by tptacek 1441 days ago
It's frustrating because the supercilious "what, you don't do code review!" comments the post attracted put me in the position of having to explain that we do in fact do code review, like every other mature dev shop, but that cuts against the point the post is making, which is that SOC2's understanding of code review is black-and-white and complicated dev projects have occasionally complicated dev processes --- and, importantly, your dev process can and should win the argument with the SOC2 auditor.

The third party dependency point is the best rebuttal I think you could come up with. It's exactly right: in the SOC2 view of how code works, you can't commit a 3rd party dependency without every line of its code being reviewed and approved. Nobody does that. It was my job for 15 years to do that for other people, and nobody came close to 100% coverage. Or 50%. SOC2 demands that you pretend you're achieving that. That's stupid. We're not doing stupid stuff for SOC2.

I reserve the right to be unproductive and standoffish with people going out of their way to misconstrue what this post is saying. I'm grateful that other people can contribute the productivity instead. Thank you!