swiftcoder 9 hours ago

> Basically their SOC2 (or whatever) says they have to use GitHub

Our SOC2 doesn't specify GitHub by name, but it does require that we maintain a record of each PR having been reviewed. I guess in extremis we could email each other patch diffs, and CC the guy responsible for the audit process with the approval...

bostik 8 hours ago

Every product vendor, especially those that are even within shouting distance of security, has a wet dream: to have their product explicitly named in corporate policies. I have cleaned up more than enough of them.

onraglanroad 9 hours ago

The Linux kernel uses an email-based workflow. You can digitally sign email and add it to an immutable store that can be reviewed.

sgt 8 hours ago

Does SOC2 itself require that, or just yours? I'm not too familiar with SOC2, but I know ISO 27001 quite well, and there are no PR-specific "requirements" to speak of. But it is something that could be included in your secure development policy.