Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
dgellow 5 hours ago

I guess we had different experiences. The ones I interacted with were ok and wouldn’t have accepted a simple nmap here

tptacek 5 hours ago | parent [-]

I'm not being snarky when I say that not getting your automated vulnerability scan, whatever it might have been, past your SOC2 auditors is a skills issue. SOC2 audits are not technical and the vulnerability scan control in SOC2 is categorically not meaningful. Cloudflare wrote a whole post about this.

dgellow 4 hours ago | parent [-]

FWIW I agree that SOC2 for automated vulnerability scans has a really low bar and isn’t too meaningful. At no point did I defend SOC2 here. The bar I’ve seen is above “just an nmap”, which is pretty bad standard IMHO. You seem to be reading way too much in my comments

4 hours ago | parent | next [-]
[deleted]
tptacek 4 hours ago | parent | prev [-]

I brought up nmap. You said you'd expect respected SOC2 auditors to reject it. I don't just think that's not true, I know it not to be true.

dgellow 4 hours ago | parent [-]

I know, that’s already established. I already acknowledged we had different experiences. I have no idea what you’re pushing for at that point

tptacek 3 hours ago | parent | next [-]

Just to clarify, this is a bugbear of mine. It's nothing personal with you, but I've spent the last 6 years or so evangelizing the idea that people should minimize their SOC2s and not get pushed around by auditors or evidence collection platforms like Vanta, because that drives a lot of terrible security engineering, and the hypercompetent best-staffed security orgs in the industry all push their SOC2 auditors around.

Compliance and security are entirely different practices in a well-run firm. Security can inform compliance. Compliance should not inform security engineering.

If you search my name and "SOC2" in the search bar below, I've expanded on this quite a bit.

rmccue 2 hours ago | parent [-]

As just one data point here, let me say thank you for all your writing on it; it was super useful to have things to point at to say “we don’t have to just blindly do a thing the auditor suggested!” for our SOC2.

john_strinlai 3 hours ago | parent | prev [-]

tptacek just hates soc. its probably not personal.

tptacek 3 hours ago | parent [-]

We got some value from it! I just think it's important to remember what it actually is, rather than axiomatically deriving what you think it should be.