Shane Ryan, manager of
Verification Services for Iron
Mountain’s Intellectual Property
Management group.
business continuity. But there’s a second step that’s
perhaps even more important: the verification and
validation of those source code deposits.
An escrow stipulates that software be released in
accordance with the agreement, but there is no guarantee that the deposited software will be usable. The
deposit could turn out to be incomplete, unreadable,
without compiling instructions, infected with a virus
or worse—like it just doesn’t work.
“One of the leading misconceptions in escrowing is the assumption that the escrow agent is doing
something to technically verify the completeness and
accuracy of the deposit,” says Boruvka. According to
statistics that Iron Mountain compiled from hundreds
of verification tests, the unfortunate reality is that 82
percent of analyzed technology escrow deposits were
deemed incomplete, while an astounding 91 percent
required additional input from the depositor (
developer) in order to compile.
Verification of escrow deposits, though, validates
the completeness and accuracy of software and significantly increases confidence levels in the usability
of that software. So much so, in fact, that 46 percent
of respondents report that they consider it critical or
very important that their escrow agreement includes
the right to perform verification/validation services
by a third party.
One can choose from any number of verification
services, including:
n Cataloging the files contained in escrow and
confirming the ability to read the media
n Identifying the tools needed to maintain the
technology escrow deposit
n Compiling the product and building the
executable code
n Testing the functionality of the compiled deposit
n Confirming the usability of files built when
installed
Verification helps companies avoid certain risks—
for example, the cost associated with replacing
software, disruption in business continuity, lost time,
breach of contract, noncompliance, and consultancy
and court fees.
The survey indicates that IT and business leaders
are taking escrow arrangements to the next level in
terms of verification services; they are most often
validating that necessary files have been deposited.
But respondents are also ensuring that the software
compiles, confirming build instructions and performing usability testing. Other services, such as checking
for the presence of encryption mechanisms around
the code and performing virus scans, are being used,
but with less frequency.
That commitment to validating code deposits is
paying off. Just consider this telling survey finding: The respondents who verify their deposits show
much greater confidence in their escrow applications.
That’s because they know they’ll be able to put that
software to work immediately upon release, with little
or no disruption in business activity.
“If you truly believe that escrowing mission-critical, complex and costly applications is important,
then verification is a logical component of that process,” Boruvka concludes. “Without it, you’re still at
risk, escrow or not.” ▲
KARYN MURPHY is a freelance technology writer based
in Massachusetts.
