The High Cost of Neglected Software Maintenance

A casual glance around your home, office, a hospital, or a factory will reveal that software enables every aspect of our lives, from business operations to consumer applications. It is everywhere and it is crucial. And just like physical infrastructure, software requires regular maintenance to stay reliable and secure.

JC Herz, Exiger’s SVP of Cyber Supply Chain, explored this topic in her recent paper in Henry Stewart Publications’ Cyber Security: A Peer-Reviewed Journal Volume 8 Number 2. ‘Crumbling Bridges: The Failed Economics of Software Maintenance’ takes a critical look at why software — enterprise software in particular — isn’t getting the maintenance investments it deserves. The article also appears in The Business and Management Collection as a professional development resource.

The following is a synopsis of the paper’s findings and the conclusions about improving enterprise software maintenance.

‘Crumbling Bridges’ in Software Resilience

In the case of consumer products, the suppliers typically bear the brunt of maintenance — your phone gets updated automatically, or you get a recall notice for your car — thanks to a healthy fear of lawsuits. For enterprise software, however, it is typically the software customers (the businesses) who are on the hook for maintenance. This is especially true for enterprises writing and using their own software.

Unfortunately, many organizations undervalue this necessity, leading to “crumbling bridges” in software resilience.

Why Software Maintenance Gets Dropped as a Priority

Bottom line: Enterprise software maintenance is costly and time-consuming, often falling outside the scope of a company’s immediate priorities. Developers and product managers are incentivized to prioritize new marketable features, rather than decidedly unglamorous maintenance tasks. Moreover, customers rarely demand transparency about the quality and maintenance of the software they buy, encouraging vendors to cut corners.

The Real-World Impact of Unmaintained Software

Undervaluing software maintenance leads to high-profile failures, like the 2019 Baltimore ransomware attack. The city’s outdated software systems, combined with years of inadequate investment in IT infrastructure and personnel, left it highly vulnerable. The attack caused widespread disruptions, with recovery costs exceeding the ransom demanded. And this isn’t just a public-sector issue; private companies, particularly those in critical infrastructure industries, face similar risks when software maintenance is neglected.

A Path Forward: Software Supply Chain Transparency

The solution lies not in technology alone but in shifting the economic incentives. By increasing transparency in the software supply chain, businesses can make informed purchasing decisions and hold vendors accountable. For example, software bills of materials (SBOMs) — an ingredients list of the components in a software product — are emerging as a critical tool for assessing risk and encouraging vendors to prioritize active maintenance.

Some regulatory bodies, like the U.S. Food and Drug Administration (FDA), have already made SBOMs mandatory for certain products, such as medical devices, and are creating market pressure. (See more in our on-demand webinar: Building a Trusted Supply Chain.) Vendors are more likely to address vulnerabilities when they know their customers can easily identify risks.
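To make the "assessing risk" point concrete, here is an added example that is not part of the paper, the synopsis, or any Exiger product: a short Python script that reads a CycloneDX-style SBOM and flags components that are behind the current release or whose upstream project has not shipped anything in years. The SBOM document, the package names and versions, the release catalog, and the as-of date are all constructed for illustration; in practice the catalog data would come from a package index or vendor feed.

```python
"""
Added example: maintenance-risk triage over a CycloneDX JSON SBOM.

Everything below the imports is constructed sample data. CycloneDX's
"bomFormat", "specVersion" and "components[].name/version/purl" fields are
real; the package names and dates are invented for this illustration.
"""
import json
from datetime import date

# Constructed SBOM: four components, one of which has no public release data.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "example-web-framework", "version": "2.0.1",
     "purl": "pkg:pypi/example-web-framework@2.0.1"},
    {"type": "library", "name": "example-xml-parser", "version": "1.4.0",
     "purl": "pkg:pypi/example-xml-parser@1.4.0"},
    {"type": "library", "name": "example-crypto", "version": "3.2.0",
     "purl": "pkg:pypi/example-crypto@3.2.0"},
    {"type": "library", "name": "vendor-internal-lib", "version": "0.9.0"}
  ]
}
"""

# Constructed stand-in for a package index: version -> release date.
RELEASE_CATALOG = {
    "example-web-framework": {"2.0.1": date(2024, 9, 1)},
    "example-xml-parser": {"1.4.0": date(2017, 3, 15)},
    "example-crypto": {"3.2.0": date(2021, 6, 3), "3.9.2": date(2024, 11, 20)},
}

# Constructed evaluation date so the example is reproducible offline.
AS_OF = date(2025, 1, 15)


def parse_version(v):
    """Best-effort numeric sort key for dotted versions ('1.4.0' -> (1, 4, 0))."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def sbom_components(sbom_text):
    """Yield (name, version) for every component in a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_text)
    for comp in doc.get("components", []):
        yield comp["name"], comp.get("version", "")


def assess_component(name, version, catalog, as_of, inactive_days=730):
    """Classify one component as current, outdated, unmaintained or unknown.

    'unmaintained' means the upstream project itself has had no release for
    more than `inactive_days`; 'outdated' means the project is alive but the
    deployed version is behind its latest release.
    """
    releases = catalog.get(name)
    if not releases:
        # No release data at all: the SBOM names it, but nobody can vouch for it.
        return {"name": name, "version": version, "status": "unknown",
                "latest": None, "days_since_latest_release": None}
    latest = max(releases, key=parse_version)
    days_since_latest = (as_of - releases[latest]).days
    if days_since_latest > inactive_days:
        status = "unmaintained"
    elif parse_version(version) < parse_version(latest):
        status = "outdated"
    else:
        status = "current"
    return {"name": name, "version": version, "status": status,
            "latest": latest, "days_since_latest_release": days_since_latest}


def assess_sbom(sbom_text, catalog, as_of):
    """Return {component name: assessment dict} for the whole SBOM."""
    return {name: assess_component(name, ver, catalog, as_of)
            for name, ver in sbom_components(sbom_text)}


if __name__ == "__main__":
    for finding in assess_sbom(SBOM_JSON, RELEASE_CATALOG, AS_OF).values():
        print(f"{finding['status']:<12} {finding['name']}@{finding['version']}"
              f" (latest: {finding['latest']}, "
              f"days since latest release: {finding['days_since_latest_release']})")
```

The point of the "unknown" bucket is that an SBOM only creates leverage when it can be joined against release data; a component with no vendor or index record is exactly the kind of maintenance blind spot the paper describes, and a buyer can push that question back to the vendor.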

Investing in software maintenance isn’t just about avoiding cyber threats — it’s also good business. Well-maintained software reduces downtime, improves customer trust, and ultimately enhances a company’s competitiveness.

Conclusion

The neglect of software maintenance is a business problem masquerading as a technical one. By rethinking how we value and incentivize maintenance, companies can break the cycle of technical debt and build a more resilient digital future. Transparency, accountability, and smarter economic choices will pave the way for lasting success.

Contact us to learn how Exiger’s Ion Channel can help your organization create and validate SBOMs as well as assess and mitigate cyber supply chain risks.
