
swiftcoder, yesterday at 4:59 PM

> Basically their SOC2 (or whatever) says they have to use GitHub

Our SOC2 doesn't specify GitHub by name, but it does require we maintain a record of each PR having been reviewed.

I guess in extremis we could email each other patch diffs, and CC the guy responsible for the audit process with the approval...


Replies

bostik, yesterday at 6:39 PM

Every product vendor, especially those that are even within shouting distance of security, has a wet dream: to have their product explicitly named in corporate policies.

I have cleaned up more than enough of them.

onraglanroad, yesterday at 5:15 PM

The Linux kernel uses an email based workflow. You can digitally sign email and add it to an immutable store that can be reviewed.

sgt, yesterday at 6:26 PM

Does SOC2 itself require that, or just yours? I'm not too familiar with SOC2, but I know ISO 27001 quite well, and there are no PR-specific "requirements" to speak of. But it is something that could be included in your secure development policy.
