Jerome Kelly
2025-03-26
Why a Maintenance Plan?
One of the most overlooked aspects of software development projects is the maintenance phase. A project is rarely ever truly finished; it will continue to require a non-negligible amount of work over time. In this article, we will demystify the why and how of this crucial phase.
A Bit of Philosophy
People often say that code rusts, drawing an analogy with materials in the physical world. At Thirdbridge, we’ve never really liked that comparison. In reality, source code is a set of deterministic commands—when executed under the same conditions, it will produce the same results, even 50 years later.
The real issue is that the outside world evolves, making interactions with outdated code increasingly difficult. Take security vulnerabilities, for example: they do not arise from the degradation of code, like steel that oxidizes. Instead, the vulnerability has been there from day one—it is our understanding of security risks that has evolved, while the code itself has remained unchanged.
The Maintenance Plan
A maintenance plan typically covers three key aspects:
Updating core components and external dependencies
Changes driven by external factors
Changes driven by internal factors
Core Components & External Dependencies
Whether it’s the Android SDK version for a mobile app or the Node.js version for a web server, the vast majority of digital projects rely on components that are constantly evolving. Additionally, many projects depend on third-party libraries, which often require even more attention, as they tend to be less actively maintained than core technologies.
Keeping these components up to date is essential for two main reasons:
Security
Security is a never-ending battle. Regardless of the technology, new vulnerabilities are constantly being discovered. Having a predefined update cadence reduces the chances of using outdated, insecure versions. At Thirdbridge, we continuously monitor security vulnerabilities in the technologies we use, allowing us to take proactive action before bad actors can exploit them.
Development Speed
If a project is not maintained, future development slows down over time. While the short-term impact may seem minimal, developers will become less and less efficient as time goes on.
A great (and extreme) example is the banking sector. Today, banks are forced to spend massive amounts to hire programmers skilled in COBOL. Even worse, these aging systems are incompatible with modern technologies, making any updates painfully slow. To be clear: it takes decades to reach such an extreme situation. However, the decline in development speed starts much sooner.
External Factors
Sometimes, external factors force us to update a project. These factors vary widely. Here are a few examples we’ve encountered at Thirdbridge:
AWS EKS now charges $400 per month for Kubernetes clusters running outdated versions.
As of April 24, 2025, Apple will reject apps that do not use iOS SDK 18.
Quebec's Bill 25 required businesses to update their websites to include privacy policies.
Internal Factors
In other cases, internal needs drive updates. Examples include:
Small UI adjustments on a website
Minor API configuration updates
Updating app store images for a mobile app
The Financial Model
At Thirdbridge, our maintenance plan is structured as a non-expiring annual hour bank. Since the hours never expire, clients can spread out their maintenance costs over time. If there are unused hours, they can be applied as a credit toward future development projects.
The goal is simple: peace of mind. Unexpected security fixes shouldn’t disrupt your budget. With our approach, clients can maintain financial stability while keeping their software secure and up to date.
ROI Matters
A maintenance plan isn’t a blank check for developers to experiment with the latest trend every six months. Every maintenance effort must align with the long-term strategy of the project.
A recent example: Less than a month ago, React officially announced the end of Create React App. Several of our projects were built using this technology, but for some clients, migration isn’t even on the table. If future development is unlikely and security risks are minimal, the ROI simply isn’t there.
Conclusion
A digital project is rarely ever “done”. The tech landscape evolves so quickly that inaction can lead to major security risks and development slowdowns—sometimes in just a few years. This is why having a maintenance plan is critical, yet often overlooked.
With Thirdbridge's non-expiring hour bank, we provide technical stability and financial predictability. By rolling over unused hours, clients avoid budget surprises while ensuring their software remains up-to-date and secure.
Beyond the code itself, our mission is to deliver the best possible experience when building digital solutions. A well-planned maintenance strategy is a key part of achieving that goal.
contact@thirdbridge.ca
+1 514 316 5399
1751 Rue Richardson Bureau 5.120, Montréal, QC H3K 1G6
330 Rue Saint-Vallier E suite 330, Québec, QC G1K
1475 North Scottsdale Road, Suite 200, Scottsdale, AZ 85257


