I feel like I just discovered that my favourite old-time movie star became a broken, shambling, drink-soaked and bitter old person. It’s a time for remembering them as they were in their prime and for regretting that they could not always shine as brightly as they once did.
I run a software consultancy and my broken, shambling old movie star is an open source software application called SugarCRM Community Edition. There was a period when it was one of the most used Customer Relationship Management applications globally. For about half a dozen years my company (SalesAgility) was one of the most active SugarCRM Community Edition consultancies in the world. We loved it and the love was reciprocated. We were active in the community support forums (in a community of half a million people, we were one of the five most active posters globally).
We wrote some great solutions for some great customers. We formed friendships with customers that endure to this day. We contributed code, bug fixes, time, ideas and passion to the project. We had customers from the startup to the enterprise and all points between. We travelled the world. We grew. It was hard work but it was open source and the possibilities were seemingly endless.
Then, in October 2013, SugarCRM announced that they were abandoning open source and Community Edition. Support would continue until an undefined date but there would be no more functional updates. They have now announced that date and it’s April 2017.
Today, some three years and a couple of months since that original announcement, SugarCRM Community Edition, even in its most up-to-date version, has multiple vulnerabilities. Vulnerability and static code analysis scans suggest that users should be very concerned. It’s going to get worse. As the software languishes, more vulnerabilities will emerge. Today, a smart attacker can compromise either the application, the server it’s running on, or both. Tomorrow, it will probably be easier to attack.