
Why Do We Need Software Escrow?

April 17, 2015 by Pierluigi Paganini

The practice of software escrow consists of the deposit of the source code of an application with a third party, indicated as the escrow agent.

Software escrow is usually requested by the buyer, who wants to ensure the continuity of software maintenance over time, even if the software house that developed the application goes out of business or fails to maintain and update the code.

The buyer has two options when acquiring software: he can require the developers to hand over the source code of each up-to-date version they release, or he can require that the source code be deposited with a third party under an "escrow agreement."

The first option is usually not practicable, because software vendors consider the source code of an application a precious asset that can embody corporate secrets, such as the algorithms the code implements.

Business continuity and maintenance of custom software is a critical aspect of the software lifecycle. The operation of an application must be resilient to every kind of event, including the bankruptcy of the company that has developed the software.

The second option is usually more feasible for companies that provide custom software to their clients. It works by depositing a copy of the up-to-date source code with a third-party company, so that the buyer, also known as the licensee, can obtain access to the source code only when maintenance of the software is interrupted for one of the agreed reasons.

The software escrow allows software owners to protect intellectual property rights for their applications, and at the same time it ensures the long-term availability of software.

Of course, the conditions that allow access to the software must be formally defined in a specific contract.

The escrow agreement must involve at least three actors:

  • one or several licensors;
  • one or several licensees;
  • the escrow agent.

The escrow agent is usually a business specialized in providing this kind of service. Its main tasks are the custody of the source code received from the licensor and its release to the licensee only under the specific conditions listed in the escrow agreement.

Figure 1 - Software escrow

The practice of software escrow is suggested in one of the following scenarios:

  • The software used by the licensee supports a vital function of its organization.
  • The software has a direct impact on the revenues of the organization.
  • The application is customized for the licensee's organization and is difficult to replace, because alternative solutions are developed by few vendors and take time to deploy in the organization.
  • The price of the software is particularly high.

The software escrow agreement

There are various options for the formalization of a software escrow agreement. Below is the information typically included in this kind of contract.

Subject and scope of the escrow – The software escrow agreement includes the requests of the licensee over time, which may include the overall code of an application, specific components and/or libraries, the documentation produced by the licensor, and in some cases, the technical specification of a specific hardware running the custom software.

Software escrow conditions – The conditions that must be met for the escrow agent to release the source code to the licensee. The conditions are among the most important sections of the software escrow agreement: they define the circumstances that oblige the escrow agent to release the latest version of the source code provided by the licensor.

Obligations for the licensor – The licensor is obliged to provide the escrow agent with updated versions of the source code every time they become available.

Obligations for the licensee – This section defines the possible use of the source code once released by the escrow agent. It is important to define which operations are allowed to the licensee, such as source code modifications for conservative and evolutionary maintenance. This section also establishes the right of the licensee to resell the software, to allow its modification by third-parties, and to continue independent development of the code.

Obligations and rewards for the escrow agent – In some cases the licensee and the licensor may request the escrow agent to verify the availability of the source code and its proper functioning. The agreement establishes the rewards for the various services provided by the escrow agent.

Benefits of the software escrow agreement

There are various reasons that make it convenient to adopt a software escrow process. The presence of an escrow agent is an incentive for the licensee to invest in the software. On the other hand, the company that developed the software can provide its services without exposing its secrets and intellectual property.

The definition of a software escrow agreement helps the parties plan the evolution of the software over time by establishing responsibilities, even if the licensor goes out of business.

The choice of optional services provided by the escrow agent could help the licensee to certify the evolution of the software and maintain and upgrade functionalities over time. It also gives the licensee the ability to maintain an application in-house indefinitely or gives the licensee the luxury of taking its time until a replacement technology can be identified and implemented with a new vendor.

The adoption of software escrow allows the licensor to protect the intellectual property of the software, even in case of termination of the company. It also improves the reputation of the company, as the organization appears to its licensees to be a reliable business partner. Usually an escrow contract is easy to establish and is cost effective for both licensor and licensee.

Another element to consider is that software protected by a software escrow agreement has a greater value on the market, because in this way developers offer continuity of the application they have developed, over time and through adverse circumstances. In some cases, software covered by an escrow agreement is subject to strict controls operated by the escrow agent, who constantly monitors the software versioning and the proper functioning of the various versions released by the licensor.

By establishing a software escrow procedure, it is possible to prevent the loss of functionality, a circumstance that is particularly dangerous for critical applications or for software that is difficult to test.

Software escrow represents an advantage also for end users, whose investments in software are protected by the continuity ensured by the practice. The escrow also helps end users to ensure business continuity.

Software escrow agreement options

There are numerous companies on the market that provide escrow services with different options. Below are the principal types of escrow agreement available:

Single user software escrow agreement

In this escrow scenario, the escrow agent provides its service for a single licensor and only one licensee. The source code owner provides the application, and related documentation, to the escrow agent. In case of the software owner's demise, the source code can be accessed by the licensee in order to ensure continuity of maintenance and development activities. This kind of software escrow agreement is usually adopted for custom-made applications.

Multi user software escrow agreement

In a multi user escrow agreement, the procedure involves multiple applications and multiple users in different organizations. The source code owner provides the application, and related documentation, to the escrow agent. In case of the software owner's demise, the source code can be accessed by the licensees.

Tailored software escrow agreement

Software escrowing can be customized according to a licensee's needs. The terms and conditions of a software escrow agreement can differ widely based on a number of factors, such as the features of the applications or the reseller channels.

The differentiation for the escrow agreement depends on the roles assigned to the various actors involved in the software lifecycle (i.e. software owner, entities in charge of maintenance, escrow agent).

Example of software escrow procedure

Although a software escrow procedure can be implemented in different ways, there is a minimum set of steps that is common to every scenario. Below are the principal steps composing the escrow procedure:

  • The licensor delivers the source code and other deposit materials (e.g. software documentation) to the escrow agent.
  • The licensor includes an inventory document describing the material under escrow.
  • Once the escrow agent receives the material and the inventory document, it sends a confirmation of receipt of deposit material to both licensor and licensees. Usually the confirmation includes the inventory document.
  • The deposit materials are stored in secure facilities for long term safekeeping for the entire duration of the escrow agreement.
  • The licensor can periodically update the deposit material, including the source code. In this case, a notification is sent by the escrow entity to both licensor and licensee.
  • If the "Release Condition" is met (e.g. the licensor goes out of business or is declared bankrupt), the deposit material is released by the escrow agent to the licensees, who can use it according to the rules established in the software escrow agreement. When a release condition occurs, the licensee requests that the escrow agent release the material. The escrow agent then informs the licensor and, in the absence of an objection, releases the material. Usually a software escrow agreement allows the licensor to raise an objection within a specific period of time. In the case of a licensor's objection, the escrow agent must retain the deposit material until the dispute is resolved. In some specific cases, the licensor and the licensees can agree on a mandatory release procedure for the immediate release of the material once a release condition is met.
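The inventory document and the escrow agent's verification of the deposit are where the integrity of an escrow actually rests: at release time, years after the deposit, the licensee needs evidence that what comes out of custody is exactly what went in. The following is an added illustration, not code from the article or from any escrow provider, of one way to make the inventory machine-checkable. It assumes the inventory is a JSON manifest of per-file SHA-256 digests (the article only says "inventory document"; the hash-manifest format, the directory layout and the sample files are constructed for the example).

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_inventory(deposit_dir, version):
    """Walk the deposit directory and record a SHA-256 digest for every file.

    The returned dictionary is the machine-readable inventory that the
    licensor hands to the escrow agent alongside the deposit materials
    (constructed format; the article does not prescribe one).
    """
    root = Path(deposit_dir)
    files = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            files[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"version": version, "files": files}


def inventory_to_json(inventory):
    """Serialize the inventory deterministically so it can be signed or archived."""
    return json.dumps(inventory, indent=2, sort_keys=True)


def verify_inventory(deposit_dir, inventory):
    """Compare the on-disk deposit with the inventory.

    Returns a sorted list of discrepancies; an empty list means the deposit
    matches the inventory exactly (nothing missing, modified or unlisted).
    """
    root = Path(deposit_dir)
    expected = inventory["files"]
    problems = []
    for rel, digest in expected.items():
        path = root / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            problems.append(f"modified: {rel}")
    # Files present in custody but absent from the inventory are also flagged:
    # the agent should only release what the licensor declared.
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in expected:
                problems.append(f"unlisted: {rel}")
    return sorted(problems)


def demo():
    """Constructed deposit: build an inventory, verify it, then simulate damage.

    Returns (clean_result, tampered_result, number_of_inventoried_files).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (root / "docs").mkdir()
        (root / "docs" / "BUILD.md").write_text("# Build instructions\n")

        inventory = build_inventory(root, "1.0.0")   # at deposit time
        clean = verify_inventory(root, inventory)     # at confirmation time

        # Simulate what a release-time check must catch: a changed file,
        # a lost file and a file nobody declared.
        (root / "src" / "main.c").write_text("int main(void) { return 1; }\n")
        (root / "docs" / "BUILD.md").unlink()
        (root / "extra.bin").write_bytes(b"\x00")
        tampered = verify_inventory(root, inventory)

        return clean, tampered, len(inventory["files"])


if __name__ == "__main__":
    clean, tampered, count = demo()
    print(f"{count} files inventoried; clean check: {clean or 'OK'}")
    print("after damage:", tampered)
```

The agent would run `build_inventory` when the deposit arrives, attach the serialized inventory to the confirmation of receipt it sends to both parties, and rerun `verify_inventory` against the stored inventory on every update and before any release. The check on its own says nothing about whether the code builds or runs; that is the separate "proper functioning" verification the agreement may assign to the agent.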


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.