06-17-2014 1:45 PM
I have inherited a server running SQL-Anywhere Version 9; I believe that version is end-of-life. I'm trying to come up with good arguments for replacing that version with a newer one, but the boss isn't interested in replacing it. Can anyone help me with arguments?
07-18-2014 4:10 PM
I'm not sure if this question is directly (SAP) security related, but End of Life normally means:
- no patching/bug fixing
- no patching of security vulnerabilities
- no support from vendor
So it may continue to work, unless it breaks and/or you need assistance from the vendor; they will most likely:
- refuse / ask you to upgrade to a valid version
- ask a lot of money for "extensive support", which will likely be "on best effort", success not guaranteed.
What you could do is to indicate the risk. But ask "formally" that the application owner acknowledges/accepts these risks.
According to the vendor, version 9.X has already been EoL since 2010 (End of Life Notice for SQL Anywhere Version 9.0.x End of Life Notice: Mobile Enterprise, Database Ma...
07-21-2014 1:45 AM
I assume that it's running on Windows XP or Windows 2000. Just kidding. It seems like the end of life for this product was in January 2010. What could go wrong? Running unpatched components made it into OWASP Top 10 for 2014. If you want something more management-friendly, then NIST has some documents about the importance of patch management. I would try to quantify the risk of breaching this DB. It really depends on what's stored in the DB.
Cheers