The four pillars of web application maintenance

We have been developing, supporting and maintaining Ruby on Rails web applications for over 10 years here at Foxsoft. In that time we’ve learned a few things about how best to approach securing and maintaining applications for the long term.

We have distilled our experience into what we call our four pillars of application maintenance. They are four lenses with which to view an application. Each component contributes toward building a stable and robust foundation for a maintainable Ruby on Rails web application. We use it for the applications we maintain and develop, and is one of the first activities we will perform when a prospect asks us if we’d be interested in supporting and maintaining their web application. For us, this primarily applies to applications written using Ruby on Rails; however, we believe our tenets are universal and can be applied to any application.

When we audit an application, we review it from the four different angles. Each pillar has an extensive checklist of items we evaluate the application against to come up with a rating for it. Each of these is then aggregated to form an overall rating for the codebase. The scores provide our clients with an easy to understand snapshot of the health of their system, and helps to indicate where they should focus their efforts. Over time, they provide a benchmark to monitor progress and how you compare to codebases. For example, a brand new Ruby on Rails codebase today would start out with a high rating, but over time if updates and upgrades don’t get addressed your grade will drop.

The four pillars are Safety, Resilience, Adaptability, and Documentation. These are the defined focus areas that we consider to be the mainstays of a sound application.

If one or more of these pillars are missing, or crumbling, then there is a real risk which must be addressed to ensure that your application remains stable and able to serve your business effectively for the long term.


The safety pillar is centred around how well your application is defended against malicious or accidental damage. For example, in the case of Rails applications, we look at the versions of Ruby and Rails and assess how up to date they are with security patches. We apply the same logic to the operating system and lower level components such as the web server and database, along with all the application dependencies. We also review the codebase to identify areas where coding practices may have introduced vulnerabilities, such as unchecked user input.


The resilience pillar indicates how stable your application is under current operating conditions and how well it will cope with decay. Here, in web applications, this looks more at the hosting environment and how well your application is able to deal with errors and failures. We look for single points of failure, backup and recovery strategies and the ability of the system to keep running in adverse conditions.


The adaptability pillar is a measure of how easy and safe it is to undertake further development and enhancements. We take an in-depth look at coding style and practices, evaluate technical debt, and assess metrics such as cyclomatic and cognitive complexity.


Over the years of providing support and maintenance, we’ve come across a wide variety of codebase quality, but the area that is most often lacking is documentation. It’s rarely given priority, but it’s critical to the long term health of the application.

We look at how well documented the application is concerning its setup and configuration, what it does, the architecture, support and maintenance procedures and workarounds. We also look for better practices such as decision documents, like Architecture Decision Records (ADRs).

Would you like to get a better handle on the health of your Ruby on Rails web application? We’ll audit your code, rating your application against each of these pillars and deliver a comprehensive, but easy to understand, report on the current health of your codebase with our recommendations for how to improve. Contact us today.