Technology in the modern era moves fast. Historically, new technologies emerged quickly as well, but novelty in the age of computing occurs in a matter of days, sometimes even minutes. Do you use the same computer or cell phone that you did five years ago? And how often do you run software updates or patches on your devices?
When you really start to think about the pace of invention in the modern computing era, you might recognize that hardware and software may only be in use for a limited period of time. Due to a variety of reasons, those tools will reach what is referred to as their end-of-life (EOL), at which point support and maintenance for the tool will no longer be maintained. When software reaches its end-of-life, you must determine whether to update to a newer version or replace it with an alternative that is actively supported.
If you choose not to update or replace your product at its end-of-life, your software may stop functioning without notice. Without maintenance updates, the product could introduce new vulnerabilities, bugs, and security risks into your software supply chain.
All these possibilities lead to one conclusion: pay close attention to your software's end-of-life provisions and ensure a process for maintenance or migration. Software tagged with an end-of-life finding can lead to security vulnerabilities in your technical stack. Identify risks owing to end-of-life findings and coordinate updates alongside your attack surface management and third-party risk management processes to limit your risk exposure due to end-of-life software.
How End-of-life Software Impacts Your Business
When new vulnerabilities are identified in a product impacted by an end-of-life software deprecation, there won't be a patch available to fix them. Those vulnerabilities will remain vulnerable, and hackers and other malicious actors may try to exploit these vulnerabilities to gain access to your system for nefarious purposes. Outdated software can introduce a backdoor into your system, which may result in data breaches like the WannaCry exploitation on Microsoft Windows systems. You can manage some risk mitigation through firewalls and anti-virus support, but those offer limited protection for ongoing vulnerabilities and unpatched bugs.
Relying on outdated software is not just an issue for cybersecurity. Your organization may risk data loss or bitrot during system migration. If your product is built with an outdated tool that only a few people know how to use, it becomes difficult to iterate and innovate your product. If those individuals move on to other projects, you might even lose access to your tooling. It may even be that no one is managing the system updates at all, so migrating off the EOL version could require more work than migrating off a more recent version. Your operating costs for technical support will likely increase as you try to manage software past its support lifecycle.
When software reaches its end-of-life date, it may become incompatible with other software that you use, or it could mean that your product cannot meet certain compliance regulations like PCI-DSS, HIPAA, and GDPR. Software incompatibility can cause potential data loss, and workloads may begin to strain against unpatched bugs.
Your customers' experience may also suffer from outdated software. Without maintenance to ensure that the outdated software continues working at its expected level, the apps built with that software may suffer from performance drops, loss of reliability, or unexpected downtime. Your system won't be patched with bug fixes or security updates. Because customers of cloud services rely on high uptime and self-service, it's crucial to keep your system available for users.
Experience UpGuard’s attack surface management features with this self-guided product tour >
Identifying Your End-of-life Software Risks
It is increasingly difficult to keep track of all release updates and end-of-life software dates, particularly for cloud services that are built with a variety of software tools. While you can review release notes and versioning information for all software manually to identify the product life cycle, that can be time-intensive and hard to keep track of. Manual evaluation is only possible with a complete asset inventory, which is likewise difficult to maintain if software is only periodically added to the inventory.
You can incorporate a scanning tool into your software ecosystem to automate the process so that you don't need to wade through the information manually in order to find out which version of the software is currently in use. For example, UpGuard BreachSight provides an automated scan of your public-facing assets, which can help you identify when certain software versions may be coming up to their end-of-life deprecation. Scanning tools help you track both the end-of-life deprecation date and the end-of-support (EOS) service date. External attack surface scanning solves the issue of maintaining asset inventory, as the automated scanning can identify products you may not have known were in use.
The United States government has released federal laws that regulate data security standards, including FISMA. FISMA 44 § 3551 defines Software Bill of Materials (SBOM) as "a formal record containing the details and supply chain relationships of various components used in building software." SBOMs have been further defined by the US government with Executive Order 140258, which sets out the standard category requirements for an SBOM: data fields with supplier information, automation support for specific data formats, and operational processes. You can learn about the details of your software ecosystem when you review the SBOM for any software vendors incorporated into your business practice. Some software providers will also publish an end of sale notice, after which that piece of software will no longer be available for purchase (even if it may remain in use).
Once you know how to identify software with an upcoming end-of-life cycle, you can plan your end-of-life mitigation process, whether by updating to a newer version, switching to a different tool, or phasing out that piece of software entirely.
Planning Your End-of-life Software Updates
To avoid exposing your software supply chain to new vulnerabilities that result from end-of-life deprecation, you can run a regular end-of-life assessment review to identify what software has recently reached its end-of-life or what might be coming up. Updating your EOL software ensures your system and any software dependencies maintain functionality.
Start by reviewing your inventory of IT assets, or creating one if you don't already have one. You might include the software's version number and any licensing information, such as the license expiration date, alongside the different operating systems in use for your system. Keep this inventory up-to-date so that you always know which software is in use across your organization.
With your software inventory in place, you can evaluate when software needs updating, whether due to security patches, compatibility updates, or the end of service notice. Run a regular end-of-life assessment to ensure that your system is up-to-date and that you remove apps that are no longer supported. Because different software providers maintain various EOL cycles and policies, you need to keep track of the supported duration for each provider and where they provide that data. You can use a software vulnerability scanner to identify known vulnerabilities, such as end-of-life software reminders. UpGuard BreachSight provides continuous monitoring for vulnerabilities, including EOL software notice.
When end-of-life software is identified, you can migrate to an updated version (if available) and deinstall the end-of-life version. Some software providers offer extended support for a brief duration following the EOL date, during which the product will receive security updates for longer than the typical EOL policy. If the software is being fully deprecated, be sure to export your data for migration to a new tool. Software migration can be a major project, so it is critical to detect upcoming EOL/EOS deprecation in advance of when the product will no longer be supported. To ensure that your system is protected, be sure to implement access control for updates and limit privileged access on the network to only those necessary tools and individuals.
If new risks are introduced due to an end-of-life software deprecation, you may need to incorporate vulnerability remediation into your end-of-life assessment so that you can ensure your system is fully protected from threat actors.
All of these activities can be part of your risk management process, whether in your attack surface management or your third-party risk management. As you coordinate processes with your procurement team (or, if you are the procurement team), make sure that you have a reliable vendor risk management process in place. If you're still considering your TRPM and VRM options, read on to understand how UpGuard can aid your software EOL mitigation needs.
Resolving End-of-Life Risk Findings
Before you can coordinate best practices for your organization's security plan, you need to know the full extent of external risks facing your organization but identifying these risks manually can be time-consuming and labor-intensive. You can conduct an asset inventory analysis across your operating systems, software stack, and subsequent dependencies. Use the asset inventory to identify software no longer in use that can be phased out, as well as any software in need of an update.
Troubleshooting errors and mitigating risk findings will go faster if you don't have to seek each one out yourself. As your business scales, it becomes more difficult to complete manual software lifecycle management and end-of-life updates. Streamline that process with an automated service that can identify needs for your software lifecycle management.
How UpGuard Can Help
With continuous monitoring in one platform, you can use UpGuard's scanning capabilities and automated risk detection to identify what software may create new risk exposures due to an upcoming end-of-life cycle. UpGuard collects data using non-intrusive techniques, identifies severity in accordance with the Common Vulnerability Scoring System (CVSS), and provides security ratings based on the data collected.
You can proactively review your Risk Profile and filter vulnerabilities in UpGuard BreachSight to examine your risk exposure in the platform. In UpGuard Vendor Risk, you can view vendor risk exposures by filtering the Portfolio Risk Profile. You can also interface with the UpGuard API to retrieve risks detected for your account or detected for vendors programmatically. These risk details are accessible both within the platform and via the command line, providing additional information for any given risk. You can use severity levels to triage areas for improvement.
UpGuard communicates end-of-life software with an End-of-life version of software detected finding, specifying which type of software in each individual risk. Current UpGuard users with the BreachSight feature can log in and access their Risk Profile to search for end-of-life software notices among their assets. If you're not a current UpGuard user and you want to scan your assets for end-of-life software notices, sign up for a trial.
