How StepSecurity got SOC 2 compliant in 4 weeks

In late 2021, security veterans Varun Sharma and Ashish Kurmi came together to build StepSecurity – a platform for developers to implement software supply chain security best practices with ease in minutes.

StepSecurity empowers developers to defend against software supply chain attacks by automating security best practices. Using StepSecurity, developers can quickly discover and integrate DevSecOps tools into software development and delivery pipelines, and remediate security issues through automated pull requests with just one click. StepSecurity is changing the game in software security, making it simpler and more efficient for developers to secure their software supply chain.


Framework: SOC 2
Location: USA
Time to complete SOC 2 Type 1 audit: 4 weeks

Challenge

StepSecurity started as a company that helped open-source maintainers and communities with their software supply chain security. However, as StepSecurity continued to grow, they started seeing a lot of requests from large enterprise organizations with private repositories that had the same security issues. These organizations were predominantly from regulated industries such as healthcare and finance and wanted to work with partners that were SOC 2 compliant.

Co-founders Ashish and Varun both come from a security background and have helped several large-scale enterprises with their SOC 2 journeys in the past. But as a first-time start-up with limited resources, SOC 2 compliance seemed like a costly and time-consuming process that would take attention away from more pressing priorities.

SOC 2 compliance usually requires a substantial amount of time, resources, and investment. Larger enterprises typically have teams dedicated to managing security compliance, including project managers, program managers, and CISOs working in tandem to ensure compliance with regulations. As a startup, we were laser-focused on customer acquisition and revenue growth. We didn’t want to be sidetracked by the heavy lift of SOC 2 compliance.

But as they started working with more customers, Ashish and Varun realized that SOC 2 compliance was a business opportunity they couldn't ignore. With limited resources and tight timelines, they needed a security compliance tool that would help them get SOC 2 compliant fast and within their budget.

“We started evaluating tools in the market, and they all promised a high degree of automation. But when I got on a call with Sprinto, I could clearly see the high level of automation that is built into the product, and I was convinced that Sprinto would make a perfect choice!”

StepSecurity signed up for Sprinto Ignite – a curated security compliance enablement program for tech startups. “Compared to other platforms, Sprinto made sense because of Ignite – it was so much more affordable. As a startup we appreciated the pricing,” the founders note.

Solution

During the kickoff call, Sprinto provided a meticulous action plan for each phase of StepSecurity’s SOC 2 journey.

Given that StepSecurity uses a modern tech stack and operates exclusively on AWS, the setup process was a breeze. Everything from setting up the org chart and conducting employee security training to categorizing repositories and AWS resources was done within an hour, and StepSecurity was up and running without delay.

“Although we did have weekly calls after the initial setup, the streamlined process felt effortless, and everything seemed to run on autopilot,” notes Ashish.

What stood out for me about Sprinto is that it is very action-oriented. It tells you exactly where the security gaps are and how you can fix them. The tiered escalation system for failing checks is amazing and turned out to be invaluable in guiding us towards identifying and prioritizing issues that required immediate attention.

Drawing from prior experience, Ashish anticipated that achieving SOC 2 compliance would take up a lot of their time and effort. However, he was pleasantly surprised to see Sprinto’s customer success team handle every aspect of their SOC 2 journey, from start to finish, leaving no detail overlooked. “To my amazement, the process was not only seamless but also hassle-free. Our CSM played a pivotal role in making this experience so incredibly remarkable for our team,” adds Ashish.

Results

Within 2 weeks of implementing Sprinto, StepSecurity was ready for audit. They decided to go ahead with Prescient Assurance from Sprinto’s auditor network to achieve their SOC 2 certification.

I was bracing myself for an intensive involvement during the audit process as well, preparing to walk the auditors through every little detail and answering their barrage of questions. But to my delight, Team Sprinto was our first point of contact for the auditors, and they effortlessly fielded all the queries that came their way. They also provided the auditors with access to the audit dashboard within Sprinto, which showcased evidence exactly as they needed to see it.

Over the next two weeks, StepSecurity completed its audit and received its SOC 2 Type 1 audit report. “Thanks to Sprinto, we pulled it off with such finesse!” adds Ashish. SOC 2 Type 2 and ISO 27001 are next in line and already in motion.

Since becoming compliant, StepSecurity has amped up its sales effort. They are now actively working on unblocking commercial deals and clearing their fast-growing sales pipeline.