Software escrow verification is an important complement to software escrow that helps protect the interests of both software users and developers. The verification process tests the source code and material held under the software escrow agreement to ensure it is correct, complete, and can be rebuilt into the working application, providing a higher level of resilience and business continuity assurance.
When a user licenses software from a developer, they often rely on that software to run their business or perform critical functions. If something were to happen to the developer, such as bankruptcy or failure to support the application, the user could be left without access to the software application they need.
Software escrow verification is a way to protect against this risk. In an escrow agreement, the developer deposits a copy of their software source code with a third-party escrow agent, such as NCC Group. The agent verifies that the source code is complete and unaltered and holds it in a secure location. Verifying the source code before it is deposited in escrow is an important part of the process. This gives the user confidence that they will be able to re-create a functional copy of the software if needed in the future.
We recently held a Deep Dive webinar on Software Escrow Verification. During the webinar, our verification experts Will Franks and Dave Bamber answered many of the questions we typically get from our customers on verification. Here, we’ll share summaries of those answers along with short video responses.
Source code is like a jigsaw puzzle – there are many pieces, and they all need to work together. In addition to the actual source code, supporting materials such as build instructions, any bespoke tools, and details about the environment and configuration are required. Having the source code in escrow is one thing. Knowing how to build it is another thing entirely. A correct and updated build guide needs to go with the deposit.
A thorough verification of the materials provides assurance that, in the event of a deposit release, the technology user (also known as the licensee or the escrow beneficiary) would be able to read, re-create and maintain the developer’s technology in-house — in essence, “step into the shoes” of their vendor. The big risk of not verifying your escrow deposit is that if the source code is released in the future, it might be unusable.
A verification exercise has two main deliverables: first, the deposit itself, and second, a report that describes every detail of the process.
As part of the business continuity plan, verification makes sure the software user has all the necessary information to recreate the application. It also involves observing the transition from source code to a successful working application.
These are some of the best practices to consider around verification and determining the best level of verification for your application:
Software source code verification can reduce the risks when migrating to cloud-based applications. We look holistically at how a piece of software is put together. This can include the infrastructure and hosting environment, as well as elements such as group-level access credentials to a cloud environment and replicated tenancy. We verify that everything is complete and correct and can be built into the working system.
Verification can support the requirements for regulatory compliance for third-party outsourcing, such as the UK’s PRA regulations. It does so in the following ways:
As you consider software escrow verification services, we hope this Q&A and the short video responses provide some insight.