTPS services (including those hosted by banks). Many software products released a security update within a few days, protecting their users from a potential attack. Some still have not, even though the fix requires only a simple update of a dependent library.

Since its release in September 2016, XTRF 6.0 has had over 50 update releases addressing minor bugs and security improvements that reflect third-party library fixes.

A healthy company releases an update at least once a month and a new version of a product each year – at the very minimum.

Is my software slowly dying?

Using external libraries significantly decreases the cost of software development and maintenance. Despite this, keeping all the dependent libraries up to date is not free. The cost increases when a core library or technology needs to be upgraded: because of the close dependencies between the libraries and the application, source code modifications are required to properly use new functions in place of old ones.

XTRF 7.0 fully operates on Java 8.0, finally leaving the outdated Java 7.0 environment for security reasons.

Attempts at short-term savings on library upgrades only increase technological debt, which accumulates over time. Moreover, new functionality is built on old libraries, making a future upgrade even more complex and costly. After a few years the debt is so high that nobody is willing to pay it. The vendor then resorts to software make-up techniques to preserve an obsolete technology that should have been retired.

Core technology upgrades are expensive, so keep your eyes peeled for software vendors who try to keep you on a product based on outdated technology.

At this point, Java 7.0 usage is a non-starter, if only from a security perspective.

How often should I update?

Each software update requires an effort from the IT team and may potentially disrupt your business continuity. So the question of update frequency is almost as important as your vendor's release policy. Even though we want vendors to release often, we are not obligated to install every new release. To answer the question, the terms update and upgrade need to be defined more precisely.

Update – the replacement of a system with a new one containing bug fixes and minor quality improvements to functionality delivered previously in major releases. In the three-part numbering scheme (x.y.z) it is an increment of the last number, e.g. 3.4.1 to 3.4.2.

Upgrade – the replacement of a system with a new one containing new features and major functional improvements delivered in major releases. In the three-part numbering scheme (x.y.z) it is an increment of the digit in the 1st or 2nd position, e.g. 3.4.0 to 3.5.0 or 5.0.

System updates are usually very safe operations that do not require any changes to the IT infrastructure, and most users don't even notice the difference. It is strongly recommended to install the latest updates frequently. A good practice is to do so at least once a month, with the exception of critical security updates, which should be installed immediately. Software vendors usually send dedicated emails recommending an immediate update in such cases.

XTRF cloud software is automatically updated within one day of the official update release.

System upgrades are more challenging and require the involvement of all stakeholders. An upgrade includes changes to the system functionality, so users need to be informed upfront so they are not confused by the new system look and feel. The entire operation should be planned and communicated to all interested parties. Moreover, the upgrade may require IT infrastructure changes, including modification of custom configuration and integrated software. Larger organizations use staging environments that let users 'play' with new software versions, and they perform deep integration testing before the new version actually hits production.

So, how often should you upgrade? If you're waiting for a new feature of the newly released version, compare the cost of the upgrade with the potential benefits of the new functionality. If you are fine with the current version, you should still consider an upgrade once a year. Try not to exceed a two-year period. Upgrading 2 or 3 versions in one shot may cost you extra effort and may even be more costly than making smaller independent upgrades. In most cases, the two-year period is an absolute must to avoid staying on an outdated, unsupported version.
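As an added illustration (not from the original post, nor XTRF's own tooling) of the update/upgrade distinction and the cadence recommended above: a small Python policy check that classifies a version jump in the x.y.z scheme and applies the monthly, yearly and two-year rules. The 30/365/730-day thresholds, the ISO date inputs and the sample versions are my own assumptions.

```python
from datetime import date

# Thresholds are assumptions derived from the cadence described above.
MONTHLY_DAYS, YEARLY_DAYS, HARD_LIMIT_DAYS = 30, 365, 730


def parse_version(v):
    """Split 'x.y.z' (or 'x.y', 'x') into (major, minor, patch); missing parts count as 0."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify_release(current, latest):
    """'update' if only the patch number moved, 'upgrade' if major or minor moved, 'none' otherwise."""
    cur, new = parse_version(current), parse_version(latest)
    if new <= cur:
        return "none"
    if new[0] != cur[0] or new[1] != cur[1]:
        return "upgrade"
    return "update"


def recommend(current, latest, installed_on, today, critical=False):
    """Apply the cadence: critical updates now, updates monthly, upgrades yearly, never past two years.

    installed_on / today are ISO date strings, e.g. '2016-09-01'.
    """
    kind = classify_release(current, latest)
    age_days = (date.fromisoformat(today) - date.fromisoformat(installed_on)).days
    if kind == "none":
        return "up to date"
    if kind == "update":
        if critical:
            return "install immediately (critical security update)"
        return "install now (monthly cadence due)" if age_days >= MONTHLY_DAYS else "schedule within the month"
    # kind == "upgrade": the decision depends on how long the current version has been in place
    if age_days >= HARD_LIMIT_DAYS:
        return "upgrade overdue: more than two years on this version"
    if age_days >= YEARLY_DAYS:
        return "plan the upgrade: yearly review due"
    return "optional: weigh upgrade cost against new features"


if __name__ == "__main__":
    # Constructed sample inventory: (current, latest, installed_on, today, critical)
    for row in [("3.4.1", "3.4.2", "2016-12-01", "2017-01-10", True),
                ("3.4.0", "5.0", "2015-01-01", "2017-03-01", False)]:
        print(row[0], "->", row[1], ":", recommend(*row))
```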

Good luck with your updates and upgrades!

Dominik Radziszowski, PhD Eng.
Full stack IT analyst, technology visionary, cloud expert, solution architect, IT expert and auditor spanning the IT and business worlds, software localisation and internationalization practitioner. Architect, developer and IT team founder of XTRF Management System.