Software escrow validation is an important complement to software escrow and helps protect the interests of both software users and developers. The validation process tests the source code and materials held under software escrow agreements to ensure that they are correct, complete, and can be rebuilt into a working application, resulting in a higher level of resilience and business integrity. It also provides continuity guarantees.
Once a user licenses software from a developer, they often rely on that software to run their business or perform critical functions. If something happens to the developer, such as bankruptcy or failure to support the application, users may lose access to the software they need.
Software escrow verification is a way to protect against this risk. In an escrow agreement, the developer deposits a copy of the software source code with a third-party escrow agent such as NCC Group. The agent verifies that the source code is complete and unaltered and keeps it in a safe place. Validating source code before placing it in escrow is an important part of the process. This gives the user confidence that a functional copy of the software can be recreated if necessary in the future.
We recently hosted an in-depth webinar on software escrow verification. During the webinar, verification experts Will Franks and Dave Bamber answered many of our customers’ most frequently asked verification questions. Here we share a summary of those answers and a short video response.
What are the risks of not verifying an escrow deposit for software source code?
Source code is like a jigsaw puzzle. There are many pieces and they all have to work together. In addition to the actual source code, supporting materials such as build instructions, custom tools, environment and configuration details are required. Putting source code in escrow is one thing. Knowing how to build it is another thing altogether. An accurate and updated build guide must be submitted with your deposit.
A thorough examination of the materials gives users of the technology (also known as licensees or escrow beneficiaries) a guarantee that they can read, recreate, and maintain the developer’s technology internally if the deposit is released, essentially “stepping into the shoes” of the vendor. The big risk of not validating the escrow deposit is that the source code may become unusable in future releases.
How does software escrow validation support ongoing continuity for critical applications?
There are two main deliverables from the validation exercise. The first is the deposit itself and the second is a detailed report explaining all the details of the process.
As part of a business continuity plan, validation ensures that software users have all the information they need to recreate their applications. It also involves observing the transition from source code to a working application.
What are some validation best practices?
These are some of the best practices to consider when it comes to validation and determining the best level of validation for your application.
- Validation Frequency – We recommend that you repeat validation whenever the vendor makes a significant update to your application’s source code.
- Required Level of Verification – Different levels of verification are available. You should choose a level that aligns with your exit strategy, relevant regulations, risk appetite and importance of the software.
- Post-exercise output review – lessons learned, knowledge gaps, material accumulation, remediation.
- Embed verification into future software procurement and approach it systematically.
- Determine which party will bear the cost of the verification exercise.
- Emphasized exit plan.
How can validation help mitigate cloud migration risk?
Software source code verification reduces risk when migrating to cloud-based applications. Overall, we look at how the software is put together. This can include elements such as group-level access credentials and replicated tenancies to infrastructure, hosting and cloud environments. We make sure everything is complete and correct and can be incorporated into a working system.
How can I use validation to demonstrate regulatory compliance?
Validation can support regulatory compliance requirements for third-party outsourcing, such as the UK’s PRA regulations. It does this by:
- Providing an independent guarantee to protect your investment.
- Ensuring ongoing continuity of critical applications.
- Reducing the risks associated with moving to the cloud.
- Helping demonstrate regulatory compliance.
We hope that the answers in this Q&A and short video have been helpful as you consider software escrow verification services.