There’s a saying in project management that been attributed to Jack Bergman, “there’s never enough time to do it right the first time, but there’s time to dot it over.” Sadly, many leaders and organizations appear to operate by this maxim.
According to a report by ZDNet, somewhere between 200,000 and 240,000 online stores running Adobe’s Magento v1.x technology will reach end of life in June 2020.
Why is this a problem? Well, when a vendor solution gets to End of Life (EOL), it no longer gets any code fixes or other support. And given that eCommerce sites are notoriously attractive to attackers, it behooves store owners to be able to patch their sites quickly when issues are identified.
All these sites pose an attractive attack surface as they are, today. Once Magento 1.x goes EOL in June 2020, they’ll be even more attractive to hackers, who will focus more efforts in finding bugs in the 1.x branch, knowing the Magento team won’t be around to fix them.
While I am not generally an Adobe fan, I see no reason to blame them in this particular scenario. They introduced version 2.0 of the Magento platform way back in 2015. While it is true that at the time, there were disincentives to upgrading because the substantial architectural changes between versions 1.x and 2.0 would have resulted in extended downtime for online merchants and their customers, that was four years ago.
Online merchants have had more than enough time between 2015 and today to plan for a migration to a safer, and in this case, a more customizable platform, yet they have overwhelmingly chosen not to do so.
Now, they have less than 7 months to both plan and implement such a change, or it will be a matter of time before a vulnerability is found in the old version of the platform for which Adobe will not be providing a fix.
So many organizations fail to see that while regular maintenance is somewhat annoying in its frequency and requirements, the costs associated with delaying or ignoring maintenance activities are much worse.
In some cases, organizations stick to favored version of their software for so long that by the time they are “ready” to move, there is no simple or straightforward migration path from the version they are running, to the currently supported versions. In other cases, there are so many changes between the versions in question that it represents a massive retraining effort for their staff or users.
The Magento platform is a very popular one for eCommerce, so it is to be expected that there will be a lot of probing of that platform for vulnerabilities the moment Adobe says that the End of Life date has arrived.
Online merchants need to plan now, and execute soon, so that they do not end up having to move under duress.
And they, like other users of technology, need to get into a ritual of regular maintenance updates. Yes, we live at a time where someone is updating something every day (yes, mobile app vendors, I’m looking at you). I’m not suggesting that we need to roll out every single change that arrives, as soon as it arrives. There is a middle ground: I am suggesting that each person, and each organization, needs to develop a regular cadence for maintenance activities in the technology realm, and address them consistently according to that cadence.
Anything else is just delaying the inevitable, and if you think it is a problem to have to patch your systems and applications on a regular basic, consider the problem of recovering from a breach which was based on code you did not update in a timely manner…