Examining the Risks of Running Unsupported Software

How do you secure critical business software when no patch is coming?

There are a lot of reasons for businesses to run software that is no longer supported by the OEM, despite the fact that running unsupported software, also commonly called end of support (EOS) software, has undeniable risks.

But at the end of the day, is the standard operating procedure – waiting for something to break, then for the OEM to develop and roll out a patch – that much more secure?

Misconfiguration risks of unsupported software

It’s important to remember that no computer system is perfectly securable. Even technologies with well-deserved security reputations, such as IBM® Z mainframes or advanced encryption protocols, can still be misused and improperly accessed under certain circumstances.

Attackers constantly attempt to take advantage of those circumstances while enterprises attempt to reduce the number of incidents. This is the high-level idea behind best practices like attack surface reduction.

But with legacy and unsupported software, the idea of an attack surface isn’t exactly the same.

In 2022, more than 4 out of 5 cyberattacks worldwide involved misconfiguration – preventable mistakes and oversights that often start early in a product’s lifecycle and can go unnoticed for years by the primary user or an attacker. Misconfiguration becomes an even higher hurdle to clear when legacy HCL® and IBM® applications are part of the security conversation, because they typically need extra consideration to keep running within a modernizing technology estate.

Misconfiguration can be mitigated without any need for code-level changes such as software patches. Indeed, some of the highest-impact vulnerabilities to hit the headlines in the past five years have been directly addressed through user-initiated changes. That includes flaws in open-source components that large software OEMs routinely embed in their offerings, such as the ubiquitous Apache logging library Log4j. If most cybersecurity issues come from preventable or locally fixable errors, why is legacy software considered unsuitable for use just because it won’t receive another patch from the OEM?

Looking at the other side of allegedly unsupported software

In some cases, a business might think a use case is so small or disconnected from nominal business processes that using unsupported software isn’t a risk. In others, companies only find out they’re noncompliant or unsupported when adverse outcomes like cyberattacks or external security audits occur; for example, they might assume they’re supported under a given configuration profile until they take a deeper look as a response to an audit notice.

Make no mistake. If EOS software is part of your estate, securing it must be a part of your technology planning.

But that also means many EOS software implementations can be secured and hardened without the need for the OEM’s direct intervention. Even if the software can’t be patched, a combination of predictive intelligence and forward-thinking practice can reduce any potential security risk to an acceptable, manageable level, since risk can never be zero.

Reduce unsupported software risk with third-party software maintenance

Businesses choose to keep using their unsupported/EOS software for a reason. Maybe employees understand the current product and its quirks better than newer offerings on the market. Maybe the software supports critical processes and can’t be easily replaced, such as a mainframe-based solution powering a utility provider’s billing and delivery systems or keeping track of a global bank’s transactions. Or maybe the company simply saves a significant amount of money by keeping certain parts of the infrastructure on legacy technology and modernizing the rest, a perfectly viable motivation at a time when large parts of the enterprise are reconsidering their heavy investments in public and even hybrid cloud technology.

Independent third-party software maintenance (TPSM) providers help companies keep their current software investments secure by deploying a tailored, multilayered cybersecurity approach that suits the user’s highly individual technology context. That includes measures, informed and maintained by threat intelligence and expert engineering insight, that restrict unnecessary access and proactively seal off insecure points of access before they contribute to adverse outcomes.

As Origina Head of Security Services Benjamin Lipczynski says in “Effective Cybersecurity Strategies: Going Beyond Patch Management,” independent support providers excel at keeping the business secure in its current context. While some business stakeholders might think updating is a fast way to achieve the desired level of security and support, changing versions often introduces new vulnerabilities into the equation.

If your approach to legacy security focuses on reaction instead of prevention, you’re setting some of the most trusted and important parts of your infrastructure up for poor cybersecurity outcomes. Watch the webinar and see what three seasoned business technology experts say about the need for a new outlook.

Learn viable strategies to keep long-serving software secure in “Effective Cybersecurity Strategies: Going Beyond Patch Management,” our latest on-demand webinar.
