Every product vendor, especially those that are even within a shouting distance from security, has a wet dream: to have their product explicitly named in corporate policies.
replyI have cleaned up more than enough of them.
The Linux kernel uses an email based workflow. You can digitally sign email and add it to an immutable store that can be reviewed.
replyDoes SOC2 itself require that or just yours? I'm not too familiar with SOC2 but I know ISO 27001 quite well, and there's no PR specific "requirements" to speak of. But it is something that could be included in your secure development policy.
replyYeah, it’s what you write in the policy.
replyAnd it's pretty common to write in the policy, because its pretty much a gimme, and lets you avoid writing a whole bunch of other equivalent quality measures in the policy.
reply