12 May 2019
For the following text, let us assume that we created a fictional application named Our Awesome App (OAA) on the basis of the Microsoft technology stack. OOA runs on top of the Windows 2008 R2 Server OS. Microsoft stops the support for this version in January 2020, thus we may have some migrations to do.
What is application lifecycle management?
“Application lifecycle management (ALM) is a continuous process of managing the life of an application through governance, development and maintenance.”(1)
I prefer this brief definition of ALM of 2010 although the current Wikipedia definition(2) is more comprehensive.
It is the restriction to applications that creates the trouble in both definitions because applications are bound to a Web or Technology Stack.(3)
Each product in the technology stack has a life cycle, usually independent of the life cycle of the other layers and of OAA. With this, application life cycle management cannot be considered independently from the technology stack. Even if no development takes place on the application layer, changes in the technology stack might demand changes in the application.
Usually, ALM deals with Layers 1 to 4 of the technology stack. Neither the database nor the server is in focus of ALM. For the LAMP (Linux, Apache, MySQL, PHP) stack, this creates no big trouble because the middleware (Apache) and the database (MySQL) are largely immune to changes in the Linux OS.
Microsoft Technology Stack
But in the case of OAA we face some trouble because the Internet Information Server (IIS 7.5) is a component of the Windows 2008 R2 Server OS. A change in the server OS might have a great impact on the application.
What’s the trouble with the Windows 2008 R2 Server end of life?
Every day new vulnerabilities in IT products are published. All layers in the technology stack are impacted. The Windows update service takes care that newly detected vulnerabilities on layers 2 – 5 are automatically patched because we built OAA on top of the Microsoft technology stack. So, the application manager has to deal only with vulnerabilities in OAA.
Microsoft provides no longer patches once a product goes beyond the end of its life. But new vulnerabilities for such products are still discovered and published. This increases the number of unpatched vulnerabilities on the server and middleware layer. With this, the security level of the whole network is lowered because unpatched Windows systems facilitate, in the worst case, the propagation of malware like WannaCry or NotPetya.
What’s the trouble with application life cycle management?
ALM is a tedious and costly task. Getting ALM right requires continuous study of the life cycle of all products on the technology stack and continuous planning, development, integration and testing across all layers of the application stack. Therefore, application managers care often only of the first layer. Developers are responsible for the second, the third and to some extend also for the fourth layer. Someone from IT operations takes care of layers 4 to 6, but no one cares of the entire technology stack.
Eventually, someone realises that some hundred Windows 2008 R2 Servers are still in operation, and only few months left for migration. Migration of applications including the middleware is a lengthy process. Thus, it is obvious to spend some money for extended support, just to buy time to get the migrations done.
What are the costs for extended support?
For the following calculation, let us assume that 20 Windows 2008 R2 servers running the Datacenter Edition and 400 servers running the Standard Edition are still in use. The price for extended on-premise support is at 75% annually of the full license price of the latest Windows server version, provided either software assurance or a subscription is available.(4) Let us assume that the IT team works hard on the migrations and the number of servers to go is reduced every year.
A brief sample calculation based on the regular price sheet(5) shows that a large amount of money is spent just for some security patches.
Sample Windows 2008 Server Extended Support Calculation
It is very important to note that these expenses are unplanned costs. They reduce the company’s earnings. Fortunately, this cost can be avoided if ALM is extended to the whole technology stack.
How to tackle the application life cycle management challenge?
(1) Move the accountability for ALM to the board.
The board is accountable for revenues and earnings. Since unplanned expenses for ALM lower the earnings the CFO should take control.
(2) Embed ALM in your daily business.
ALM is no project. It is a continuous activity that requires coordinated planning across all stakeholders in the business and IT groups. The application development budget should be extended to cover cost caused by changes in the technology stack.
(3) Start early, at least 2 years before the end of life of a product.
Minimize down times to keep the users happy.
(4) Set up and maintain an asset repository.
The asset repository should provide details on the technology stack of each application and the interfaces between applications. Is the repository up-to-date it takes only few minutes to become an idea of the effort related with the next life cycle change.
(5) Develop a concept for applications that cannot be migrated.
In some application areas, such as manufacturing, it is often not possible to migrate to newer versions in due time, for example due to technical restrictions by the vendor. For these applications, concepts must be developed to ensure secure operations beyond the end of life of tech stack components.
(6) Develop an application design guide to simplify ALM and security operations.
Applications should be developed such that they are to a large extent immune against changes in the technology stack. Procurement should take care that off-the-shelf solutions comply to the guidelines.
(7) Foster the change towards DevOps in the IT organisation.
DevOps teams should be responsible for the entire technology stack. At least the testing process should be automated. This will speed-up the roll out of security patches as well.
By the way, Microsoft announced the end of life of Windows 2012 R2 Server for 2023. This change will also affect the whole technology stack, thus start at least in 2021 with preparations.
Have a great week.