> Basically their SOC2 (or whatever) says they have to use GitHub
replyOur SOC2 doesn't specify GitHub by name, but it does require we maintain a record of each PR having been reviewed.
I guess in extremis we could email each other patch diffs, and CC the guy responsible for the audit process with the approval...
Every product vendor, especially those that are even within a shouting distance from security, has a wet dream: to have their product explicitly named in corporate policies.
replyI have cleaned up more than enough of them.
The Linux kernel uses an email based workflow. You can digitally sign email and add it to an immutable store that can be reviewed.
replyDoes SOC2 itself require that or just yours? I'm not too familiar with SOC2 but I know ISO 27001 quite well, and there's no PR specific "requirements" to speak of. But it is something that could be included in your secure development policy.
replyYeah, it’s what you write in the policy.
replyAnd it's pretty common to write in the policy, because its pretty much a gimme, and lets you avoid writing a whole bunch of other equivalent quality measures in the policy.
reply