Sarbanes-Oxley puts a big damper on production deployments at big companies. I don't fully understand it so I won't try to explain it.
(I will complain though: the law says developers shouldn't have control over production systems. If that's a requirement, who's going to write the software?)
It hasn't slowed us down at Netflix. :) In fact what it has done is caused us to be really good about separating what needs auditing from what doesn't, so that only a very minimal set of services has to have separations and release processes that are in line with SOX controls.
I believe you're somewhat mistaken. SOX generally applies to finance systems and financial reporting at public companies. So if you're publicly traded you couldn't use this process for your accounting system. But if Facebook wants to let a junior engineer push out new code without independent review, SOX isn't stopping them.
I don't know if that's a SOX law. However, I do know that it is a PCI requirement. A single person shouldn't be able to introduce new code and then be able to push their own change out to production.
Can you point to the bit in the PCI spec that says that? My understanding is that people should only have access to the systems they require. But that doesn't stop a developer having access to a continuous deployment server that can push code that meets requirements to production. But that's based on my memories, and may not reflect reality.
Everyone just 'knows' what is in Sarbanes-Oxley, but when you ask them to point it out to you in the legislation they cannot find what they were so certain about 2 minutes prior. We have compliance people and auditors are always coming in, but when someone claims something is required for SOX compliance, challenge them on it, as 99% of the time it is a convention because someone told them, or they did it like that somewhere else once, rather than what is required by law. At the least it will make them justify the compliance/overhead they are causing you to do as an engineer.
Here is the legislation if you want to read through it or use it to challenge someone's assumptions about Sarbanes-Oxley: http://www.sec.gov/about/laws/soa2002.pdf
A lot of this stuff is open to interpretation by auditors. SOX doesn't literally specify any of this sort of stuff.
In my experience, SOX usually ends up meaning that developers don't have access to production systems, or significantly limited access. However, a continuous deployment system should generally be very much in the spirit of SOX, in that it's pretty hard to do without well-defined, highly-repeatable, automated and auditable processes.