
Re: Is subversion SOX (sarbanes-oxley) compliant?

From: Frank Gruman <fgatwork_at_verizon.net>
Date: 2005-09-07 19:22:53 CEST

Daniel Berlin wrote:

>On Wed, 2005-09-07 at 12:36 -0400, Joshua.White@hartfordlife.com wrote:
>
>>All,
>>
>>I am trying to put together a case to use subversion instead of PVCS
>>at my company (If you could point me to any resources on this, I
>>would appreciate it!) I have been receiving a lot of push back about
>>subversion having security vulnerabilities. See the following:
>>
>>http://secunia.com/ (http://secunia.com/search/?search=SVN)
>>or
>>http://www.cve.mitre.org/
>>(http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN)
>>
>>As you can expect, managers want our SCM to be SOX compliant. PVCS
>>claims to be SOX compliant. Is subversion SOX compliant?
>
>This question is non-sensible, since SOX is not about what products you
>use, but about the processes and controls in place.
>
>You can certainly be SOX compliant using Subversion, if you wanted to.
>--Dan
Daniel is right. My company just went through a SOX audit a couple of
months ago.

SOX really has no rules about what you can and cannot use as long as you
have the proper access and policy controls in place. This does include
access to intellectual property (software code), and the security
vulnerabilities you mention could have been considered valid at one
time. But those items were all addressed in the code already. The
three listed on mitre.org all referenced items in the 1.0.x line of
code, and all were fixed in early 1.1.x code. So security is definitely
a priority with this product, and they release patches quickly after
finding or being made aware of vulnerabilities. It's software. Someone
will always be able to find a way to exploit it somehow.

If you really want a statement of SOX compliance, create one yourself.
The Good Book details steps to ensure security of the system as well as
ensuring that all changes made to files in that code are tracked.
Backup solutions are recommended. That is the documentation part of
SOX. Now you just need to follow through and implement those
recommendations, and you could very easily be considered SOX compliant.
THAT is the same thing that PVCS is doing.

And as for passing a SOX audit - good luck. My experience is that your
compliance is a subjective decision made by whatever contractor/auditor
comes in to do it. There is no black and white to it.

Hope that helps.

Regards,
Frank
Received on Wed Sep 7 19:24:59 2005

This is an archived mail posted to the Subversion Users mailing list.