End of Life Definition - Application / Software

I’d like to poll my peers here to hear your definition of Application / Software end of life (EOL). I’m crafting a more complete and comprehensive definition that will be introduced into my company’s global standards. I’d appreciate you sharing what you’ve crafted or providing feedback. Before you respond, consider the following:

  • Application and Software are seen separately in my environment. An application is the business application, which has multiple components. Software can be one of the other software pieces or components making up the application. For this discussion I’m focused on the publisher’s software.

  • I don’t see EOS or EEOS as the same as end of life. That is a publisher’s decision to no longer provide support; however, the software may still offer business value that offsets risk, etc., beyond EOS or EEOS.

  • I don’t see a software publisher’s EOL as the same as end of life either, for the same reasons. That they may no longer produce the product doesn’t mean it no longer provides business value for the company.

  • Overall, I see software EOL from a business perspective: it is when the software no longer serves a business value and should be decommissioned/retired and removed from the environment. Triggers that might prompt EOL are the introduction of newer software releases adopted by the company; risks or vulnerabilities that outweigh the business benefit; or software that has business value but is not supported by current technologies, OSes, etc.

Thanks in advance for your feedback,

Bryant

@Bryant

My suggestion would be to adopt the publishers’ definitions. Your organization does not need to abide by EOS/EOL dates, but it will need to accept the RISKS of running the software without formal support.

EOS/EOL dates from the publisher are their way of trying to keep organizations on a constant treadmill of new features, capabilities, etc. They influence that adoption via the ability to access patches, call support, and/or get critical vulnerabilities corrected. It is a strategy at the end of the day.

Even if SW is EOS/EOL, you may be able to get 3rd-party support, which may be a good idea if it is an application/system/SW that is critical to your operations. Additionally, I would suggest discussing this with your CISO, as they have a vested interest in understanding this and accepting or remediating IT risk.

-Kris


Thanks Kris, I appreciate the opinions.

@Bryant I second @kristopher.j.wong Kris’ statements. End of life consideration for me is crucial for managing risks to resilience and operational stability for those applications that are critical for business delivery. Whilst in reality the risk of an incident may be low, the appetite for risk depends on the criticality of the business application that the software supports.
