Software escrow provides a method where a 3rd-party holds a copy of key software source code in trust for a user in the event that the vendor goes bust, or ceases to comply with terms of their license agreement.
The traditional software release model
Most applications that have been around for a while were developed with a waterfall approach. Code updates were made as and when, or strategically due to competitive feature releases. Updates might be expected annually.
Agile development through SCRUM or kanban enabled releases to be made much more frequently – typically 3 or 4 times per year.
Applications used to be monolithic, running native code or Java on Windows or Unix OS. These apps would be run on each endpoint or on servers within the customer’s own datacenter.
The customer’s own IT admin team would evaluate each update and internally pilot before going live to users. They would take the responsibility for rollout and rollback in the event of issues.
Escrow coverage of code discretely released can be clearly and simply explained; copies of the source code for apps are made available for secure storage by a 3rd party, subject to terms of the escrow agreement. Updates must be allowed for and delivered into the storage solution for immediate access in the event of vendor failure.
The brave new world of SaaS
Software escrow companies currently offer assurance to speedily get up and running on an alternate SaaS platform provider, but the next step will be to cover dynamic code release offered through Continous Integration/Continuous Delivery (CI/CD).
Cloud-based delivery of applications in a SaaS model and, more importantly, CI/CD enables developers to merge updates through development, staging and production servers on a daily basis.
Potential customization of applications on a per-customer or regional basis is provided for by CI/CD.
Interdependence on other, cloud-based services and apps, together with 3rd-party developed libraries may also be included in the CI/CD model.
The software itself and associated libraries may be provided under a number of software agreements, commercial and open-source.
CI/CD allows rolling update across cloud servers and full history for rollback in the event of a code update failure/error.
Secure delivery into and recovery from escrow storage must make use of the same CI/CD solution, which may be dependent on key orchestration applications from a number of providers, such as Jenkins, Atlassian Bamboo, AWS CodeDeploy, Microsoft VSTS, etc.