
Protect Your Source Code

By Mark Grossman

Whenever your business makes a significant investment in a software license, you have to consider the question: what if the developer goes out of business or refuses to properly support the software? Imagine a million-dollar investment in software and then your developer goes under. How would you maintain the software without them? Could you add features as needed? Could you continue to upgrade your million-dollar investment to keep up with the latest and greatest?

The starting point in answering these questions is for you to understand what it is you licensed. Generally, when you license software, you receive the object code. In plain English, "object code" is code that only your computer can read. Mere humans don't program using object code.

Humans write programs using what's called "source code." "Source code" is simply human-readable code. Generally, you can't do anything about rewriting software code unless you have the source code. Therefore, if your developer goes bankrupt and you don't have the source code, it would be fair to say that you have a disaster in the making.

This problem isn't easily resolved because developers generally won't give you their source code because it's their ultimate trade secret. With the source code, a competitor could steal their work and build on it.

The generally accepted solution is that you and your software developer agree to place the source code in escrow with a trusted third party like DSI Technology Escrow Services (www.ironmountain.com/services/service.asp?svc1_content=6). The deal is essentially that you don't see or have access to the source code unless certain release conditions occur. Typically, these release conditions include things like the developer's bankruptcy or failure to provide support as required by your agreement with them.

There are many factors that you and your technology lawyer need to consider in deciding whether you should escrow your source code. While having that discussion, you also need to consider what type of verification you'll do if you escrow the source code.

"Verification" is something you need to consider because a CD, which is purported to have the source code for your software, is not something you can hold up to the light, like your parents' old Super 8 movies, and say, "Yup, it's the source code."

The fact is that when your escrow company receives what it thinks is the source code, it has no way of knowing what's on the media (like a CD) without going through some kind of verification process. Typically, verification is an additional service escrow companies would like to sell you - and that you should buy.

Could you imagine this scenario? You choose the vendor. Your company invests lots of money in licensing software from them based on your decision. Then, the company goes into bankruptcy. Your personal stock in the company is losing value because, "You chose them and it's your fault."

Ah, but you have your ace in the hole. You escrowed the source code!

So now, you request a release from escrow. You receive your source code. You stick the disk in your CD drive and you find Bugs Bunny cartoons playing on your computer where source code should be. Oops. At this point, I'm glad I'm not you and I'd suggest that you dust off that resume.

The point is that you have no way of knowing what's on that disk without verification. My take on verification is that it's not worth doing an escrow without at least some minimal form of verification.

According to John Boruvka, Vice-President and General Manager of DSI Technology Escrow Services, "About 80% of verifications fail."

Think about that statistic for a moment. It means that you only have a one-in-five chance of your escrowed source code working right when and if you need it. That is precisely why you need to verify!

Verification is a time-consuming process that will cost several thousand dollars at a minimum. Your actual cost will vary depending on things like the complexity of the software and the degree of verification you want.

Most escrow companies offer varying levels of verification with increasing cost. A basic verification might include things like confirming the program content, reading the media, identification of third-party libraries and virus scanning.

At its most intense level, verification is a series of tests on your premises that validates that the source code is actually the source code for the software you use and that you have everything you need to deal with a disaster like your developer's bankruptcy. Here, your costs escalate because of the labor-intensive nature of this process.

There is no single right answer to the question: what level of verification do you need? It's a complex cost-benefit analysis that you must undertake with your IT folks, key end-users within your organization and your tech lawyer.

While an escrow and expensive verification may not be the correct decision every time, not properly walking through the cost-benefit analysis is always the wrong answer.



© Tannenbaum Helpern Syracuse & Hirschtritt LLP
