DevX SOC 2 compliance

[taylorsperry]

Problem to solve

Achieving SOC2 compliance is a company-wide priority; failure to do so could cost millions of dollars in missed deals. The DevX team is responsible for the following controls:

• GN-98: Sourcegraph has a formal software development life cycle methodology and supporting procedures to help manage application and infrastructure changes.
• GN-104: Code changes are systematically required to be peer-reviewed and approved prior to merging code into the main branch.
• GN-105: Application and infrastructure changes are required to undergo functional, security, unit, integration, smoke, regression, and SAST testing prior to release to production.
• GN-106: Sourcegraph uses a continuous integration and delivery tool to help ensure a consistent build, test and deploy process. Software changes are systematically required to complete all steps within the continuous integration tool workflow prior to production deployment.

Measure of success

• GN-98: We have documentation that describes the SLDC in its entirety.
• GN-104: Any PR that has been merged to main without a peer review is documented.
• GN-105 and GN-106: An auditor can point to how a given PR was tested and passed CI. In the case of an exception to the normal testing process, the auditor sees documentation of the exception.

Solution summary

Gather information about where our process are today, identify and find solutions for gaps, and update documentation accordingly. Leverage the DevX SOC2 documentation Notebook to make it easy to find information about how Sourcegraph addresses these controls.

Artifacts:

• SOC2 Overview and Plan
• GN-98: Sourcegraph SDLC
• RFC: 568 Testing process to ensure SoC2 compliance (GN-105)

What specific customers are we iterating on the problem and solution with?

Sourcegraph security and infrastructure teams

Impact on use cases

SOC2 compliance is aligned with the overarching goal to scale our business.

Delivery plan

• [x] GN-98 Add complete SDLC to the handbook
• [x] GN-106 Add documentation to our Continuous Integration page that describes soft failures as temporary exceptions that result from experimental or in-progress work.
• [x] GN-105 Solicit testing process information from infrastructure teams
• [x] GN-104 and GN-105 Require all PRs to include a "Test Plan"
• [x] GN-105 Communicate new requirements to engineering
• [x] Roll out requirements to critical repos

See the tracking issue for this body of work.

[taylorsperry]

@jhchabran Will you please help me flesh this out?

[jhchabran]

@taylorsperry I'm not sure to understand what we want to cover here, do you have some examples in mind? Or are we referring to the fleshed-out list of testing techniques that were referenced in https://docs.google.com/document/d/1lqd8pMrv2oc3XxC8QxT_4aU_o4Q7FEO8OU_tkT5AEMw/edit ?

[jhchabran]

Edit, all good, the plan is accurate 👍

[jhchabran]

Update: we're waiting for feedback from the auditors.

[taylorsperry]

We've received feedback from the auditors and are moving forward with RFC 686, which addresses GN-98 (SLDC) documentation.

[jhchabran]

See https://github.com/sourcegraph/handbook/pull/3947 for a draft impl!

[jhchabran]

See https://github.com/sourcegraph/handbook/pull/3947 for a draft impl!

[jhchabran]

We merged the changes in the SDLC in https://github.com/sourcegraph/handbook/pull/3947, closing this.