by pseudohadamard 37 days ago
As the other respondent says, it's tricky but not impossible. We're a small custom shop, too small to have all the roles required, all of our software is open-source (Github/Codeberg), and we neither store nor process any customer data or PII. Almost every single item that SOC2 and similar are supposed to cover is a bad miss - https://www.youtube.com/watch?v=Utxu7pI8CeU. Not only do most things not apply to us, but some are completely nonsensical, such as what physical and IT security measures we apply to keep our code confidential.

At the moment things look a bit uncertain; we're going to run into more and more situations like this, but hopefully lawmakers will also eventually realise that this stuff just doesn't work for OSS code and orgs.