The Stack Overflow podcast is a weekly conversation about working in software development, learning to code, and the art and culture of computer programming. Hosted by Paul Ford and Ben Popper, the series features questions from our community, interviews with fascinating guests, and hot takes on what’s happening in tech. Founded in 2008, Stack Overflow is empowering the world to develop technology through collective knowledge. It’s best known for being the largest, most trusted online community for developers and technologists. More than 100 million people come to Stack Overflow every month to ask questions, help solve coding problems, and develop new skills.

Getting through a SOC 2 audit with your nerves intact

March 23, 2022 00:26:03 25.0 MB Downloads: 0

Once a company reaches a certain size, their customers might start asking for proof that it has good security and data habits. They want to know if there’s a business continuity plan in place in case disaster strikes. For many companies, formalizing this proof means submitting to an auditing process known as SOC 2. If you’re a developer at one of these companies, particularly if you provide or use SaaS applications, you’ll end up having to implement the controls these audits require. 

On this sponsored episode of the podcast, Ben and Ryan talk with James Ciesielski, CTO and co-founder, and Megan Dean, information security and risk compliance manager, both of Rewind. We talk about how you can prep for and successfully get through a SOC 2 audit, how backing up your SaaS data can provide business continuity, and the benefits of establishing a relationship with your auditor. 

A SOC 2 report shows your customers the level of security controls that you have in place. It’s based on the auditing standards set by the American Institute of Certified Public Accountants. You tell them what controls you have in place and they verify it. Once a company starts attracting enterprise-level customers, a SOC 2 becomes a must-have. 

Companies perform SOC 2 audits using a variety of tools: sometimes it’s purpose-built SaaS tools; sometimes it’s a cascade of spreadsheets. Ultimately, what’s important is providing an audit trail for your controls, a record that proves that your security does what you claim it does. Trust, but verify. 

The process can grow complicated, as companies can have 100 to as many as 300 SaaS applications running in their business. That’s a lot of important business data on someone else’s cloud. Many of these SaaS applications operate data on the shared responsibility model: they ensure the service is available and secure, and you ensure that your data is accurate and secure. 

A key part of these security controls is disaster recovery and business continuity. Imagine that you’re using a SaaS application to track your audit process. What happens if a disgruntled employee wrecks your data, or your cat walks over your keyboard, hitting just the right combination of keys to delete something important? Or what if you unwittingly get flagged on a T&C violation and get deplatformed? Your audit trail could be lost if you haven’t upheld your end of the shared responsibility model and backed up your data. 

Ultimately, having experts who know the process can help. Your auditor, too, can be a resource, so get to know them. They want you to succeed. They want to help you improve your audit process because it makes their lives easier.