Software escrow verification is an important addition to software escrow that helps protect the interests of both software users and developers. The verification process tests the source code and material held under the software escrow agreement to ensure that it is correct, complete and can be rebuilt into a working application, providing greater assurance of durability and business continuity.
When a user licenses software from a developer, they often rely on that software to run their business or perform critical functions. If something were to happen to the developer, such as going bankrupt or ceasing to support the application, the user could be left without access to the software application they need.
Software escrow verification is a way to protect against this risk. In an escrow agreement, a developer provides a copy of the source code of their software to a third-party escrow agent, such as NCC Group. The agent verifies that the source code is complete and unmodified and keeps it in a secure location. Checking the source code before depositing it into an escrow account is an important part of the process. This gives the user confidence that they can recreate a working copy of the software if needed in the future.
We recently held a Deep Dive Webinar on Software Escrow Validation. During the webinar, our verification experts Will Franks and Dave Bamber answered many of the questions we typically get from clients about validation. Here we share summaries of these answers, together with short video answers.
What are the risks if your software source code escrow is not approved?
Source code is like a puzzle: there are many pieces and they all have to work together. In addition to the actual source code, supporting materials such as build instructions, any custom tools, and details about the environment and configuration are required. Having source code in escrow is one thing. Knowing how to build it is another matter. The deposit must be accompanied by correct and up-to-date build instructions.
A thorough review of the materials ensures that, upon release of the escrow, the user of the technology (also known as the licensee or escrow recipient) is able to read, recreate and maintain the developer’s technology in-house, essentially “stepping into the seller’s shoes”. The big risk of not verifying an escrow deposit is that if the source code is released in the future, it may be unusable.
How does software escrow validation support ongoing continuity of critical applications?
The verification has two main results: first, the deposit itself, and second, a detailed report that describes the process.
As part of a business continuity plan, verification ensures that the user of the software has all the necessary information to rebuild the application. This also includes tracking the transition from source code to a successful working application.
What are the best practices for validation?
These are some of the best practices to consider when verifying and determining the best verification level for your application.
- Frequency of testing – It is recommended that testing be repeated every time the vendor makes a significant update to the application’s source code.
- Verification Level Required – Various verification levels are available. You should choose a level that is consistent with your exit strategy, relevant regulations, risk appetite, and criticality of the software.
- Post-exercise review of outputs – lessons learned, gaps in knowledge or stock, remediation.
- Integrating validation into future software procurement for a systematic approach.
- Determining which party pays for the inspection.
- Stressed exit planning.
How can validation reduce the risk of cloud migration?
Verifying software source code can reduce risks when migrating to cloud-based applications. We take a complete look at how the piece of software is put together. We can cover the infrastructure, the hosting environment, and also elements such as group-level access credentials to the cloud environment and replicated tenancy. We check that everything is complete and correct and that it can be built into a working system.
How can validation be used to demonstrate compliance?
Validation may support compliance requirements for third-party outsourcing regulations, such as the UK PRA Regulations. This is done in the following ways.
- Provides independent assurance and protects investments.
- Ensures ongoing continuity of critical applications.
- Reduces risks associated with cloud migration.
- Helps demonstrate regulatory compliance.
We hope these questions and answers, along with the short video answers, provide some insight into software escrow verification services.