
Change Management Policy

To avoid potential security incidents, Oso requires change management controls to ensure only authorized changes are made to its environment and processes.

Environment

Code changes

Changes to code in Oso’s environment made by an employee or contractor must be tested and approved by another employee prior to being merged and rolled out.

Oso uses branch protection rules on GitHub to require a second review prior to merging code.

Exceptionally, employees can push changes without a second review where doing so is required to mitigate an incident.

Changes to published documentation, changes to the marketing website, and non-substantive code changes are exempt from this policy.

Documentation

Documentation can be updated without requiring a separate reviewer.

Infrastructure changes

Employees should notify others prior to making changes to Oso’s infrastructure, e.g., over Slack. Where infrastructure is codified and uses a deployment tool, infrastructure changes should be approved by another employee prior to being deployed.

Customer accounts

Oso may make changes to customers’ accounts in Oso at the customer’s request. Such changes are initiated through customer support tickets.

Oso may also make changes to customer environments without the customer initiating the request, such as when required by law or due to an urgent security issue.

Security policies

Security policies must have a change log to allow auditing of past changes, including when and by whom these changes were made. Oso stores these security policies in GitHub and uses git to track changes.