

What do end-of-software development dates mean for security?

Expert Kevin Beaver explains how organizations should address end-of-software development dates, and what they ultimately mean to enterprise security.

Our organization has a legacy F5 FirePass SSL VPN product that is approaching its end-of-life date. F5 Networks isn't ending technical support until 2019, but the "end-of-software development" date is October 2015. Does "end-of-software development" mean software patches won't be released after that date? Should we expedite our migration off of the platform as a result?

As traditional security products start to show their age, the end-of-life dilemma seems to be impacting enterprises more and more. And it's a real one, given what's at stake in terms of security. Still, that doesn't seem to change many people's ways, with Windows XP still running on about 12% of computers.

F5 Networks Inc. states on its website that "F5 maintains generous lifecycle policies that allow customers to enjoy many years of both support and new software releases." This is good -- until the patches stop coming. The way I understand it, that is indeed occurring this coming October. According to F5, its end-of-software development marks the end of the "regular support" phase and the beginning of the "extended support" phase, during which the development "has ceased considering the repair/maintenance of confirmed software/firmware defects for the designated platform or software release." In other words, you'll still get tech support, but any security flaws will likely not be addressed. That said, I have seen vendors make exceptions to this in the past when a vulnerability is bad enough.

In my work performing vulnerability scans, penetration tests and product security assessments over the years, I've found that F5 products have minimal security vulnerabilities. A search for "FirePass" in the National Vulnerability Database reveals 18 flaws over the past decade, with none in the past couple of years. However you read that, it doesn't mean you can just ignore the problem. You need to consider what vulnerabilities might exist in the product -- as deployed in your environment -- at this point in time, which ones might crop up after October 2015 and any compensating controls you might be able to put in place. After careful consideration, you might find that it's simply time for an upgrade.
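As an added example (not part of the original answer), the following Python script applies the lifecycle phases described above to a constructed set of records shaped like an NVD API 2.0 response, separating flaws the vendor would still have fixed from those disclosed after end-of-software development; the exact end-of-technical-support day, the CVSS cutoff and the placeholder CVE ids are assumptions.

```python
from datetime import date

# Lifecycle dates from the question. The page gives only "2019" for the end of
# technical support, so that exact day is an assumption, as is the CVSS cutoff.
END_OF_SOFTWARE_DEVELOPMENT = date(2015, 10, 1)
END_OF_TECHNICAL_SUPPORT = date(2019, 1, 1)
HIGH_SEVERITY = 7.0

# Constructed sample shaped like an NVD API 2.0 response; the CVE ids are placeholders.
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-XXXX-0001", "published": "2014-05-01T00:00:00.000",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]}}},
    {"cve": {"id": "CVE-XXXX-0002", "published": "2016-03-15T00:00:00.000",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-XXXX-0003", "published": "2018-07-01T00:00:00.000", "metrics": {}}},
]}

def lifecycle_phase(on: date) -> str:
    """Map a date onto the three support phases described in the answer."""
    if on < END_OF_SOFTWARE_DEVELOPMENT:
        return "regular support"    # confirmed defects, security flaws included, get fixed
    if on < END_OF_TECHNICAL_SUPPORT:
        return "extended support"   # tech support continues, defect fixes do not
    return "unsupported"

def parse_nvd(payload: dict) -> list[tuple[str, date, float]]:
    """Return (id, publish date, CVSS v3.1 base score) per record; missing score -> 0.0."""
    out = []
    for item in payload["vulnerabilities"]:
        cve = item["cve"]
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        score = v31[0]["cvssData"]["baseScore"] if v31 else 0.0
        out.append((cve["id"], date.fromisoformat(cve["published"][:10]), score))
    return out

def assess(payload: dict, today_iso: str) -> dict:
    """Split flaws the vendor would have fixed from those disclosed after fixes stopped."""
    today = date.fromisoformat(today_iso)
    known = [f for f in parse_nvd(payload) if f[1] <= today]   # only what is public by today
    stranded = [f for f in known if f[1] >= END_OF_SOFTWARE_DEVELOPMENT]
    return {
        "phase": lifecycle_phase(today),
        "fixable": [cve for cve, pub, _ in known if pub < END_OF_SOFTWARE_DEVELOPMENT],
        "stranded": [cve for cve, _, _ in stranded],
        "needs_compensating_control": [cve for cve, _, s in stranded if s >= HIGH_SEVERITY],
        "days_to_end_of_support": (END_OF_TECHNICAL_SUPPORT - today).days,
    }
```

Running `assess(SAMPLE_NVD, "2017-01-01")` lands in the extended-support phase and lists the constructed 9.8-score flaw as stranded, which is exactly the case where a compensating control or an expedited migration has to be decided.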



This was last published in August 2015



Have you run software past its end of life date?
Yes and still do. There are some apps and programs I like that just will not run on newer platforms. I still have a Win98 and an XP machine that I still use occasionally.
Wow, I'm not alone. I also keep WinXP PC. I even have a DosBox utility to run old MS-DOS programs.
With Microsoft announcing the end of life for IE 8, 9 and 10 on Jan 12th of this year, there will be millions of us using outdated software.
Sometimes it just has to be that way because of old legacy code that cannot be updated easily without an entire re-write.
Whether it's hardware or software, companies must be on guard for products that are being replaced. The answer I believe is not necessarily that everything needs to be retired when that happens. A good process in place should evaluate what software does, where it could be vulnerable and determine if that risk of patching no longer being available increases that risk. There are some environments where I think keeping even an old system in place can be mitigated to an extent.
If something has reached its end of life / end of cycle, then there must be a reason beside just not being supported. There may be performance improvements, enhanced security or other features you may want to take advantage of. It's time to move on unless you want to remain stagnant.
The fact is that many companies, expiration dates notwithstanding, will very likely keep old systems running as long as a critical app is viable. It's only when the system has been completely replaced and all users updated that those systems really go away. As someone who has recently gone through the challenge of updating a system to a newer stack, and seen first hand how much work goes into it, I am not surprised that systems remain online for years to keep being productive long after updates for those systems cease.
We still have some very old apps running. They do not need any new features so we leave them. If we had the luxury of more free time, maybe they would get upgraded but until then we still have some outdated apps.