transmissions from a free roaming agent of kaos: Software Escrow Services

02 November 2009

Software Escrow Services

Had quite a discussion with NCC the other day about software escrows. The net result was that software escrows might as well be a dinosaur with respect to Internet gaming.

Often in a contract you might require a vendor to escrow their software in case the vendor suddenly disappears. On the surface this seems sensible, but lets take a closer look.

Reasons to not use an escrow service:

How does the customer verify that the auditing firm has the correct version of software?
How frequently does the vendor update the auditor with new software? As frequently as the software is updated in the production environment?
A lot of software for web based systems is interpretive (ASP, Java, PHP). You have working source code on your production systems already.
Also the working environment you have... works. You have no guarantee that whatever is with the escrow service actually works.
Say the escrow service takes in regular snapshots of the vendors source base. What about all the build, configuration, and deployment tools required to create a working production system? What about related documentation?
How many vendors have you worked with in your career that have suddenly disappeared? Even if they did, likely someone will still be around to make a few quid and offer you the source.
Escrows are sold via sales FUD, which should generally indicate you don't need them.
They cost money that could be better spent on pizza (A LOT of pizza) for the IT team

One possible reason might be that you are dealing with a two-guys-and-a-dog software company and they really could disappear tomorrow. Will a company like that really have the time to play nice with a big-boys escrow service? Unlikely. If the software their supplying isn't interpretive code (e.g., big C++ poker server application) then you ought to think about buying the source and having the vendor build the image on your systems. Or only buy software with interpreted code (Java, PHP). There should be a practical/commercial approach that is much more suitable that an escrow service in this case.

Regardless, if you have an operating system in production, the source likely isn't immediately needed.

And if there was a loss of vendor, followed quickly by a catastrophic systems failure, what good is the source going to do you? It's likely you need the expertise behind the source.

I came up with three reasons why we might work with a company like NCC:

A customer of ours insists the third party elements of our software stack have the source code held by an escrow company
Our statutory auditor advises our board that an escrow service is a really good idea (NB: look for new statutory IT auditor).
A cheap way to acquire source if you thought the vendor was likely to fail (although this sounds more like a Sith mind trick!).

Conclusion: Don't bother with software escrow services.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Why this Blog?

I write a lot. I write to get my head around a subject. I write about technology I figure out and use. I write "how we're going to do things" in email and documents to provide advice, guidance, policy and leadership for IT. At some point I realized that most of what I wrote was not proprietary and I was repeating myself as new people joined the team and repeating similar situations. So while my postings are mostly just common sense, it does help me figure things out, give me a stock set of thoughts and "how-to" for future reference and maybe even someone else might find value in them as well.

Views expressed on this website are my own and may or may not reflect the views of my employer.

I reserve rights to all content appearing in this blog if I'm the one that wrote it.