Why is it so important to use up-to-date software versions?
Using outdated software versions may bring severe consequences to a product, from security problems to increased complexity in its maintenance/evolution. This article will explain how software versioning works and how we can avoid these problems.
Understanding the life cycle
Most software we use every day has some sort of life cycle. From operating systems like Android, iOS, and Windows to smaller components and libraries that compose our applications.
The life cycle is important for evolving software and applications, that means, life cycles provide the ability to add new features and make architectural changes in applications, following the market’s new technologies and trends.
This information is usually available on the releases page of any given application/library/framework. Let’s take for example the Django Framework:
Understanding Semantic Versioning
To navigate in the software development world, we need to understand the most commonly used versioning guideline: Semantic Versioning. Quoting from the official website:
Given a version number MAJOR.MINOR.PATCH, increment the:
1. MAJOR version when you make incompatible API changes,
2. MINOR version when you add functionality in a backwards compatible manner, and
3. PATCH version when you make backwards compatible bug fixes.
Let’s take a look at some examples of what this means in practice:
- Given we have a current version of 2.8.1
- If we update it to 2.8.2, this means we fixed something and backward compatibility is maintained.
- If we update it to 2.9.0, this means there are new features available and they are compatible with the older features (meaning: it shouldn’t break anything)
- If we update it to 3.0.0, this means we have new features and bug fixes, but also breaking changes, which are changes not compatible with the previous version.
In our day-to-day, we need to keep an eye out when updating versions to avoid having problems with breaking changes (explained below).
Dealing with Breaking Changes
Over the life cycle of a given piece of software, there will be times when an update will no longer have compatibility with previous versions, which requires the end user to make adjustments in order to update to newer versions.
From the maintainer's standpoint, backward compatibility is a quite challenging and complex problem. This way, but choosing to drop compatibility with previous versions, maintainers will have more freedom and capacity to create new features and enhancements, without worrying about legacy parts of the code. An excellent example of this is React’s Versioning Policies.
Long-term support (LTS)
Long-term support is a period in the software life cycle where the maintainers will continue working actively on the product, making improvements and bug fixes.
If a critical problem is found in an LTS version, it is expected that the issue will be fixed by the maintainers with a new version.
Using Django’s life cycle as an example we can see that version 2.2 will have support until the beginning of 2022. After that, the new LTS version will be 3.2. Having this in mind is crucial for planning our own updates, especially when the new version contains breaking changes.
How different software components relate to each other
It is interesting to note that many software components will be related in some way. Let’s take python 2 as an example, which has been completely discontinued in January 2020.
This means that even if security problems are found in python 2, these problems will not be fixed. This is why it is so important to update to the LTS versions as soon as possible.
As soon as python 2 was discontinued, many python libraries like Django and Flask started dropping support for Python 2, along with many other libraries.
Note the “cascade effect”: if you are using a library in a version that is no longer in LTS, all related/depending libraries will also drop support for that.
What happens if I don’t update?
As we can see cvedetails (security vulnerability data source), new problems may be found at any time.
Given that, if we are using an outdated software version that is no longer in Long-term support, we will not have an available patch to fix the security vulnerabilities.
We might have the option to update to a newer version, but if there are breaking changes, this will make it a lot harder to update to the newer versions, as we have to adapt some parts of our own software before updating.
Case study: Log4j vulnerability in 2021
It can get a little abstract to speak about the importance of using up-to-date software versions looking only to the future. For that reason, let’s take a look at a recent case:
In December 2021, a severe security vulnerability was found in Log4j, a logging tool for Java. This vulnerability allowed access to a remote server, simply injecting a command in the forms, headers, or URLs.
The Elastic Stack was quite affected by this vulnerability and on this page https://www.elastic.co/support/eol, we can see which versions no longer offer support. Note that:
Versions 7.x are the newest versions with active support, so they will be updated accordingly. Version 6.8.x had support until 2022, so in December of 2021, it still had updates.
This means that any person using older versions like 5.x will have a lot of work to update: they’ll first have to make adjustments for the breaking changes, then update to 7.x, where the fix is available. That’s a lot of work.
Speaking of a critical security vulnerability, there is very little time to lose, so the best scenario is to always be using up-to-date versions to be able to quickly update and be secure.
Other references
OWASP is an organization that works to map the main security vulnerabilities in the web and make them available for all the software development community, which ensures we’ll be all building secure software.
The project “Owasp Top 10” maps the 10 principal security vulnerabilities and item #6 of the list speaks directly to the fact that using outdated components is a security risk. Check the full list at:
