Samrat Neupane

Fractional CTO & Technical Co-Founder

Software Maintenance

Software Maintenance Checklist for Growing Businesses

Most businesses don't know their software is falling behind until something breaks. By then, what should have been a routine check becomes an emergency.

I've watched this happen many times. A team builds something solid, ships it, and then moves on to the next thing. Nobody's job becomes keeping an eye on what's already running. Six months later, a dependency hasn't been updated, the SSL cert is about to expire, and the error logs are full of warnings that nobody reads. Then one morning a customer can't log in and everyone's scrambling.

Maintenance is keeping what you have working. Bugs fixed, security patched, dependencies current. It's not glamorous, and nobody celebrates a dependency update. But skipping it long enough turns a codebase into a liability.

What this checklist coversThis is a practical software maintenance checklist organized by category: security, reliability, performance, code health, and business fit. Go through it once a quarter. If you find multiple reds, treat that as a signal, not just a to-do list.

Security

Security is where ignored maintenance causes the most damage. Vulnerabilities don't announce themselves. They sit in your dependency tree until someone exploits them.

Run through these first. Everything else can wait if security is failing.

Here's a real example. A client came to us after a data incident. Their Node.js app was running on a version that had a known RCE vulnerability, patched eighteen months earlier. The fix was one command. The cost of not running it was substantial. Not because anyone was lazy. Because nobody owned it.

That's what unattended software does.


Reliability

Reliability problems are quiet until they're catastrophic. You don't notice them until a user tells you something's broken, or until the whole thing goes down at the worst possible moment.

The backup question catches people every time. Most teams have backups running. Almost nobody has tested restoring from them.

Running a backup and verifying a restore are two different things. You want to know the second one works before you need it.

"Backups that haven't been tested are just hope stored on a server."

Performance

Performance degrades slowly. A page that loads in 400ms this month might load in 1.2 seconds next quarter. No single change caused it. It just drifted. And users notice before you do.

Your business moved. The software didn't. That gap shows up first in performance. Users change behavior, volume increases, new features add joins to queries that used to be fast. If you're not checking, the slowdown is already happening.


Code Health

Code health is the hardest category to take seriously because nothing breaks immediately when you ignore it. The cost shows up when you need to move fast and can't.

The onboarding question is a reliable proxy for code health. If it takes three days for a new developer to get things running, that's not an onboarding problem. It's a documentation and environment problem that your existing team is just too familiar to notice.

If technical debt lives only in people's heads, it doesn't get addressed. It gets inherited.


Business Fit

This is the category most technical checklists skip. Software doesn't just need to run. It needs to still match how the business works.

Businesses change faster than software does. That's the gap worth checking.

I've watched teams accumulate three or four spreadsheets running alongside their software because the software stopped fitting how they work. Nobody killed the software. Nobody updated it either. They just routed around it. That's expensive in a way that doesn't show up on any invoice.

If you're doing software maintenance in Nepal or anywhere else at scale, the business fit check often surfaces more actionable work than the technical checks.


What to Do With the Results

Going through this checklist produces one of four situations. Each has a clear response.

Green on most items: Schedule a review in 90 days. Don't let it slip past that. Make it a calendar event that doesn't get moved.

Red on security: Fix it now. Not this sprint. Not after the current feature ships. Now. A security vulnerability doesn't care about your roadmap.

Red on reliability: Fix it within the week. A system without working backups, monitoring, or error tracking is one incident away from a very bad day. Reliability is not a background priority.

Multiple reds across categories: This is no longer a checklist situation. It's an audit. You need someone to go through the codebase properly, understand the full scope of what's been deferred, and build a prioritized plan. Trying to fix everything at once without that context usually makes things worse.

At Asteroid Studio, we run this kind of check for every client on retainer. Not as a formality. Because catching a failing dependency or an expiring certificate before it causes an incident is worth far more than the time it takes. We stay on the codebase, watch how it's holding up as the business grows, and flag things before they become emergencies.


Common questions

How often should software be maintained?

Security patches and dependency updates should be reviewed every 30 to 90 days. A broader health check covering reliability, performance, and business fit should happen quarterly. If your software is customer-facing or handles financial data, monthly reviews are worth it.

What’s the cost of ignoring software maintenance?

The costs compound. Ignored dependencies become security vulnerabilities. Slow queries become outages. Small bugs become customer churn. By the time the cost is obvious, the bill to fix it is three to five times what steady upkeep would have cost.

Should I handle software maintenance myself or hire someone?

If you have a developer on staff who has ownership of this, do it internally. If your developer is heads-down on new features, or if you’re a non-technical founder, someone needs to own maintenance as a separate concern. It doesn’t get done when it’s everyone’s problem and nobody’s job.

What’s the difference between a bug fix and maintenance?

A bug fix is reactive: something broke, you fix it. Maintenance is proactive: you check for things about to break before they do. Both matter, but maintenance is the one most teams skip.

What’s the first thing to check in a software maintenance audit?

Security first. Run a dependency audit, check SSL certificate expiry dates, and confirm your package manager isn’t flagging known vulnerabilities. That’s where the most immediate risk lives.

Samrat Neupane

Fractional CTO and Founder at Asteroid Studio. Works with growing businesses on software that stays healthy after launch.

neupanesamrat.com.np

Not sure where your software stands?

Get a proper look at what’s running, what’s drifting, and what needs attention before it breaks.

See how we handle maintenance