
10 January 2023

Your Software Escrow Verification questions answered

Sector IT Software Resilience NCC Group

Software escrow verification is an important complement to software escrow that helps protect the interests of both software users and developers. The verification process tests the source code and material held under the software escrow agreement to ensure it is correct, complete, and can be rebuilt into the working application, providing a higher level of resilience and business continuity assurance.

When a user licenses software from a developer, they often rely on that software to run their business or perform critical functions. If something were to happen to the developer, such as bankruptcy or failure to support the application, the user could be left without access to the software application they need.

Software escrow verification is a way to protect against this risk. In an escrow agreement, the developer deposits a copy of their software source code with a third-party escrow agent, such as NCC Group, who holds it in a secure location. Verification goes a step further than storage: the agent tests that the deposit is complete and can be built into the working application. Verifying the deposit, rather than simply holding it, is what gives the user confidence that they will be able to re-create a functional copy of the software if they ever need to.

We recently held a Deep Dive webinar on Software Escrow Verification. During the webinar, our verification experts Will Franks and Dave Bamber answered many of the questions we typically get from our customers on verification. Here, we’ll share summaries of those answers along with short video responses.

What are the risks of not verifying your software source code escrow deposit?

Source code is like a jigsaw puzzle – there are many pieces, and they all need to work together. In addition to the actual source code, supporting materials such as build instructions, any bespoke tools, and details about the environment and configuration are required. Having the source code in escrow is one thing. Knowing how to build it is another thing entirely. A correct and updated build guide needs to go with the deposit.

A thorough verification of the materials provides assurance that, in the event of a deposit release, the technology user (also known as the licensee or the escrow beneficiary) would be able to read, re-create and maintain the developer’s technology in-house — in essence, “step into the shoes” of their vendor. The big risk of not verifying your escrow deposit is that if the source code is released in the future, it might be unusable.

How does software escrow verification support ongoing continuity for critical applications?

There are two main deliverables from a verification exercise. First, the deposit itself, and second, a detailed report that documents each step of the process and its outcome.

Within a business continuity plan, verification confirms that the software user has all the information needed to recreate the application, and it involves observing the full transition from source code to a working application.
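The checks described above (is every piece of the "jigsaw" present and unaltered, are the build guide and tooling deposited at all, and does following the build guide actually produce the application the licensee runs) can be scripted. The following is an added example, not NCC Group's tooling or any real verification procedure; manifest.json, BUILD.md and build.py are assumed names, and the sample deposit it verifies is constructed inside the script so it runs offline.

```python
"""Hypothetical escrow-deposit verification check (added example, not NCC Group code).

Three questions a verification asks of a deposit:
  1. Is every file the manifest lists present and unaltered, and is there
     nothing on disk the manifest fails to describe?
  2. Are the supporting materials (build guide, build tooling) present?
  3. Does the documented build command produce an artifact matching the
     release the licensee actually runs (reference hash)?
manifest.json, BUILD.md and build.py are assumed names for this example."""
import hashlib
import json
import subprocess
import sys
import tempfile
from pathlib import Path

REQUIRED_SUPPORT_FILES = ("BUILD.md", "build.py")  # assumed naming convention


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(deposit: Path) -> dict:
    return json.loads((deposit / "manifest.json").read_text())


def check_manifest(deposit: Path) -> list[str]:
    """Completeness and integrity: every listed file present with the listed hash."""
    manifest = load_manifest(deposit)
    findings = []
    for rel, expected in manifest["files"].items():
        p = deposit / rel
        if not p.is_file():
            findings.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            findings.append(f"altered: {rel}")
    # Files the manifest does not describe are a gap in the deposit record too.
    described = set(manifest["files"]) | {"manifest.json", manifest["build"]["artifact"]}
    for p in deposit.rglob("*"):
        rel = p.relative_to(deposit).as_posix()
        if p.is_file() and rel not in described:
            findings.append(f"unlisted: {rel}")
    return findings


def check_support_materials(deposit: Path) -> list[str]:
    """Source alone is not enough: the build guide and tooling must be deposited."""
    return [f"no build material: {n}" for n in REQUIRED_SUPPORT_FILES
            if not (deposit / n).is_file()]


def check_build(deposit: Path, reference_sha256: str) -> list[str]:
    """Follow the documented build command, then compare the output with the
    hash of the release the licensee runs in production."""
    build = load_manifest(deposit)["build"]
    result = subprocess.run(build["command"], cwd=deposit, capture_output=True, text=True)
    if result.returncode != 0:
        return [f"build failed: {result.stderr.strip()}"]
    artifact = deposit / build["artifact"]
    if not artifact.is_file():
        return [f"build produced no {build['artifact']}"]
    actual = sha256_file(artifact)
    if actual != reference_sha256:
        return [f"build output {actual[:12]} does not match production release {reference_sha256[:12]}"]
    return []


def verify_deposit(deposit: Path, reference_sha256: str) -> list[str]:
    findings = check_manifest(deposit) + check_support_materials(deposit)
    if findings:
        return findings  # no point building from a deposit that is already incomplete
    return check_build(deposit, reference_sha256)


def run_scenario(scenario: str) -> list[str]:
    """Constructed sample deposit: one C source file plus a toy build script that
    'compiles' by concatenating sources. Scenarios: ok, altered (source changed
    after the manifest was written), no-guide (build guide never deposited),
    stale (deposit builds, but the vendor has since shipped a newer release)."""
    with tempfile.TemporaryDirectory() as tmp:
        deposit = Path(tmp) / "deposit"
        (deposit / "src").mkdir(parents=True)
        source = b"int main(void) { return 0; }\n"
        (deposit / "src" / "app.c").write_bytes(source)
        (deposit / "BUILD.md").write_text("Run `python build.py`; it writes app.bin.\n")
        (deposit / "build.py").write_text(
            "from pathlib import Path\n"
            "parts = [p.read_bytes() for p in sorted(Path('src').glob('*.c'))]\n"
            "Path('app.bin').write_bytes(b''.join(parts))\n")
        manifest = {
            "files": {rel: sha256_file(deposit / rel) for rel in ("src/app.c", "BUILD.md", "build.py")},
            "build": {"command": [sys.executable, "build.py"], "artifact": "app.bin"},
        }
        (deposit / "manifest.json").write_text(json.dumps(manifest, indent=2))
        reference = hashlib.sha256(source).hexdigest()  # hash of the shipped release
        if scenario == "altered":
            (deposit / "src" / "app.c").write_bytes(b"int main(void) { return 1; }\n")
        elif scenario == "no-guide":
            (deposit / "BUILD.md").unlink()
        elif scenario == "stale":
            reference = hashlib.sha256(b"int main(void) { return 2; }\n").hexdigest()
        return verify_deposit(deposit, reference)


if __name__ == "__main__":
    for s in ("ok", "altered", "no-guide", "stale"):
        print(f"{s:9}", run_scenario(s) or "verified")
```

The "stale" scenario is the one worth dwelling on: the deposit is internally consistent and builds cleanly, yet it is useless to the licensee because it no longer corresponds to the release in production. That is why the build output is compared against a reference hash of the licensed binary rather than merely checked for a successful exit code, and why verification is repeated after each material release.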

What are some best practices around verification?

These are some of the best practices to consider around verification and determining the best level of verification for your application:

  • Frequency of verification – it is recommended to repeat the verification every time the vendor makes any material update to the application source code.
  • Required level of verification – different levels of verification are available. You should choose the level that is in line with your exit strategy, relevant regulations, risk appetite, and criticality of software.
  • Reviewing outputs post-exercise – lessons learned, gaps in knowledge or deposit material, remediation.
  • Building verification into future software procurement to approach it systematically.
  • Determining which party pays for the verification exercise.
  • Stressed exit planning.

How can verification reduce cloud migration risk?

Software source code verification can reduce the risks when migrating to cloud-based applications. Holistically, we look at how a piece of software is put together. Beyond the source code, that can include the infrastructure and hosting environment, as well as elements such as the group-level access credentials needed for the cloud environment and a replicated tenancy in which to rebuild it. We verify that everything is complete and correct and can be built into the working system.

How can I use verification to demonstrate regulatory compliance?

Verification can support the requirements for regulatory compliance for third-party outsourcing, such as the UK Prudential Regulation Authority's (PRA) requirements on outsourcing and third-party risk. It does so in the following ways:

  • Provides independent assurance and safeguards investments.
  • Ensures ongoing continuity for critical applications.
  • Reduces the risks associated with migrating to the cloud.
  • Provides documented evidence, in the form of the verification report, that can be shown to a regulator.

As you consider software escrow verification services, we hope this Q&A and the short video responses provide some insight. For more information:
