- Auditing the contents of the escrow significantly increases its usability and the efficiency of the escrow release procedure in defined situations.
- A baseline audit should be performed on virtually every deposit received into custody.
- The audit level can be chosen according to how important the software is to the user.
- An audit can greatly simplify the work on both the vendor and user side of the software implementation process.
Source code auditing includes the following activities:
- inventorying the files in the repository and verifying their integrity
- identification of tools for maintaining and compiling source code
- compiling the product and creating executables
- verifying that the application can be installed and configured
- basic functional testing of the application
- confirming the validity of the source code
Audit levels
Verification of escrow content
This is only a basic check that the escrow content is readable, together with an antivirus scan and validation of any content encryption.
Inventory and analysis of escrow content
This level includes a complete audit of the custody content. It identifies the escrowed source code, software documentation, compilation instructions and the elements necessary to perform the compilation.
Source code compilation
This level tests whether the source code can be compiled from the repository content. A full development environment is created and the stored libraries and modules are checked against the documented compilation procedure. The output is successfully compiled source code.
Binary output comparison
The output of compiling the stored source code is compared with the executable files of the software under custody.
Full functional testing
This is the most comprehensive verification of the contents of the escrow. After the full compilation has been performed, testing of specific software functionality is performed according to specified requirements.
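The inventory and integrity activity and the binary output comparison level above can both be reduced to hash comparisons. The following is an added example (not DEPONEST's own tooling): it checks a deposit directory against a vendor-supplied manifest of SHA-256 hashes, then compares a rebuilt artefact with the deposited executable. The directory layout, manifest format and file contents are constructed for the demo.

```python
"""Escrow deposit audit helpers: manifest verification and binary comparison."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large deposits do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Compare the deposit with the vendor's manifest {relative_path: expected_sha256}.
    Missing or modified files mean the deposit cannot be relied on at release time."""
    actual = inventory(root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "unexpected": sorted(set(actual) - set(manifest)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
    }


def binaries_match(built, deposited):
    """Binary output comparison: the rebuilt artefact must be byte-identical to the deposited one."""
    return sha256_file(built) == sha256_file(deposited)


def demo():
    """Constructed sample deposit (hypothetical, not a real escrow): one file matches the
    manifest, one has a stale hash, one listed file was never deposited, and one file is
    present but unlisted. The 'rebuilt' binary is simulated as identical to the deposited one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_bytes(b"int main(void){return 0;}\n")
        (root / "BUILD.md").write_bytes(b"cc -o app src/main.c\n")
        (root / "app.bin").write_bytes(b"\x7fELF-placeholder")
        manifest = {
            "src/main.c": sha256_file(root / "src" / "main.c"),
            "BUILD.md": "0" * 64,    # stale hash: file changed after the manifest was written
            "src/util.c": "1" * 64,  # listed in the manifest but absent from the deposit
        }
        report = verify_manifest(root, manifest)
        (root / "rebuilt.bin").write_bytes(b"\x7fELF-placeholder")  # simulated reproducible build
        report["binary_match"] = binaries_match(root / "rebuilt.bin", root / "app.bin")
        return report
```

A non-empty "missing" or "modified" list is a finding for the inventory level; a False "binary_match" is a finding for the binary output comparison level.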
Obviously, performing an audit precludes depositing the escrow in secured (encrypted) form, because the source code must be readable by DEPONEST. In this case, therefore, the emphasis is on contractually ensuring the security of the deposited materials.