Firms warned to verify source code when using escrow as compliance drives uptake

Pressure to comply with corporate governance regulations such as Basel 2 and Sarbanes-Oxley is driving demand from IT departments for escrow agreements with software suppliers.

The number of escrow agreements in force has risen by 20% over the past six months, as IT departments take steps to ensure they will still have access to vital source code if suppliers go out of business, according to escrow specialist the NCC Group.

There has also been a dramatic rise in the number of IT departments insisting that suppliers not only lodge source code into escrow, but that the source code is verified and tested.

"In the past year we have heard much more about the legislative requirements relating to corporate governance. There have been a lot of clients coming to us saying 'I need to take out escrow because I need some way of showing I am taking compliance seriously'," said Jon Leigh, director of escrow solutions at the NCC Group.

Over the last six months of 2004, the number of IT departments requesting that software placed in escrow be tested to ensure that applications can be rebuilt rose by 30%. The figure has more than doubled over the past two years.

Under the NCC Group's verification service, experts can attend the software supplier's site, build the application and test it. They are then able to put not only the source code, but also any batch files, build files and details of the build utilities into escrow to enable IT departments to completely rebuild applications if a supplier goes out of business.

"We have had a full verification service available for three or four years. But what we have seen is an exponential growth in that area," said Leigh.

The verification checks fail 8% of the time, which shows that lodging code in escrow on its own is not enough to guarantee that IT departments will be able to continue to have access to their applications.

"Sometimes suppliers are really bad at building their own product. If you have poor source code you can get into a very bad patch-and-fix culture. When you go back to the source code two years later, you cannot rebuild it," said Leigh.

Among the errors uncovered by the NCC Group are suppliers that have sent in pop CDs rather than program CDs, and back-up tapes that contain errors or are protected by an unknown password.

Problems found in escrow software

  • Software suppliers submitted a blank disc rather than source code
  • One software supplier's back-up script contained errors, which were not spotted until escrow verification
  • One supplier could not find the source code to submit it
  • Personal e-mails and confidential memos, including details of which staff were to face redundancy, have been found on discs sent for escrow
  • Discs containing computer games, such as Doom, Duke Nukem and Leather Goddesses of Phobos, have been sent in for escrow
  • Suppliers lock software with a password, then forget the password

Source: NCC Group
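The verification service described above, and the list of failed deposits that follows it, amount to a checklist: is the deposit empty, is it program code rather than media, are any archives locked with a password nobody holds, and can the application actually be rebuilt from the build files supplied. The script below is an added example of such a deposit check, written for this page; it is not NCC Group's tooling, and the file-suffix lists, the `build.py` build step and the sample deposits it constructs are all assumptions made for illustration.

```python
"""Escrow deposit verification (added example, not NCC Group's tooling)."""
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile
import zipfile

# Assumed conventions: what counts as source, and what counts as a build file.
SOURCE_SUFFIXES = {".c", ".h", ".py", ".java", ".cs", ".go", ".js", ".sql"}
BUILD_FILES = {"Makefile", "build.sh", "build.bat", "build.py", "pom.xml"}
ENCRYPTED = 0x1  # general-purpose flag bit 0 in zip headers marks encryption


def sha256_file(path):
    """Hash a file for the deposit record, so a later release can be checked."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_deposit(deposit_dir, build_cmd=None, expected_artifact=None):
    """Return (findings, manifest); an empty findings list means the deposit passed."""
    findings, manifest = [], {}
    for root, _, names in os.walk(deposit_dir):
        for name in names:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, deposit_dir)] = sha256_file(path)
    if not manifest:
        return ["deposit is empty (blank disc)"], manifest
    for rel in manifest:  # archives that need a password nobody lodged
        if rel.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(os.path.join(deposit_dir, rel)) as zf:
                    if any(i.flag_bits & ENCRYPTED for i in zf.infolist()):
                        findings.append(f"{rel}: password-protected; password not lodged")
            except zipfile.BadZipFile:
                findings.append(f"{rel}: corrupt archive")
    if not any(os.path.splitext(r)[1] in SOURCE_SUFFIXES for r in manifest):
        findings.append("no source files found (media or games, not program code?)")
    if not any(os.path.basename(r) in BUILD_FILES for r in manifest):
        findings.append("no build file; application cannot be rebuilt from deposit")
    elif build_cmd:
        # Build from a clean copy so nothing on the supplier's machine is relied on.
        work = os.path.join(tempfile.mkdtemp(prefix="escrow-"), "build")
        shutil.copytree(deposit_dir, work)
        try:
            proc = subprocess.run(build_cmd, cwd=work, capture_output=True, text=True, timeout=300)
            if proc.returncode != 0:
                findings.append(f"build failed: {proc.stderr.strip()[:200]}")
            elif expected_artifact and not os.path.isfile(os.path.join(work, expected_artifact)):
                findings.append(f"build produced no {expected_artifact}")
        finally:
            shutil.rmtree(os.path.dirname(work), ignore_errors=True)
    return findings, manifest


def make_sample_deposit(kind):
    """Constructed sample deposits mirroring the cases in the article's list."""
    d = tempfile.mkdtemp(prefix=f"deposit-{kind}-")
    if kind == "good":
        with open(os.path.join(d, "app.py"), "w") as f:
            f.write("print('hello')\n")
        with open(os.path.join(d, "build.py"), "w") as f:
            f.write("open('app.bin', 'wb').write(b'built')\n")
    elif kind == "games":
        with open(os.path.join(d, "doom.wad"), "wb") as f:
            f.write(b"\x00" * 16)
    elif kind == "locked":
        with open(os.path.join(d, "app.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
        open(os.path.join(d, "Makefile"), "w").close()
        path = os.path.join(d, "third_party.zip")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("lib.c", "/* constructed */\n")
        # Simulate a password-protected archive by setting the encryption flag
        # in the local and central headers (the stdlib cannot write encrypted zips).
        with open(path, "r+b") as f:
            data = f.read()
            for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
                i = data.find(sig)
                data = data[:i + off] + b"\x01\x00" + data[i + off + 2:]
            f.seek(0)
            f.write(data)
    return d  # "blank" leaves the directory empty


def verify_sample(kind):
    """Run the checks over one constructed deposit and return its findings."""
    build = ([sys.executable, "build.py"], "app.bin") if kind == "good" else (None, None)
    d = make_sample_deposit(kind)
    try:
        return verify_deposit(d, *build)[0]
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for kind in ("good", "blank", "games", "locked"):
        print(kind, verify_sample(kind) or "OK")
```

The build runs in a fresh copy of the deposit with only the tools the escrow agent has, which is what exposes the patch-and-fix problem Leigh describes: code that only builds on the supplier's own machine fails here, two years before anyone needs it. The manifest of hashes is what the agent records against the deposit so that a release can later be checked against what was lodged.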
