
SOC 2 Compliance

These rule examples help your developers write safe code and stay compliant with SOC 2 standards. Use them as inspiration for your own guideline repository.

## Secure Data
- Ensure that session tokens are securely generated, stored, and expire after a reasonable period of inactivity.
- Encrypt data at rest: Ensure all sensitive data is encrypted using strong algorithms (e.g., AES-256) when stored in databases or file systems.
- Use appropriate cryptographic standards: Avoid weak or outdated primitives such as the MD5 and SHA-1 hash functions in favor of SHA-256 or stronger. Note that a fast hash such as SHA-256 is still the wrong tool for storing passwords; use a dedicated password hashing function (e.g., Argon2id or bcrypt) for that purpose.
- Use Transport Layer Security (TLS) to encrypt all communication between systems, APIs, and third-party services.
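The session-token rules above (and the invalidation rule under Secure Code) describe one lifecycle: generate the token from a CSPRNG, store only a strong hash of it, expire it after inactivity and after an absolute lifetime, and drop it on logout. The following is an added example, not code from the original page; the in-memory store, the `FakeClock` helper, and the timeout values are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values (hypothetical; take yours from your own control set).
IDLE_TIMEOUT_SECONDS = 15 * 60            # invalidate after 15 minutes without activity
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60   # and unconditionally after 8 hours


@dataclass
class SessionRecord:
    user_id: str
    created_at: float
    last_seen_at: float


def hash_token(token: str) -> str:
    """Only a SHA-256 digest of the token is stored, so a leaked session table
    does not hand out usable tokens. MD5/SHA-1 would not be acceptable here."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    """In-memory session store (constructed for this example; a real deployment
    would back this with a database or cache, keyed by the same digest)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, SessionRecord] = {}

    def create(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG (256 bits of entropy), URL-safe encoded.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[hash_token(token)] = SessionRecord(user_id, now, now)
        return token  # the raw token goes to the client once; only its hash is kept

    def resolve(self, token: str) -> Optional[str]:
        """Return the user_id for a valid token, or None. Expired sessions are
        deleted on the way out so they cannot be revived later."""
        key = hash_token(token)
        # A plain dict lookup on the digest is fine: any timing leak would be on
        # the SHA-256 value, which an attacker cannot invert to obtain the token.
        record = self._sessions.get(key)
        if record is None:
            return None
        now = self._clock()
        idle_too_long = now - record.last_seen_at > IDLE_TIMEOUT_SECONDS
        too_old = now - record.created_at > ABSOLUTE_LIFETIME_SECONDS
        if idle_too_long or too_old:
            del self._sessions[key]
            return None
        record.last_seen_at = now  # sliding idle window
        return record.user_id

    def logout(self, token: str) -> bool:
        """Invalidate the session server-side; returns False if it was not live."""
        return self._sessions.pop(hash_token(token), None) is not None


class FakeClock:
    """Assumed test helper so the expiry rules can be exercised without sleeping."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    tok = store.create("alice")
    print("live:", store.resolve(tok))
    clock.t += IDLE_TIMEOUT_SECONDS + 1
    print("after idle timeout:", store.resolve(tok))
```

Because only the digest is persisted, the token value itself never appears in a database dump or a log line, and because expiry is enforced at lookup time, a token that sat unused past the idle window is rejected even if the client still presents it.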

## Secure Code
- Validate all user inputs server-side using an allow-list approach (accept only known-good patterns and reject the rest) to avoid injection attacks. Client-side validation may be added for usability, but it is trivially bypassed and is never a security control on its own.
- Use the correct defense for each sink: parameterized queries (prepared statements) for SQL, context-aware output encoding for XSS, and library calls that take argument lists rather than shell strings for command execution. Escaping or sanitizing input is a secondary layer, not a replacement for these.
- Never hardcode sensitive data (e.g., passwords, API keys, database credentials) in source code. Use environment variables or secure vaults.
- Ensure that error messages do not expose sensitive information (e.g., stack traces, SQL queries). Return generic error messages to users and log detailed errors securely.
- Session and token invalidation: Ensure that sessions and tokens are invalidated properly upon logout or after a period of inactivity.
- API security: Ensure that all APIs are properly authenticated, encrypted, and rate-limited.
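The validation, injection, and error-message rules above can be seen together in one request handler. The following is an added example, not code from the original page; the `sqlite3` in-memory table, the sample rows, the username pattern, and the handler names are assumptions constructed for this illustration. The vulnerable lookup is included only to show what the parameterized version prevents.

```python
import logging
import re
import sqlite3
from typing import Any, Dict, List, Tuple

log = logging.getLogger("secure_code_example")

# Allow-list: assumed username policy for this example. Anything outside the
# pattern is rejected outright rather than "cleaned up".
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(value: str) -> bool:
    """Server-side allow-list check (fullmatch, so no prefix/suffix sneaks by)."""
    return USERNAME_RE.fullmatch(value) is not None


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """VULNERABLE: the input is spliced into the SQL text, so a value such as
    ' OR '1'='1 rewrites the WHERE clause and returns every row."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterized query: the driver sends the value separately from the SQL,
    so the same payload is compared literally and matches nothing."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def lookup_user_api(conn: sqlite3.Connection, username: str) -> Dict[str, Any]:
    """Handler-style wrapper: allow-list first, parameterized query second, and
    only a generic message goes back to the caller. Detail is logged server-side."""
    try:
        if not is_valid_username(username):
            raise ValueError("username failed allow-list validation")
        return {"ok": True, "rows": lookup_safe(conn, username)}
    except (ValueError, sqlite3.Error) as exc:
        # Detailed cause stays in the log; the client sees nothing about the
        # schema, the query, or the stack.
        log.warning("lookup failed for %r: %r", username, exc)
        return {"ok": False, "error": "request could not be processed"}


if __name__ == "__main__":
    db = build_demo_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_safe(db, payload))
    print("handler:", lookup_user_api(db, payload))
```

Running it shows the vulnerable lookup leaking both sample rows for the payload, the parameterized lookup returning nothing for the same string, and the handler refusing it at the allow-list before a query is ever built.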

## Pipelines
- Perform regular automated scans of the codebase and its dependencies for known vulnerabilities using tools like OWASP Dependency-Check or Snyk. Run this check in the deployment pipeline so that findings above an agreed severity fail the build rather than being discovered after release.