Source Code Security: The Importance of a SOC 2 Type II Compliant SCM Platform

Allison Bokone
Allison Bokone
·
Last updated on May 9, 2024

Shifting software development to the cloud may raise concerns about losing direct control over your source code security. However, selecting a source code management platform with SOC 2 Type II certification should put those concerns to rest. Read on to understand the workings of AICPA SOC 2 and its implications for the security of your source code.

What Is SOC 2 Compliance?

System and Organizations Control is a collection of audits that companies can have performed by external auditors to verify different levels of compliance with security best practices. SOC 1 focuses on internal controls for financial statements and reporting, including how customer information is processed and protected. SOC 2 focuses on internal controls for customer data and how it is handled across five Trust Services Criteria: data security, availability, integrity, confidentiality, and privacy of data. SOC 3 is an official summary of a company’s SOC 2 results which can be marketed to the general public.

Assembla is dedicated to maintaining high levels of compliance and has obtained AICPA SOC Type 2 Certification across all areas of our source code management platform. SOC 2 Type 2 rigorously evaluates an organization’s internal controls over a specified testing period.

What Is SOC 2 Type 2 Compliance?

There are two types of SOC 2 compliance. SOC 2 Type 1 is a point in time audit that describes internal controls and processes and specifies whether the system design is effective. SOC 2 Type 2 is an audit done over an extended period of time (usually 3-12 months) that assesses how internal controls and processes are designed and how they function to specify whether the system operation is effective.

SOC 2 compliance breaks down into five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Security

SOC 2 security covers access controls, change management, systems operation, and mitigating risk. These essential security measures focus on preventing unauthorized access, unauthorized changes, deviations from organizational procedures for operations, and identifying, preventing, and handling risks when they arise.

Availability

Availability refers to service or system uptime. Can users access their data during agreed upon working hours, as set up in the terms of use and service level agreements?

Processing Integrity

For financial transactions, processing integrity ensures that the transmissions are encrypted. For data storage and hosting, companies must show how they maintain data integrity across systems.

Confidentiality

Confidentiality is about restricting access to data, particularly sensitive data such as PII (personally identifiable information). Companies must document their policies and procedures for how they handle data and restrict access to comply with privacy policies and laws.

Privacy

Privacy centers around customer data. What data does a company collect, how is it stored, how is it shared, and what do they do with it?

How Does the SOC 2 Type 2 Audit Process Work?

A SOC 2 Type 2 audits are conducted by a licensed CPA from the AICPA (American Institute of Certified Public Accountants). The first step in the audit is to determine the scope. Of the five Trust Services Criteria, all companies must complete the Security portion for a SOC 2 audit. The remaining criteria – availability, processing integrity, confidentiality, and privacy – are only evaluated if they apply to the processes and data of the organization

Once the scope is defined, the CPA does a gap analysis of the security practices and controls. If gaps are discovered, the CPA provides a remediation plan and works with companies to implement it. The CPA then examines the design and operating effectiveness of the Trust Services Criteria over a period of months. This examination includes talking with company management, reviewing documents, and running tests. Once the necessary period of time for full observation and evaluation has passed, the CPA writes up their findings in a report.

What’s In a SOC 2 Type 2 Report?

The SOC 2 Type 2 report includes a management assertion section, where company management outlines the protocols and controls related to the Trust Services Criteria. The CPA auditor will compare these descriptions against how the systems actually performs in each of the five Trust Services Criteria areas and provide an attestation on the accuracy of the descriptions and that their designs held up over the period of time the audit was performed.

The report also includes a detailed overview of the organization’s services and systems, which should include people, processes, data, software, and infrastructure. Finally, the CPA documents all the tests they conducted during their audit and the results.

Why SOC 2 Type 2 Compliance Is Important for Source Code Management

SOC 2 Type 2 compliance is essential for source code management (SCM) primarily because it assures clients and stakeholders that your organization follows strict security, availability, processing integrity, confidentiality, and privacy standards. Here’s why SOC 2 Type 2 compliance is important specifically for SCM:

  1. Data Security: Source code often contains sensitive information, such as proprietary algorithms, authentication details, or intellectual property. SOC 2 compliance ensures that proper security measures are in place to protect this information from unauthorized access, disclosure, or alteration.
  2. Client Assurance: Many clients, especially those in regulated industries like finance or healthcare, require assurances about the security and integrity of their data. Being SOC 2 compliant demonstrates your commitment to meeting their security needs and can be a significant factor in winning contracts or retaining clients.
  3. Risk Mitigation: Compliance with SOC 2 standards helps mitigate the risk of security breaches, data leaks, or other security incidents that could harm your organization’s reputation and financial stability. By adhering to these standards, you reduce the likelihood of such incidents occurring.
  4. Internal Controls: SOC 2 compliance requires the implementation of robust internal controls and processes for managing and protecting data. These controls not only ensure compliance but also help streamline SCM workflows, improve efficiency, and reduce the likelihood of errors or inconsistencies in code management.
  5. Continuous Improvement: Achieving and maintaining SOC 2 compliance is an ongoing process that encourages continuous improvement in security practices and procedures. This commitment to continual enhancement helps keep your SCM infrastructure and processes up to date with evolving security threats and industry best practices.
  6. Competitive Advantage: SOC 2 compliance can serve as a competitive differentiator, especially in industries where security and data protection are top priorities. It demonstrates to potential clients and partners that your organization takes security seriously and has implemented measures to safeguard their data.

Assembla’s SOC 2 Certification

When customers move their source code to a cloud-hosted solution, they gain the flexibility and scalability the cloud offers without the administration overhead, but they are also giving up direct control of the security and management of their source code. It is important for customers to know the new system is secure and held to the same high standard they had on-prem.

With our SOC 2 Type 2 compliance, your team can rest assured knowing that our systems, processes, procedures, and data function the way we say they do and are secure and reliable across the Trust Services Criteria.

Assembla operates as a subsidiary of Idera, Inc., and the certification and compliance measures of Idera also apply to Assembla. Assembla maintains an equivalent Governance, Risk, and Compliance (GRC) posture, along with corresponding technical and organizational security measures.

A SOC 2 audit institution rigorously evaluated Idera’s internal controls over a specified testing period. It focused on data security, availability, integrity, confidentiality, and privacy of data. The audit concluded with a successful issuance of the SOC 2 Type 2 certification and Assembla therefore obtained the AICPA SOC 2 Type 2 Certification.

Our Commitment to Security

We prioritize the security and reliability of your source code by selecting a source code development platform that protects, audits, and monitors your company’s most valuable assets. For more information, see our Security page.

Start a Free Trial of Assembla

If you’re ready to try cloud-based source code management, start a free 14 day trial of Assembla. Our team would love to talk with you about how a cloud solution can meet your development needs.

Get Source Code Management Tips in Your Inbox
The reCAPTCHA was invalid. try it again.
By registering, you confirm that you agree to the processing of your personal data by Assembla, Inc. as described in the Privacy Statement. Assembla, Inc. is part of the Idera group and may share your information with its parent company Idera, Inc., and its affiliates. For further details on how your data is used, stored, and shared, please review our Privacy Statement.
Allison Bokone
Allison Bokone
Allison Bokone is an instructor at Miami University in Ohio for the Computer and Information Technology department, specializing in process and DevOps. Prior to teaching, Allison worked at Microsoft for 18 years, first as a Technical Writer, then as a Program Manager and Director at Xbox. In her last role she was a regular contributor to MicrosoftGameDev.com.
© 2024 Assembla - All Rights Reserved

Select AWS Region

Pick the region closest to your team for faster performance.

Select AWS Region

Pick the region closest to your team for faster performance.