Ask HN: Is Compliance at odds with Continuous Delivery?
2 points by micah_chatt 6 minutes ago
Every DevOps/SRE/microservice article or book I've read makes the assumption that CI/CD and developer-driven deployments are the way to go. My SaaS startup is preparing for a SOC2 audit, and a more Waterfall-minded manager is insisting (after going through two SOC2 audits at previous organizations) that production deployments for our core product must:

* have every corresponding task in the "closed" state in JIRA

* be signed off by the manager

* only DevOps engineers should be able to hit "deploy"

* deployments are only every 2 weeks.

How can this be the case, since we have proper controls like

* Pull Requests must pass tests to be merged

* Code review is performed with references to JIRA tickets on every commit/branch

* QA is performed in a staging environment

* Deployments/Rollbacks are automated and logged.

In short, shouldn't developers (or at least senior developers) be able to push deployment updates on their own?
