We have been using Octopus Deploy for a while now (it's awesome). However, we have a PCI application and we are wondering: if we store passwords as variables which are then input into web.configs for a deployment, does this meet PCI compliance?
Also, would the above pass SOX?
Thanks for getting in touch! We actually have several Octopus customers that follow both PCI compliance and the SOX compliance laws.
To answer your question, all sensitive variables inside Octopus are encrypted and you are never able to view the value until it is used during the deployment.
Ideally you would complete the configuration of Octopus as you plan on using it then have your auditors assess it themselves and give feedback on areas that need clarification.
I believe one of the biggest things to keep in mind with SOX compliance and Octopus is that you do not configure any retention policies; otherwise you will be removing data that may be required in an audit situation.
Octopus itself has had a security audit done, and if you would like, we are happy to send that through.
Hope that helps! If you have any further questions please don’t hesitate to send them through.
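As an added illustration of the point in the answer above (not code from the thread or from Octopus Deploy), here is a small post-deployment check a team in a PCI/SOX environment might run on the target host: it confirms that the sensitive variables were actually substituted into web.config and that no unsubstituted token or empty secret was left behind. It assumes the Octopus `#{VariableName}` substitution syntax; the sample web.config and the list of sensitive key hints are constructed for the example, and the check deliberately reports key names only, never secret values.

```python
"""Post-deployment audit of a web.config produced by variable substitution."""
import re
import xml.etree.ElementTree as ET

# Octopus-style substitution token, e.g. #{DbPassword} (assumption: the deployment
# uses Octopus variable substitution to fill these values at deploy time).
TOKEN_RE = re.compile(r"#\{[^}]+\}")
# Key-name fragments treated as sensitive (constructed list for this example).
SENSITIVE_HINTS = ("password", "pwd", "secret", "apikey", "token")


def audit_web_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the config passed the check."""
    findings = []
    root = ET.fromstring(xml_text)
    # appSettings entries: <add key="..." value="..."/>
    for add in root.iterfind("./appSettings/add"):
        key, value = add.get("key", ""), add.get("value", "")
        if TOKEN_RE.search(value):
            # Token survived, so the variable was missing or not marked for substitution.
            findings.append(f"appSettings/{key}: unsubstituted token {value!r}")
        elif any(h in key.lower() for h in SENSITIVE_HINTS) and not value:
            findings.append(f"appSettings/{key}: sensitive setting is empty")
    # connectionStrings entries: <add name="..." connectionString="..."/>
    for add in root.iterfind("./connectionStrings/add"):
        name, cs = add.get("name", ""), add.get("connectionString", "")
        if TOKEN_RE.search(cs):
            findings.append(f"connectionStrings/{name}: unsubstituted token in connection string")
        if re.search(r"(?i)(password|pwd)=;", cs):
            findings.append(f"connectionStrings/{name}: empty password in connection string")
    return findings


# Constructed sample: one value still carries a token, one sensitive value is empty,
# and the connection string was substituted correctly.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ApiKey" value="#{ApiKey}"/>
    <add key="SmtpPassword" value=""/>
  </appSettings>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;User Id=app;Password=placeholder-from-octopus;"/>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("FAIL:", finding)
```

Run it on the deployed web.config as a final deployment step and fail the deployment on any finding; because it only names keys, its output is safe to keep in the deployment log for auditors.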