
A False Sense of Security is not a Contingency Plan

Most businesses that license software know a software escrow agreement is an important part of a contingency plan. If something unforeseen happens to the provider of your business-critical software application, it's paramount to have an exit strategy from the business relationship to avoid disruption to your operations. With control of the software source code, you can continue to maintain the software yourself, or find another provider to take over support. It is also essential to verify the escrow deposit and supporting materials are all in place and could successfully recreate the application if necessary. Without escrow verification, you may have a false sense of security about the contents of your escrow account.


Since verifying source code and materials is such a prudent step, it makes even more sense to create a repeatable process around verification with a subscription-based plan. Much like Amazon's "Subscribe and Save" service, an escrow verification subscription lets you set up a regular schedule for verification to simplify the process and make sure it happens regularly — all at a discounted rate. I've subscribed on Amazon to get trash bags, batteries, air conditioner filters, and dog food delivered regularly to my home. These are all basics that I know I will need, and now I don't have to give it another thought. In much the same way, once an escrow agreement is finalized and the initial escrow deposit has been submitted, monitoring the escrow deposit is no longer a challenge if there is a subscription verification plan.


In the world of Agile software development, technology is constantly changing, systems are always being updated, and the details to manage these solutions continue to be a work in progress. Today, source code deposits can be submitted electronically to your escrow account using a GitHub integration so that your source code is always the most up-to-date version. To keep up with the pace of change, it just makes sense to routinely audit the contents of your escrow account to better manage the escrow materials and confirm that those materials can recreate your business-critical applications if required.


A subscription-based escrow verification service is a lot like a bank statement from your financial institution. Software licensees will receive a detailed summary of the files, tools, and supporting documents that were deposited into the escrow account during escrow submission.


The audit includes:

  • Analyzing deposit media readability
  • Scanning for viruses
  • Developing file classification tables
  • Confirming the presence/absence of build instructions
  • Identifying materials required to recreate the depositor's software development environment

If any information is absent, the escrow agent may notify the software developer to request the missing information for the process. With a frequent, basic level of monitoring, companies licensing software will be able to see if the deposit information looks reasonable and sufficient to support their continuity plan, or if there are any flags that would indicate a higher level of escrow verification needs to be completed.


The benefits of an escrow verification subscription include:

  • Flexibility: Software development cycles are inconsistent. A verification subscription will provide between 3 and 5 escrow verification audits per year. These are performed on every new deposit received at any time over the course of 12 months.
  • Scalability: Once all the information is available, the licensee can determine whether the changes are significant enough to perform higher levels of verification testing. These significant software changes are typically known as milestones, usually measured by version numbers (e.g., Version 1 vs. Version 2).
  • Stronger Relationships: The autopilot simplicity of the escrow verification subscription makes managing escrow relationships that much easier. Performing these audits on a routine basis mitigates your risk of missing critical pieces of information at a particular development cycle of the application.

Of course, nobody wants their software vendor to disappear or discontinue support for their product. However, a contingency plan is basically a false sense of security unless you verify the feasibility of your plan. While having an escrow agreement is a good start, it is important to manage the process by auditing the account on a routine basis to confirm you have everything you need, if by chance something does happen to your vendor.

 

NCC Group Software Resilience has acquired Iron Mountain’s Intellectual Property Management (IPM) business. For more information on the acquisition, please visit our dedicated information hub, or contact Iron Mountain IPM.
