RE: RE: Why are legacy apps forgotten?

Last Update: 23.11.2018. By Jens in Newsletter

Let’s see if I can finish my thoughts on this today. I am a bit distracted, so bear with me.

In apps still under development, the dev team could declare version upgrades as mandatory, either at a specific interval or on published security flaws (plus an evaluation of whether your app is at risk). As long as they are minor version upgrades without big changes, one can count that under refactoring time. And in the worst case, aka biz doesn’t care, just hide it in other estimations.

The problems often come with a major upgrade which breaks things. This involves more work and we need a go from the product owner, biz responsible or whatever that is called at your place. Here you need to tune out of the tech jargon, explain the problem in plain language and show the risk and dangers to the business. Now, both of your gut feelings are combined and after a risk assessment, you either upgrade or not. If your industry is under high regulation, this might benefit your point. For example, if sensitive data are at risk, the fines of GDPR might be convincing enough. The first penalty in Germany was given yesterday: 20k Euro for a leak of ~2k users - email and clear text password - for a chat system. They got hacked, so it might have been a security issue. And no, the clear text password was stored for another feature; it was hashed for login.

Anyways, your best cards for discussing those issues are regulations or reputation damage - like an insurance company losing patient data.

Sounds easy if the people discuss such topics and do the assessment. So, why don’t they do them?

A couple of reasons I can think of:

  • tech vs biz jargon, culture, etc
  • devs don’t care
  • devs lack skills
  • built under deadline with external consultants who will never maintain the app
  • devs are afraid to change anything in the code base (like spaghetti-code or spaghetti-microservices)
  • development stopped but app still running
  • niche part of the business, nobody cares as long as it is working

Of some apps I knew, their lifetime looked like:

  1. external devs hired to develop the app
  2. development with a tight deadline
  3. going live
  4. rushed handover to internal devs as the externals are expensive
  5. docs missing or bad
  6. many bugfixes in the beginning, and after some time maintenance is reduced
  7. eventually reduces to a single dev doing occasional maintenance
  8. single dev quits
  9. hire a new dev, but nobody knows the app anymore
  10. new dev won’t change anything more than necessary because of fear and/or budget

Not to speak about the biz side, it is the same and the planning is often very short term. Yet, that’s no excuse for not trying. So, address these security vulnerabilities and upgrade issues early on. And remember to talk the language of the person you are talking to :-)
