Compliance

Code Owners can help you satisfy the requirements of the most widely recognized standards and certifications in the IT industry.

SOC 2

Requirements

A important aspect of the certification is to enforce reviews by engineers not responsible for the creation of the changes.

How Code Owners helps?

With Code Owners you can ensure that a given number of knowledgeable engineers that are not the author of the changes review and approve code changes by:

• adding groups of skilled and context-aware engineers as code owners for each part of the code base

• adding merge checks to ensure a given number of code owners have approved a Pull Request before it can be merged (excluding the author)

OWASP Top 10

Requirements

As part of the recommendations provided to avoid the Top 10 most common security risks, OWASP provides recommendations for code reviews including the in-depth review of high risk code by reviewers that have “the correct security context when reviewing the code” and “the necessary skills and secure coding knowledge to effectively evaluate the code”.

How Code Owners helps?

With Code Owners you can ensure that a given number of engineers either from a skilled core security team (for teams that apply security models like BSIMM or OpenSAMM) or from a group of engineers with secure coding knowledge and context review and approve code changes by:

• adding groups of engineers from the code security team as code owners for all parts of the code base so they need to sign off all changes

• adding groups of skilled engineers as code owners for parts of the code base where they are most knowledgeable to effectively review the changes

• adding merge checks to ensure a given number of these code owners have approved a Pull Request before it can be merged

Checklists
The OWASP guide to code reviews also recommends to define checklists to ensure that a series of security practices are always considered during code reviews (and document that reviewers have validated them). You can use our application Pull Request Checklist Buddy to complement Code Owners by creating context-based checklists for all your pull request reviews.

PCI DSS (requirement 6.3.2)

Requirements

The PCI DSS requirements include among other items, the following:

• Code changes should be reviewed by people other than the source code author and those who are familiar with code review techniques and secure coding practices.

• Code review results should be reviewed and approved by management before they are published.

How Code Owners helps?

With Code Owners you can ensure that a given number of knowledgeable engineers that are not the author of the changes review and approve code changes by:

• adding groups of skilled and context-aware engineers as code owners for each part of the code base

• adding merge checks to ensure a given number of code owners have approved a Pull Request before it can be merged (excluding the author)

With Code Owners you can also ensure that all Pull Requests are validated by a management individual by:

• adding him/her as a code owner for all code changes

• require his/her approval in merge checks

Checklists
The OWASP guide to code reviews also recommends to define checklists to ensure that a series of security practices are always considered during code reviews (and document that reviewers have validated them). You can use our application Pull Request Checklist Buddy to complement Code Owners by creating context-based checklists for all your pull request reviews.

SAFECode - Software Integrity Control

Requirements

The Software Integrity Control recommendations of the SAFECode stresses the importance of peer reviews for security testing on top of automated testing. The use of code path to ensure optimal coverage of the code base and relevant peer review is also mentioned.

How Code Owners helps?

With Code Owners you can ensure that peer reviews by engineers from specific teams based on the path of the code changed are enforced by:

• adding groups of skilled and context-aware engineers as code owners for each part of the code base based on code path

• adding merge checks to ensure a given number of code owners have approved a Pull Request before it can be merged (excluding the author)