Identify unused applications on an ad hoc basis, either through chance observation or through occasional reviews. When you identify unused applications, process those findings for further action. If you have established a formal process for decommissioning unused applications, ensure teams are aware of it and use it.
Manage customer/user migration from older versions of your products for each product and customer/user group. When a product version is no longer in use by any customer/user group, discontinue support for that version. However, at this level of maturity you may have a large number of product versions in active use across the customer/user base, requiring significant developer effort to back-port product fixes.
This is the official guidance provided by the OWASP SAMM Team.
This guidance is based on the approved community submissions.
As part of decommissioning a system, application, or service, follow an established process for removing all relevant accounts, firewall rules, data, etc. from the operational environment. By removing these unused elements from configuration files, you improve the maintainability of infrastructure-as-code resources.
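The removal step described above can be verified mechanically when the operational environment is described as infrastructure-as-code. The following is an added example, not OWASP SAMM's own code: it assumes a simplified inventory in which every resource (account, firewall rule, data store) carries a `service` tag and firewall rules list the services they allow traffic to, and it reports everything still owned by or pointing at a decommissioned service, then prunes it. The inventory, service names and resource kinds are constructed for illustration.

```python
"""Decommissioning residue check for an infrastructure-as-code inventory.

Added example (not OWASP SAMM code). Assumes each resource carries a `service`
tag and that rules referencing other services list them in `refs`.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str            # "account", "firewall_rule", "data_store", ...
    name: str
    service: str         # service tag the resource belongs to
    refs: tuple = ()     # other services this resource points at (firewall targets etc.)


# Constructed sample inventory: the "billing" service is being decommissioned.
INVENTORY = [
    Resource("account", "svc-billing-app", "billing"),
    Resource("account", "svc-billing-db", "billing"),
    Resource("data_store", "billing-archive", "billing"),
    Resource("firewall_rule", "allow-web-to-billing", "web", refs=("billing",)),
    Resource("firewall_rule", "allow-web-to-all", "web", refs=("billing", "search")),
    Resource("account", "svc-web-app", "web"),
]


def find_residue(inventory, decommissioned):
    """Return what must still be removed: resources owned by the retired service,
    and resources of other services that still reference it."""
    owned = [r for r in inventory if r.service == decommissioned]
    dangling = [r for r in inventory
                if r.service != decommissioned and decommissioned in r.refs]
    return {"owned": owned, "dangling_references": dangling}


def apply_removal(inventory, decommissioned):
    """Return a new inventory with the retired service's resources dropped and
    references to it pruned. A firewall rule whose only target was the retired
    service is dropped as well; a rule with other targets keeps the rest."""
    cleaned = []
    for r in inventory:
        if r.service == decommissioned:
            continue                                  # owned by retired service
        if decommissioned in r.refs:
            remaining = tuple(x for x in r.refs if x != decommissioned)
            if r.kind == "firewall_rule" and not remaining:
                continue                              # rule now allows nothing useful
            r = Resource(r.kind, r.name, r.service, remaining)
        cleaned.append(r)
    return cleaned


def is_clean(inventory, decommissioned):
    """True when no resource belongs to or references the decommissioned service."""
    residue = find_residue(inventory, decommissioned)
    return not residue["owned"] and not residue["dangling_references"]


if __name__ == "__main__":
    residue = find_residue(INVENTORY, "billing")
    for r in residue["owned"]:
        print(f"remove {r.kind:14} {r.name}")
    for r in residue["dangling_references"]:
        print(f"prune  {r.kind:14} {r.name} -> refs {r.refs}")
    cleaned = apply_removal(INVENTORY, "billing")
    print("clean after removal:", is_clean(cleaned, "billing"))
```

Running the check before and after the removal step gives the decommissioning process a concrete exit criterion: the environment is considered clean only when both the owned list and the dangling-reference list are empty.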
Follow a consistent process for timely replacement or upgrade of third-party applications, or application dependencies (e.g., operating system, utility applications, libraries), that have reached end of life.
Engage with customers and user groups for your products at or approaching end of life, to migrate them to supported versions in a timely manner.
Regularly evaluate the lifecycle state and support status of every software asset and underlying infrastructure component, and estimate their end-of-life. Follow a well-defined process for actively mitigating security risks arising as assets/components approach their end-of-life. Regularly review and update your process, to reflect lessons learned.
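Both the third-party replacement process above and the lifecycle evaluation described here need the same underlying check: for every asset, where does it stand relative to its end-of-life date, and what if no date has been published? The following is an added example, not OWASP SAMM code: it assumes a constructed asset inventory with vendor-published end-of-life dates where known, estimates a date from the release date and an assumed support period where unknown, and classifies each asset against a chosen warning window. The asset names, dates and support periods are invented for illustration, not real vendor data.

```python
"""End-of-life evaluation for software assets and dependencies.

Added example (not OWASP SAMM code). Assumes a constructed inventory; where a
vendor has published no end-of-life date, one is estimated from the release
date and an assumed support period per asset kind.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: how far ahead of end-of-life mitigation work should start.
WARNING_WINDOW = timedelta(days=180)

# Assumption: typical support period per asset kind, used only when no
# end-of-life date has been published.
ASSUMED_SUPPORT = {
    "os": timedelta(days=365 * 5),
    "library": timedelta(days=365 * 2),
    "application": timedelta(days=365 * 3),
    "infrastructure": timedelta(days=365 * 5),
}


@dataclass(frozen=True)
class Asset:
    name: str
    version: str
    kind: str                    # key into ASSUMED_SUPPORT
    released: date
    eol: Optional[date] = None   # published end-of-life date, None if unknown


# Constructed sample inventory (illustrative dates only).
INVENTORY = [
    Asset("example-os", "20.04", "os", date(2020, 4, 23), date(2025, 4, 30)),
    Asset("example-lib", "2.1", "library", date(2022, 9, 1), date(2024, 12, 31)),
    Asset("example-app", "7.0", "application", date(2023, 6, 1)),
    Asset("example-lb", "1.9", "infrastructure", date(2022, 1, 15), date(2027, 1, 15)),
]


def effective_eol(asset):
    """Return (date, source) where source is 'published' or 'estimated'."""
    if asset.eol is not None:
        return asset.eol, "published"
    return asset.released + ASSUMED_SUPPORT[asset.kind], "estimated"


def classify(asset, today):
    """Lifecycle state of one asset as of `today`."""
    eol, _ = effective_eol(asset)
    if eol < today:
        return "past_eol"
    if eol - today <= WARNING_WINDOW:
        return "approaching_eol"
    return "supported"


def days_remaining(asset, today):
    return (effective_eol(asset)[0] - today).days


def evaluate(inventory, today):
    """Group assets by state, most urgent first within each group."""
    report = {"past_eol": [], "approaching_eol": [], "supported": []}
    for a in inventory:
        report[classify(a, today)].append(a)
    for group in report.values():
        group.sort(key=lambda a: effective_eol(a)[0])
    return report


if __name__ == "__main__":
    today = date(2025, 1, 15)
    for state, assets in evaluate(INVENTORY, today).items():
        for a in assets:
            eol, source = effective_eol(a)
            print(f"{state:16} {a.name} {a.version:6} eol={eol} ({source}), "
                  f"{days_remaining(a, today):+d} days")
```

Assets with an estimated rather than published date are carried through the same classification but labelled as such, so the review can treat a missing vendor date as its own finding rather than silently assuming the component is supported.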
Establish a product support plan, providing clear timelines for ending support on older product versions. Limit product versions in active use to only a small number (e.g., N.x.x and N-1.x.x only). Establish and publicize timelines for discontinuing support on prior versions, and proactively engage with customers and user groups to prevent disruption of service or support.