Hi, we’re building a B2B SaaS with Clojure/ClojureScript. We might have to do a 3rd-party code review to satisfy the security requirements of a large customer. I imagine there might be no such 3rd party given that Clojure isn’t the most mainstream of languages. Anybody here have any experience with this?
Pls let me know if there’s a more suitable group for this question.
https://www.latacora.com/ is a security-focused Clojure consultancy
I've run a B2B SaaS that was built using Clojure, implemented SOC2 (Type 1 & Type 2) and kicked off a HIPAA compliance effort - happy to chat too :-)
Hi @lukaszkorecki - did you do a 3rd-party code review for SOC2 or HIPAA? I don’t think it’s a requirement for SOC2 from what I remember looking at it.
No, you don't need it for SOC2. Even when my company got acquired there was no code review during due diligence. Both HIPAA and SOC2 are more concerned about your organizational practices & processes and following their requirements - the code itself is not that important, unless you're dealing with very specific business or offering - e.g. if you're offering something security-critical, that's where extra attestations like that are valuable, but that's always in addition to standardized things like SOC2 and HIPAA
In general: when a lead requests access to your code to close a deal, it better come with a huge price tag, same goes for on-prem deployments. It's just not worth anybody's time