Maksim Kabakou - Fotolia

Get started Bring yourself up to speed with our introductory content.

What do end-of-software development dates mean for security?

Expert Kevin Beaver explains how organizations should address end-of-software development dates, and what they ultimately mean to enterprise security.

Our organization has a legacy F5 FirePass SSL VPN product that is approaching its end-of-life date. F5 Networks isn't ending technical support until 2019, but the "end-of-software development" date is October 2015. Does "end-of-software development" mean software patches won't be released after that date? Should we expedite our migration off of the platform as a result?

As traditional security products start to show their age, the end-of-life dilemma seems to be impacting enterprises more and more. And it's a real one, given what's at stake in terms of security. Still, that doesn't seem to change many people's ways, with Windows XP still running on about 12% of computers.

F5 Networks Inc. states on its website that "F5 maintains generous lifecycle policies that allow customers to enjoy many years of both support and new software releases." This is good -- until the patches stop coming. The way I understand it, that is indeed occurring this coming October. According to F5, its end-of-software development marks the end of the "regular support" phase and the beginning of the "extended support" phase, during which the development "has ceased considering the repair/maintenance of confirmed software/firmware defects for the designated platform or software release." In other words, you'll still get tech support, but any security flaws will likely not be addressed. Although, I have seen exceptions to this by vendors in the past, if the vulnerability is bad enough.

In my work performing vulnerability scans, penetration tests and product security assessments over the years, I've found that F5 products have minimal security vulnerabilities. A search for "FirePass" in the National Vulnerability Database reveals 18 flaws over the past decade, with none in the past couple of years. However you read that, it doesn't mean you can just ignore the problem. You need to consider what vulnerabilities might exist in the product -- as deployed in your environment -- at this point in time, which ones might crop up after October 2015 and any compensating controls you might be able to put in place. After careful consideration, you might find that it's simply time for an upgrade.

Ask the Expert:
Have a question about network security? Send it via email today. (All questions are anonymous.)

Next Steps

Learn how running end-of-life software can lead to compliance violations

Does end-of-life software pose a big threat to security?

How to create an end-of-life policy for mobile products in the enterprise

This was last published in August 2015

Dig Deeper on Secure software development