How GitLab can help you prepare for your SOC 2 audit

Jul 18, 2023 · 5 min read
Julie Byrne

GitLab customers have found that using GitLab as their platform for DevSecOps has simplified the SOC 2 audit process. This blog reviews the SOC 2 standards and GitLab features that help customers with their SOC 2 audit.

Introduction to SOC 2

System and Organization Controls 2, or SOC 2, is a voluntary compliance standard that specifies how organizations should manage customer data. A SOC 2 audit report lets a company provide attestation to the trustworthiness of the software it offers to its business customers.

Developed by the Association of International Certified Professional Accountants (AICPA), SOC 2 focuses on five Trust Services Criteria (TSC):

Security is the only required criterion for every SOC 2 audit. The other criteria can be added to the audit in cases where they are deemed critical to the services being provided.

Security TSC

The security criterion pertains to not only the security of servers and physical systems, but also applications. Software vulnerabilities potentially open up an application to attackers, putting customers' data at risk, but this is an area where GitLab can help.

GitLab provides security scans to identify potential vulnerabilities in the applications a company builds, including the following:

GitLab also provides a vulnerability report, which lists all known vulnerabilities in the current application based on the scans above. In addition, GitLab produces a software bill of materials (SBOM) in the standard CycloneDX JSON format that lists every software-level and operating system-level dependency together with the known vulnerabilities affecting each one.
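An auditor will typically ask for evidence that dependencies are inventoried and that known vulnerabilities in them are tracked. The following added example (not GitLab's code, and not part of the original post) reads a CycloneDX JSON SBOM and produces that evidence: one row per component with the vulnerabilities that reference it and the worst rated severity, plus audit totals. It assumes the CycloneDX 1.4 JSON layout, in which top-level `components` and `vulnerabilities` arrays are linked by each vulnerability's `affects[].ref` pointing at a component's `bom-ref` (commonly the same string as its `purl`). The SBOM document, the package versions and the vulnerability identifiers in it are constructed for illustration and are not real findings.

```python
"""Summarize a CycloneDX JSON SBOM into SOC 2 audit evidence.

Added example, not GitLab's own code. Assumes CycloneDX 1.4 JSON:
top-level "components" and "vulnerabilities" arrays, with each
vulnerability's affects[].ref naming a component's bom-ref / purl.
"""
import json
from collections import defaultdict

# Constructed sample SBOM for illustration: package versions and the
# "EXAMPLE-000x" identifiers are placeholders, not real CVEs or findings.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.0",
         "bom-ref": "pkg:pypi/requests@2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.5",
         "bom-ref": "pkg:pypi/urllib3@1.26.5",
         "purl": "pkg:pypi/urllib3@1.26.5"},
        # Operating-system-level package from the container base image.
        {"type": "library", "name": "openssl", "version": "3.0.8-r0",
         "bom-ref": "pkg:apk/alpine/openssl@3.0.8-r0",
         "purl": "pkg:apk/alpine/openssl@3.0.8-r0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:pypi/urllib3@1.26.5"}]},
        {"id": "EXAMPLE-0002",
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:pypi/urllib3@1.26.5"}]},
    ],
})

# Ordering used to pick the "worst" rating when several sources rate one finding.
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2,
                 "info": 1, "none": 0, "unknown": 0}


def load_sbom(text):
    """Parse the JSON and reject documents that are not CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def highest_severity(vuln):
    """Return the most severe rating attached to one vulnerability entry."""
    ratings = vuln.get("ratings", [])
    if not ratings:
        return "unknown"
    return max((r.get("severity", "unknown").lower() for r in ratings),
               key=lambda s: SEVERITY_RANK.get(s, 0))


def index_vulnerabilities(sbom):
    """Map each component reference to the vulnerabilities that affect it."""
    by_ref = defaultdict(list)
    for vuln in sbom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            by_ref[target.get("ref")].append(vuln)
    return by_ref


def summarize(sbom):
    """One row per component: identity, affecting vuln ids, worst severity."""
    by_ref = index_vulnerabilities(sbom)
    rows = []
    for comp in sbom.get("components", []):
        # Prefer bom-ref, fall back to purl, since tools differ in which they set.
        vulns = by_ref.get(comp.get("bom-ref")) or by_ref.get(comp.get("purl")) or []
        worst = max((highest_severity(v) for v in vulns),
                    key=lambda s: SEVERITY_RANK.get(s, 0), default="none")
        rows.append({
            "name": comp.get("name"),
            "version": comp.get("version"),
            "type": comp.get("type"),
            "vuln_ids": sorted(v.get("id", "") for v in vulns),
            "worst_severity": worst,
        })
    return rows


def audit_totals(rows):
    """Headline numbers an auditor asks for: inventory size and open findings."""
    return {
        "components": len(rows),
        "with_findings": sum(1 for r in rows if r["vuln_ids"]),
        "high_or_critical": sum(
            1 for r in rows
            if SEVERITY_RANK.get(r["worst_severity"], 0) >= SEVERITY_RANK["high"]),
    }


if __name__ == "__main__":
    report = summarize(load_sbom(SAMPLE_SBOM))
    for row in report:
        print(f"{row['name']}@{row['version']}: {row['worst_severity']} {row['vuln_ids']}")
    print(audit_totals(report))
```

The `highest_severity` step matters in practice: a single finding often carries several ratings from different advisory sources, and evidence should be built on the worst of them rather than on whichever rating happens to be listed first.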

Having regular vulnerability scans and robust vulnerability reporting helps satisfy three Security criteria:

A crucial piece of security scans is governance and enforcement. GitLab provides features to ensure that scans are happening regularly and that software development teams are not able to circumvent them. These features include:

With these configurations in place, organizations can prove that software security is a top priority for their applications and security practices are being enforced.

Availability and Processing Integrity TSCs

GitLab can also help with Availability and Processing Integrity TSCs. These criteria focus on the quality and performance of the application itself. To support these criteria, GitLab provides:

While the above software development practices are used early in the software development lifecycle to ensure high-quality, tested code, GitLab additionally provides templates for various types of automated tests for a running application to ensure it is working as expected. These tests include:

By focusing on strong DevSecOps practices with GitLab to build high-quality, secure applications, organizations are able to more easily pass a SOC 2 audit to attest to the security of customer data.

More resources
