3

I'm working for a software company (offering 99% SaaS stuff) that needs to be SOC 2 compliant – in my understanding simply because the company's clients require it. I've recently been told that (among other things) this means that any and all software that anybody (including developers) install on their work machines needs to be "authorized". So now people are listing the programs they need to do their work.

I don't really know anything at all about SOC 2, but I'm quite sure that a requirement like this would kill a lot of developer productivity, when people who could "authorize" just can't be reached on a Friday night (or whatever), yet some serious work would actually need to be done.

I've already asked what exactly it is that this SOC 2 requires, but unfortunately there was no clear answer. I was told that there are no definitions or anything, just "tons of interpretations".

Does SOC 2 really require (in practice) that developers can't be trusted to choose on their own what programs they can run on their machines?

What alternative strategies are there that poor developers can effectively leverage, in order to try and argue that they would really need to be in control of their development machines?

Pukku
  • 149
  • 5
  • If this isn't the best Stack Exchange site to ask this question ... then what is? – Pukku May 06 '22 at 16:50
  • How much software do you actually need authorized on an ongoing basis? I can do all my work with a handful of applications: Visual Studio, Office, and some libraries. I haven't installed anything new in months. If you're referring to open source, yes: that stuff needs to be vetted. – Robert Harvey May 06 '22 at 17:03
  • Yes, I'm referring to open source as well. As a developer I have issues understanding how I can be trusted to write business-critical code, while some manager is seen more fit to vet the open source thingies I may need (to be as productive as possible). – Pukku May 06 '22 at 19:29
  • I'm a Dev going through a SOC2 audit right now. I don't recall hearing about that particular requirement BUT at my company, developers are not admins on their own machines, and a network guy has to remote in to install any software on my work PC that I need installed. Annoying, but like @RobertHarvey says, how often do you really need to install new stuff on your PC? – Graham May 06 '22 at 19:41
  • I've held a security clearance, security+ certification and studied for the CSSLP. Believe me when I say that, not only should you not be the only one responsible for your software's security, you *don't want to be* the only person responsible. – Robert Harvey May 06 '22 at 19:53
  • Why couldn't it be a fellow developer, similarly as in code reviews? – Pukku May 07 '22 at 05:41
  • @RobertHarvey: did you notive that VS updates nowadays arise every few weeks? – Doc Brown May 07 '22 at 06:59

1 Answers1

9

The requirements for SOC 2 are defined in the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (pdf as of May 2022). This document is a set of very high level requirements that are satisfied by an organization implementing controls. It's an accurate statement that there is room for interpretation - since they apply to many organizations in many different fields, there is some need for organizations to be able to determine the best way to comply with the intent of each requirement. At the end of the day, the controls (processes, procedures, tools, tool configurations, etc.) that the organization puts into place are what get audited and assessed.

Controls around what software is approved for installation on a company-issued device or a device that connects to the company network or stores company (or client) data are probably designed to satisfy requirements around protecting information assets from security events (CC6.1), protecting against threats from outside the system boundaries (CC6.6), restricting moving and removing information to authorized parties (CC6.7), preventing and detecting unauthorized and/or malicious software from entering the system (CC6.8).

The characteristics around requirement CC6.8 in the Trust Services Criteria do specifically call out restriction of software installation, detecting unauthorized changes to system configurations, and having a defined change control process. If I had to pick a specific requirement that was being addressed, this would probably be the one.

There's nothing in SOC2 that says that certain people can't be approved to install software on their own computers. In fact, I've worked for organizations that did allow software developers to have limited administration rights on their company-issued devices for the purposes of installing software development tools. However, there were specific controls in place to limit the people with administrator rights to people who needed to regularly install non-standard software packages, monitor what was being installed, ensuring that installed software was up-to-date, and so on. However, the controls all documented this. Your organization's controls are probably written in a way that doesn't carve out giving software developers the access needed to install software or provide the ability to ensure that the software they are installing is safe and supports ongoing business operations.

It may be a bit annoying, but it's also a bit unusual if someone were to discover on a Friday afternoon that they are missing a key piece of software needed to carry out their work. When I've worked for organizations that do limit administrative access, they tend to compensate by making sure that a wide variety of software development tools are available in a trusted repository and available for easy (perhaps even self-service) installation and regularly refresh this list. Otherwise, you would typically have at least a couple of days lead time between realizing that you need a tool (or a new version of tool) and actually being in a position where you must use it.

Thomas Owens
  • 79,623
  • 18
  • 192
  • 283
  • Great answer, thank you! I think I probably didn't say it clearly enough, but I think that I _am_ in a position where I may be able to affect how exactly these controls are specified – as long as they comply with whatever the auditor may want to see. So will just need to try and get developers as many degrees of freedom as possible, I guess. – Pukku May 06 '22 at 19:20
  • 1
    I worked for an org where everything was very locked down - issued laptops for home use could _only_ use the VPN, USB external drives completely disabled, software updates controlled, etc. etc. _However!_ For software engineers there was an icon on the desktop that, when clicked, and the subsequent dialog agreed to, gave 15 minutes of local admin access - precisely so you could install/update/uninstall any tool you needed. And they didn't really care what you installed as long as it wasn't a VPN buster. Obviously, use of that icon left an audit trail. But it didn't slow you down at all. – davidbak May 07 '22 at 04:45