Every software purchasing decision has a security impact, and with information security threats on the rise, companies are increasingly concerned about third party vendor risks. That’s why for companies to sell software these days it is no longer enough to be secure, you also need to be able to prove it.
Over the last year or so we’ve noticed an increasing expectation that software companies, even SMEs and startups, should be SOC 2 compliant. For our customers, the challenge with SOC 2 is to prove that they are following the best security practices they already have in place without introducing layers of paperwork and bureaucracy.
A few months ago we began our own journey. Like our customers, we hold ourselves to extremely high standards when it comes to maintaining security and availability alongside our CI/CD and DevOps, so this was a great opportunity for us to navigate the challenges of SOC 2 compliance first-hand.
We set out to make the process as painless as possible, and we’ve found that if you’re already doing the right things, getting the proof doesn’t have to be a burden. With the right tools and approach, it’s possible to achieve SOC 2 Type 2 compliance in just 90 days. In this article I’ll share how we did it using Drata and Kosli.
Why we needed to get SOC 2 Compliance
When you’re selling to enterprise customers, especially in regulated industries like financial services and healthcare, SOC 2 compliance is now table stakes. It’s not enough to claim you have good security practices - you have to prove it. Customers want to see evidence that you have the right policies, procedures, and controls in place to protect their data.
For Kosli, achieving SOC 2 was critical to building customer trust and streamlining our sales process. We didn’t want compliance to be a bottleneck for our growth. You can’t be ambitious on behalf of your customers, but your customers can be ambitious on your behalf. Our customers were asking for SOC 2, so we made it a priority.
How to Choose the Right Tools for SOC 2
At Kosli, we’re all about automating compliance. Our platform records all the facts in a software delivery pipeline - from commit to deploy - and maps them to compliance controls. So, we had a head start when it came to evidencing our own SDLC for SOC 2.
But SOC 2 covers more than just software development. We needed a way to automate evidence collection for our policies, employee processes, vendor management, and more. That’s where Drata came in.
Drata is a continuous compliance platform that integrates with your identity provider (IdP), SaaS tools, and cloud providers. It automatically collects evidence and maps it to SOC 2 controls. When we looked at the market, Drata was the clear choice. It had the depth and breadth of integrations we needed, and the user experience was intuitive.
How Drata and Kosli Work Together
By combining Kosli and Drata we were able to build a powerful compliance automation stack. Drata handled a lot of the heavy lifting around policy management, access reviews, and cloud account monitoring. It made sure we had the right guardrails in place and could prove it.
Kosli, on the other hand, was our system of record for software changes. We use Kosli to define our SDLC policies and map them to SOC 2 controls. Every pull request, build, test run, and deployment is recorded in Kosli. We can show an auditor exactly what changed, who approved it, and how it was verified.
One of the key things we did was define our company SDLC and change management policies to match our DevOps culture. We’re big on automated testing, infrastructure as code and continuous delivery, and we didn’t want SOC 2 to slow us down or force us into a waterfall model.
We worked with our auditor to design policies that embrace automation and lean on our existing DevOps practices as controls. For example, our SDLC policy says that all code changes must go through a CI/CD pipeline with mandatory security scans and approvals. That’s something we were already doing, but now it’s codified and evidenced for SOC 2.
Key Steps and Challenges in the 90-Day Journey
So, how did we get to SOC 2 Type 2 in 90 days? The key was preparation and focus. Before we started the official Type 2 observation period, we did a Type 1 audit as a dry run. This helped us to identify gaps in our policies and evidence, so we could address them proactively.
During the 90-day observation period, the main challenge was making sure we consistently followed our policies and had evidence to prove it. This is where Drata and Kosli really worked well together. They automated a lot of the evidence collection, so we didn’t have to chase down screenshots and tickets.
Another key success factor was having a close, collaborative relationship with our auditor. We worked with Prescient Security, and they were fantastic (shoutout to Tony Russo!). They gave us a dedicated Slack channel where we could ask questions and get quick feedback. This helped us course-correct in real-time and avoid surprises at the end of the audit.
One interesting challenge was figuring out how to package the granular SDLC data from Kosli in a way that was easy for our auditor to review. Kosli records every event in a software pipeline as structured data. That’s great for automation, but auditors are used to documents and screenshots.
To solve this we built some custom reporting in Kosli to aggregate the data and present it in a more human-friendly format. We could show the auditor a complete story of a software change, from Jira ticket to production deployment, with all the relevant details and approvals. This helped streamline the evidence review process.
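To make the two ideas above concrete (an SDLC policy requiring approvals and security scans, and a per-change story an auditor can read), here is an added example that is not Kosli’s code or data format: it evaluates a policy over a constructed list of pipeline events, with event fields, control names and ticket ids all assumed.

```python
"""Added example (not Kosli's code or data model): evaluate an SDLC policy
over constructed pipeline events and render each change as an auditor-readable story."""
from collections import defaultdict

# Constructed sample events for two changes; field names and ticket ids are assumptions.
EVENTS = [
    {"change": "TICKET-101", "type": "pull_request", "actor": "alice", "approved_by": "bob"},
    {"change": "TICKET-101", "type": "build", "actor": "ci", "result": "pass"},
    {"change": "TICKET-101", "type": "security_scan", "actor": "ci", "result": "pass"},
    {"change": "TICKET-101", "type": "test_run", "actor": "ci", "result": "pass"},
    {"change": "TICKET-101", "type": "deploy", "actor": "ci", "env": "production"},
    {"change": "TICKET-102", "type": "pull_request", "actor": "carol", "approved_by": None},
    {"change": "TICKET-102", "type": "build", "actor": "ci", "result": "pass"},
    {"change": "TICKET-102", "type": "deploy", "actor": "ci", "env": "production"},
]

# The policy from the article: every change needs an approval, a passing security
# scan and passing tests before it reaches production. Control names are assumed.
CONTROLS = {
    "approved pull request": lambda ev: any(e["type"] == "pull_request" and e.get("approved_by") for e in ev),
    "security scan passed": lambda ev: any(e["type"] == "security_scan" and e.get("result") == "pass" for e in ev),
    "tests passed": lambda ev: any(e["type"] == "test_run" and e.get("result") == "pass" for e in ev),
}

def group_by_change(events):
    grouped = defaultdict(list)
    for e in events:
        grouped[e["change"]].append(e)
    return grouped

def evaluate(events):
    """Return {change: {control: bool}} for every change deployed to production."""
    results = {}
    for change, ev in group_by_change(events).items():
        if any(e["type"] == "deploy" and e.get("env") == "production" for e in ev):
            results[change] = {name: check(ev) for name, check in CONTROLS.items()}
    return results

def non_compliant(events):
    """Sorted list of production changes with at least one failing control."""
    return sorted(c for c, checks in evaluate(events).items() if not all(checks.values()))

def change_story(events, change):
    """Render one change's events, in recorded order, followed by its verdict."""
    lines = [f"Change {change}:"]
    for e in group_by_change(events)[change]:
        detail = e.get("approved_by") or e.get("result") or e.get("env") or ""
        lines.append(f"  {e['type']:<14} by {e['actor']:<6} {detail}")
    checks = evaluate(events).get(change)
    verdict = "NOT DEPLOYED" if checks is None else ("COMPLIANT" if all(checks.values()) else "NON-COMPLIANT")
    lines.append(f"  verdict: {verdict}")
    return "\n".join(lines)
```

Running `change_story(EVENTS, "TICKET-102")` shows the gap an auditor would flag: a production deploy with no approver and no security scan or test run recorded.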
Lessons Learned and Advice
If I could distill our SOC 2 journey into a few key lessons, they would be:
- Collaborate early and often between compliance and engineering teams. SOC 2 shouldn’t be a siloed effort. The more alignment you have on policies and controls, the smoother the process will be.
- Automate evidence collection wherever possible. Manual screenshots and tickets are time-consuming and error-prone. Tools like Drata and Kosli will save you a ton of time and effort.
- Build security and compliance into your SDLC by default. The more you can lean on your existing DevOps practices as controls, the less friction you’ll have in the audit process.
- Choose an auditor that understands your business and can be a collaborative partner. SOC 2 is not a “set it and forget it” exercise. You need an auditor who can give you actionable guidance along the way.
Continuous Compliance will be the new normal for SaaS vendors
Looking ahead, I believe continuous compliance will become the norm for SaaS companies of all sizes. As software eats the world, every company is becoming a software company. And with that comes increased scrutiny on data security and privacy.
We’re already seeing this with the rise of frameworks like SOC 2, ISO 27001, and GDPR. Regulators and customers are demanding more transparency and accountability from software vendors. The days of “just trust us” are over.
At the same time, the pace of software delivery is only accelerating. To stay competitive, companies need to ship code faster and more frequently. The challenge is to maintain compliance without slowing down innovation.
That’s where automation comes in. By embedding compliance into the SDLC and using tools to continuously monitor and collect evidence, companies can achieve both speed and security. It’s not an either/or proposition.
I also think we’ll see more use of technologies like cryptographic anchoring and blockchain-like immutability for audit evidence. Imagine if every SOC 2 report came with a tamper-proof ledger of all the evidence and attestations. That would really boost trust and transparency in the compliance process.
Conclusion
Achieving SOC 2 Type 2 compliance in 90 days was a challenging but rewarding journey for Kosli. By leveraging Drata for continuous compliance automation, and Kosli for SDLC evidence, we were able to meet the rigorous standards of SOC 2 without sacrificing any of the speed or automation in our DevOps.
The benefits have been significant. We can now confidently tell customers that we have best-in-class security practices, validated by an independent auditor. This has helped us close larger deals faster and build deeper trust with our users. We’re also able to offer customers first-hand knowledge and experience of how to get SOC 2 without negatively impacting their CI/CD or developer experience.
Now that we have achieved our attestation, the next part of our journey will be continuous improvement to ensure we maintain and improve our standards.
If you’re a SaaS company at the start of a SOC 2 journey, I recommend using Drata and Kosli. They can help you automate evidence collection, streamline audit prep, and embed compliance into your SDLC.
By sharing what we learned on our SOC 2 journey our hope is that we can help others to build a more secure and trustworthy software ecosystem. Get in touch if you’d like to make Kosli part of your compliance stack.