Switch To Mobile Version

Source code: compromise the way to go

September 9th, 2016, Published in Articles: EE Publishers, Articles: EngineerIT

by Guy Krige, Escrow Europe

 

esorow-179-09-2016
A recent article in an American publication highlighted a problem facing chief information officers (CIOs) worldwide. In fact, TechLaw called this problem a “nightmare” and wished the CIO all the best of luck attempting to explain why his company’s sweet dreams had turned.

The piece went a little like this: “Here’s a nightmare you’ll wish would end with you waking up. Your company spends $500 000 to license some software. Then the company you paid goes bankrupt. Now you have $500 000 worth of orphaned software. We’ll take a rain check on being you while you’re explaining this one to the board”.

Here’s a more detailed explanation of the problem of this “orphanware”, and a simple yet effective solution.

The problem

When a company licenses software, it often gets a licence to use the machine-readable object code but not access to the source code.

The difference between the two codes is vast: machines read object code, any changes that need to be made to a system must be done using the source code, which is the only computer code humans can read.

If the developer goes bankrupt or refuses to support the software, the only way the licensee company can hire its own programmer to fix any glitches and make any changes or enhancements needed, is if it have access to the source code.

But, here’s the rub. Developers don’t easily part with their source codes because they perceive it akin to giving Robin Hood the keys to the Tower of London.

A solution

There is, however, a compromise which means that developers don’t have to part with their source codes unless absolutely necessary, yet gives licensee companies peace of mind that, when it becomes necessary, they will be able to get their hands on that source code.

The compromise is active software escrow. Under an escrow agreement, the supplier and end-user of the software product agree that the source codes of the vital software product and related documentation are deposited with a neutral third party – the escrow agent – who is authorised to release the materials to the end-user under conditions as agreed by the supplier and the end-user in a written agreement.

Such conditions may relate to operational risk, technical malfunction or even failure of the supplier who tailored and contextualised the software to the end-user’s business requirements.

The key objectives of escrow are:

  • Continuity of use of the software by the end-user under circumstances where that would be impossible without escrow.
  • Safeguarding the underlying business process.
  • Protection of end-users’ investment in the software, related hardware and staff training.
  • Limiting the end-users’ total dependency on supplier for support and maintenance of the software.

There’s another consideration. A passive approach to escrow or intellectual property custodianship involves passive custodians (such as banks, notaries, legal firms) that may physically “hold” a copy of the software, source code and documentation et al, but these custodians do not warrant that it is the correct or up-to-date versions.

Unfortunately, nine out of ten traditional unverified source code deposits held in escrow by passive custodians such as banks and attorneys, are useless. They are therefore unable to meet the requirements of the IT component of the company’s business continuity plan should the original software supplier no longer be in a position to continue to support the system it provided.

However, with active escrow, the escrow agent verifies the property held at least once a year to warrant that the deposit contains what the supplier has committed to lodge so as to provide proper reassurance that it is up-to-date and usable.

For example, Escrow Europe offers three levels of technical verification and reporting depending on how mission-critical the client considers the business application to be.

Inevitably, there are numerous CIOs and their boards who do not believe they need to invest in escrow.

They should ask themselves some questions and consider the consequences certain events may have on the financial success, let alone continuity, of their business:

  • Is the technical or IT know-how it uses everyday critical to its business processes?
  • Is this know-how not easily replaceable by an alternative?
  • Is the conversion to an alternative too costly or too lengthy?
  • What if the company that developed and now maintains one of the business- critical software applications becomes insolvent?
  • What if the company that developed and maintains critical software applications is taken over by a competitor and changes business direction?
  • A virus or hacker destroys critical operational software?

Contact Guy Krige, Escrow Europe, Tel 021 852-9365, guy.krige@escroweurope.co.za

 

Related Tags

Related Articles

  • South African Government COVID-19 Corona Virus Resource Portal
  • Ministerial determinations propose 13813 MW of new-build by IPPs, none by Eskom
  • Crunch time for South Africa’s national nuclear company, Necsa
  • Dealing with the elephant in the room that is Eskom…
  • Interview with Minerals & Energy Minister Gwede Mantashe