I advocate that we should get a long life from our database platforms. In fact, I like to think about a 7-10 year lifetime for many of my database instances. That means I’ll get beyond the 5 year lifetime that Microsoft provides and move into the extended support. Actually, for most of my career, I’ve run instances without support and haven’t had issues. We invest a lot in databases, and I want companies to invest a lot because they are important. That means I need a good payback.
Microsoft should provide security patches for products throughout the Extended Support period, which means that I should be able to run SQL Server and Windows securely for 10 years. That probably stretches the lifetime, but it certainly gives me time after five years to begin planning and prepping for an upgrade.
The problems for many customers come when other vendors don’t bother to keep supporting older software and providing patches. Even if Microsoft releases a security fix for your OS, the vendor that makes software you run on top of Windows or SQL Server might not. That’s an issue, and it’s one that will become more of an issue as companies become reluctant to change software that works well.
This article shows that older ATM machines running XP and Windows 7 are having issues. Some of this is physical access, but some is related to issues in the OS. While Windows 7 should be getting patches, Windows XP is not and needs to be upgraded. In fact, I’d argue that any losses here should be borne by ATM owners and not covered by insurance, because they didn't upgrade their systems.
While I like to get as much time as I can from a system, it’s irresponsible to expect software to run without security patches being actively applied, which includes any upgrades from vendors. In some cases, this might be negligent on the part of the companies doing so, especially for embedded systems. I don’t know that I want governments to force vendors to provide patches, but I’d like companies to write contracts that ensure that patches will exist for some lifetime of the products. In the event the vendor can’t provide patches (or certification), they’d need to release their code as open source so that someone else can provide a patch.
The world becomes more intertwined and dependent on computing, from convenience services to core systems. We can’t have those systems becoming more vulnerable because companies are unwilling to upgrade and vendors abandon older software. Some sort of compromise is needed to ensure that computer systems are protected from known vulnerabilities.