business

2024-02-12T15:33:28.195449Z

Hi, we’re building a B2B SaaS with Clojure/ClojureScript. We might have to do a 3rd-party code review to satisfy the security requirements of a large customer. I imagine there might be no such 3rd-party given that Clojure isn’t the most mainstream of languages. Anybody here have any experience with this?

2024-02-12T15:34:11.736809Z

Pls let me know if there’s a more suitable group for this question.

vemv 2024-02-12T16:00:08.016159Z

https://www.latacora.com/ is a security-focused Clojure consultancy

lukasz 2024-02-12T16:27:35.027419Z

I've run a B2B SaaS that was built using Clojure, implemented SOC2 (type 1 & type 2) and kicked off a HIPAA compliance effort - happy to chat too :-)

2024-02-12T16:38:02.072769Z

Hi @lukaszkorecki - did you do a 3rd-party code review for SOC2 or HIPAA? I don’t think it’s a requirement for SOC2 from what I remember looking at it.

lukasz 2024-02-12T16:41:28.868169Z

No, you don't need it for SOC2. Even when my company got acquired there was no code review during due diligence. Both HIPAA and SOC2 are more concerned about your organizational practices & processes and following their requirements - the code itself is not that important, unless you're dealing with a very specific business or offering - e.g. if you're offering something security-critical, that's where extra attestations like that are valuable, but that's always in addition to standardized things like SOC2 and HIPAA.

lukasz 2024-02-12T16:42:58.731079Z

In general: when a lead requests access to your code to close a deal, it had better come with a huge price tag; the same goes for on-prem deployments. It's just not worth anybody's time.
