My SOC 2 auditor says that we must include security checkpoints in our SDLC. If we have really good security process in place and review the code for security issues, why do we still need segregation of duties?
Because application security only works when it's integrated with the broader security context of your environment. A user or system that can span between production and development increases the attack surface of your environment and allows for potential attacks that may have nothing to do with unauthorized changes to production code.
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.