Had quite a discussion with NCC the other day about software escrows. The net result was that software escrows might as well be a dinosaur with respect to Internet gaming.
Often in a contract you might require a vendor to escrow their software in case the vendor suddenly disappears. On the surface this seems sensible, but let's take a closer look.
Reasons to not use an escrow service:
- How does the customer verify that the auditing firm has the correct version of software?
- How frequently does the vendor update the auditor with new software? As frequently as the software is updated in the production environment?
- A lot of software for web based systems is interpreted (ASP, Java, PHP). You have working source code on your production systems already.
- Also the working environment you have... works. You have no guarantee that whatever is with the escrow service actually works.
- Say the escrow service takes in regular snapshots of the vendor's source base. What about all the build, configuration, and deployment tools required to create a working production system? What about related documentation?
- How many vendors have you worked with in your career that have suddenly disappeared? Even if they did, likely someone will still be around to make a few quid and offer you the source.
- Escrows are sold via sales FUD, which should generally indicate you don't need them.
- They cost money that could be better spent on pizza (A LOT of pizza) for the IT team.
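The first two points above (does the deposit match what is actually running, and how stale is it?) are checkable rather than just arguable, provided you can get a copy of the deposit. The script below is an added example, not something from the original post or from any escrow provider: it builds a SHA-256 manifest of a production tree and of an escrow deposit, then reports what is missing from the deposit, what is only in the deposit, and which files differ. The two sample trees are constructed inside a temporary directory purely for illustration, and the drift they show (a newer app file in production, a deployment script the deposit never received) is made up to match the points in the list.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(production, deposit):
    """Classify the differences between a production manifest and an escrow deposit manifest."""
    prod_keys = set(production)
    dep_keys = set(deposit)
    return {
        # files you run in production that the escrow agent never received
        "missing_from_deposit": sorted(prod_keys - dep_keys),
        # files in the deposit that production no longer has (stale or removed)
        "only_in_deposit": sorted(dep_keys - prod_keys),
        # same path, different content: the deposit is a different version
        "content_differs": sorted(
            k for k in prod_keys & dep_keys if production[k] != deposit[k]
        ),
    }


def deposit_matches(report):
    """True only when every category of drift is empty."""
    return not any(report.values())


def _write_tree(base, files):
    """Create a small directory tree from a {relative_path: text} mapping (constructed test data)."""
    for rel, content in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo():
    """Constructed example: production runs v2 of app.php plus a deploy script; the deposit holds v1 and no deploy script."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "production"
        dep = Path(tmp) / "escrow_deposit"
        _write_tree(prod, {
            "src/app.php": "<?php echo 'v2';",
            "src/lib.php": "<?php // shared library",
            "build/deploy.sh": "#!/bin/sh\necho deploy",
        })
        _write_tree(dep, {
            "src/app.php": "<?php echo 'v1';",
            "src/lib.php": "<?php // shared library",
            "README.txt": "escrow deposit notes",
        })
        return compare_manifests(build_manifest(prod), build_manifest(dep))


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
    print("deposit matches production:", deposit_matches(report))
```

In practice you would run `build_manifest` against the real production tree at each release and keep the result, so that whenever the escrow agent confirms a deposit you can compare manifests without needing the deposit itself on hand. A non-empty `missing_from_deposit` that lists build or deployment tooling is exactly the gap the snapshot point above warns about.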
One possible reason might be that you are dealing with a two-guys-and-a-dog software company and they really could disappear tomorrow. Will a company like that really have the time to play nice with a big-boys escrow service? Unlikely. If the software they're supplying isn't interpreted code (e.g., a big C++ poker server application) then you ought to think about buying the source and having the vendor build the image on your systems. Or only buy software with interpreted code (Java, PHP). There should be a practical/commercial approach that is much more suitable than an escrow service in this case.
Regardless, if you have a system operating in production, the source likely isn't immediately needed.
And if there was a loss of vendor, followed quickly by a catastrophic systems failure, what good is the source going to do you? It's likely you need the expertise behind the source.
I came up with three reasons why we might work with a company like NCC:
- A customer of ours insists the third party elements of our software stack have the source code held by an escrow company
- Our statutory auditor advises our board that an escrow service is a really good idea (NB: look for new statutory IT auditor).
- A cheap way to acquire source if you thought the vendor was likely to fail (although this sounds more like a Sith mind trick!).
Conclusion: Don't bother with software escrow services.