My SOC 2 auditor says that we must include security checkpoints in our SDLC. If we have really good security process in place and review the code for security issues, why do we still need segregation of duties?
Because application security only works when it's integrated with the broader security context of your environment. A user or system that can span between production and development increases the attack surface of your environment and allows for potential attacks that may have nothing to do with unauthorized changes to production code.
About the Author
Jacob Ansari is a Manager at Schellman. Jacob performs and manages PCI DSS assessments. Additionally, Jacob oversees other Payment Card Industry assessment services, namely PA-DSS and P2PE. Jacob’s career spans fifteen years of information security consulting and assessment services, including network and application security assessments, penetration testing, forensic examinations, security code review, and information security expertise in support of legal matters. Jacob has performed payment card security compliance assessments since the payment card brands operated their own standards prior to the advent of PCI DSS. Jacob speaks regularly to a variety of audiences on matters of information security, incident response, and payment card compliance strategy.More Content by Jacob Ansari