Security Checkpoints In Your SDLC?

November 30, 2015 Jacob Ansari

My SOC 2 auditor says that we must include security checkpoints in our SDLC. If we have a really good security process in place and review the code for security issues, why do we still need segregation of duties?

Because application security only works when it is integrated with the broader security context of your environment. A user or system account that can reach both production and development increases the attack surface of your environment and enables attacks that may have nothing to do with unauthorized changes to production code. Secure code review catches defects in what is written; segregation of duties limits what a single compromised or misused identity can do across environments.
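One concrete way to act on this is to check an access-review export for identities that hold grants in both development and production. The script below is an added example, not code from the original post or from Schellman; the assignment rows are constructed sample data, and the environment names, the `exceptions` allowlist, and the tuple layout are assumptions about how such an export might look.

```python
"""Segregation-of-duties check: flag identities that span dev and prod."""
from collections import defaultdict

# Constructed sample data (not from any real system): one row per
# (identity, environment, role) grant, as exported from an access review.
SAMPLE_ASSIGNMENTS = [
    ("alice",     "dev",     "developer"),
    ("alice",     "prod",    "deployer"),   # human account spanning dev and prod
    ("bob",       "dev",     "developer"),
    ("carol",     "prod",    "operator"),
    ("ci-runner", "dev",     "build"),
    ("ci-runner", "prod",    "deployer"),   # shared service account spanning both
    ("dave",      "staging", "tester"),
    ("dave",      "prod",    "reader"),     # staging is neither dev nor prod here
]

# Assumed environment labels; adapt to whatever your inventory uses.
DEV_ENVS = frozenset({"dev", "development"})
PROD_ENVS = frozenset({"prod", "production"})


def find_sod_violations(assignments, dev_envs=DEV_ENVS, prod_envs=PROD_ENVS,
                        exceptions=frozenset()):
    """Return {identity: {"dev": [grants], "prod": [grants]}} for every
    identity holding at least one dev grant and at least one prod grant.

    `exceptions` is an allowlist of identities with a documented, approved
    reason to span environments (for example a break-glass account); they
    are skipped so the report only shows unreviewed findings.
    """
    grants = defaultdict(lambda: {"dev": set(), "prod": set()})
    for identity, env, role in assignments:
        if env in dev_envs:
            grants[identity]["dev"].add(f"{env}:{role}")
        elif env in prod_envs:
            grants[identity]["prod"].add(f"{env}:{role}")
        # Other environments (staging, test) do not count toward the check.

    violations = {}
    for identity, sides in grants.items():
        if identity in exceptions:
            continue
        if sides["dev"] and sides["prod"]:
            violations[identity] = {side: sorted(g) for side, g in sides.items()}
    return violations


def format_findings(violations):
    """Render findings as one line per identity for an audit evidence file."""
    lines = []
    for identity in sorted(violations):
        dev = ", ".join(violations[identity]["dev"])
        prod = ", ".join(violations[identity]["prod"])
        lines.append(f"{identity}: dev[{dev}] AND prod[{prod}]")
    return lines


if __name__ == "__main__":
    for line in format_findings(find_sod_violations(SAMPLE_ASSIGNMENTS)):
        print(line)
```

Running it against the sample flags both the human account and the shared CI service account; the service account is the case teams most often overlook, since a pipeline identity that can both build from development and deploy to production is exactly the kind of span the answer above warns about.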

About the Author

Jacob Ansari

Jacob Ansari is a Manager at Schellman. Jacob performs and manages PCI DSS assessments. Additionally, Jacob oversees other Payment Card Industry assessment services, namely PA-DSS and P2PE. Jacob’s career spans fifteen years of information security consulting and assessment services, including network and application security assessments, penetration testing, forensic examinations, security code review, and information security expertise in support of legal matters. Jacob has performed payment card security compliance assessments since the payment card brands operated their own standards prior to the advent of PCI DSS. Jacob speaks regularly to a variety of audiences on matters of information security, incident response, and payment card compliance strategy.
