top | item 44362165

Excalidraw+ Is Now SoC 2 Certified

234 points| gmays | 8 months ago |plus.excalidraw.com

79 comments

[+] tptacek|8 months ago|reply
This is all good, just a note for anybody reading this to the end: there's basically no way not to pass your Type 1, at least not if you're using a serious auditor. The point of a Type 1 is to document a point-in-time baseline. The Type 2 is the first "real" audit, and basically just checks whether you reliably did all the things you attested to in your Type 1.

All that is to say: you want to minimize the amount of security work you do for your Type 1, down to a small set of best practices you know you're going to comply with forever (single sign-on and protected branches are basically 90% of it). You can always add controls later. Removing them is a giant pain in the ass.

This is always my concern for people going into SOC2 cold: vendors in the space will use the Type 1 as an opportunity for you to upskill your team and get all sorts of stuff deployed. A terrible and easily avoided mistake.

I write this only because the piece ends with Excalidraw psyched to have cleared their Type 1. I hope their auditors told them they were always going to clear that bar.

[+] RainyDayTmrw|8 months ago|reply
Am I reading correctly between the lines? That sounds like you're suggesting that vendors in this space will actively work against your interests, and scope creep type 1, to get more business for type 2?
[+] robertclaus|8 months ago|reply
Yup, for the most part you define your own controls! Even type 2 is pretty hard to "fail" if you're serious about security. You're more likely to just get minor exceptions in the report for being sloppy about something.
[+] colechristensen|8 months ago|reply
> I write this only because the piece ends with Excalidraw psyched to have cleared their Type 1. I hope their auditors told them they were always going to clear that bar.

The signal that having a Type 1 sends is that you're interested in even trying to pass the next one, which in itself is a good sign to everyone. Maybe being excited and proud of "passing" Type 1 is a little of an exaggeration for folks who know the details, but I'm very willing to forgive that. A lot of orgs show a lot more pride about much more dubious things.

[+] Vic-Bhatia|8 months ago|reply
Former Head of Security GRC at Meta FinTech, and ex-CISO at Motorola. Now, Technical Founder at a compliance remediation engineering startup.

Some minor nits. One can't be SOC 2 "certified". You can only receive an attestation that the controls are designed (for the Type 1) and operating effectively (for the Type 2). So, the correct phrase would be that Excalidraw+ has received its "SOC 2 Type 1 attestation" for the x,y,z Trust Services Criteria (usually Security, Availability, and Confidentiality. Companies rarely select the other two - Privacy, and Processing Integrity - unless there's overlap with other compliance frameworks like HIPAA, etc.). The reason this is important is that phrasing matters, and the incorrect wording indicates a lack of maturity.

Also, as others have said, no one "fails" a SOC 2 audit. You can only get one of four auditor opinions - Unmodified, Qualified, Adverse, and Disclaimer (you want to shoot for Unmodified).

As an FYI, the technical areas that auditors highly scrutinize are access management (human and service accounts), change management (supply chain security and artifact security), and threat and vulnerability management (includes patch management, incident response, etc.). Hope this information helps someone as they get ready for their SOC 2 attestation :-)

Similarly, the report areas you want to be very careful about are Section 3: System Description (make sure you don't take on compliance jeopardy by signing up for an overly broad system scope), and Section 4: Testing Matrices (push back on controls that don't apply to you, or where the audit test plan doesn't make sense - auditors are still stuck in the early 00's / "client server legacy data center" mode and don't really understand modern cloud environments).

Finally, if you're using Vanta/Drata or something similar - please take time to read the security policy templates and don't accept them blindly for your organization - because once you do, they get set in stone and that's what you are audited against. (Example: most modern operating systems have anti-malware built in; you don't need to waste money on purchasing separate software, at least for year one - so make sure your policy doesn't say you have a separate endpoint protection solution running. Another one: if you have an office that you're using as a WeWork co-working space model only, most of the physical security controls like cameras, badge systems etc. either don't apply or are the landlord's responsibility, so out of scope for you.)

Hope this comment helps someone! SOC 2 is made out to be way more complicated (and expensive) than it actually needs to be.

[+] tptacek|8 months ago|reply
Cosign all of this wholeheartedly. Push back!

The ratcheting back system scope thing is super good advice I always forget to give, too. You can get your entire software security program wrapped up in your SOC2 --- but why would you ever want to do that. The security of your software is very relevant to your customers, but it is not and should not be relevant to SOC2.

[+] preinheimer|8 months ago|reply
I have also felt the need to claim to be “SOC 2 Certified”. It’s made hard by so many vendors using that language that it’s come to be expected. Do I want to start the sales call by explaining that the purchaser is wrong… or just say yes, and if you sign this NDA you can have our auditors' report?
[+] quicklime|8 months ago|reply
From the article:

> SOC 2 is a security and compliance framework created by the AICPA

How is it that a group of accountants (the American Institute of Certified Public Accountants) was able to create a security framework for software, and position themselves as the sole gatekeeper who decides which auditors are allowed to certify SaaS vendors?

I’m surprised that companies would look to accountants, rather than people from the tech industry, to tell them whether a vendor has good IT security practices.

Yet the whole tech industry seems to be on board with this, even Google, Microsoft, etc. How did this come to be?

[+] tptacek|8 months ago|reply
It's an audit standard about security. It's not a security standard. It defines a small number of extremely broad goals, like "you do risk management" and "you have access control mechanisms", which might be IT tools or might be a tabletop RPG.

You're irritated that people keep describing it as a security standard, which is understandable, but it isn't. AICPA auditors run SOC2 audits because SOC2 is an audit; it's about reconciling paperwork and evidence, about digesting policies and then checking that you actually do anything in those policies.

If you want to know about a firm's actual security program, you'll need to ask deeper questions than SOC2 can answer.

[+] citizenpaul|8 months ago|reply
Because CS refuses to formalize/unionize/license itself, to its own detriment. There is no standard software developer. Accountants have some minimum bar to maintain their license. Who would you choose?
[+] 9283409232|8 months ago|reply
On the roadmap they posted, they have "self-host Excalidraw" as backlogged. Is there a self-hosted alternative to Excalidraw? I would love to use something like this internally with my team but we self-host all of our services.
[+] lis|8 months ago|reply
We forked excalidraw a while ago to allow running excalidraw without firebase as a backend. This can already be self-hosted. It needs some love, but it's a good starting point:

  * https://github.com/b310-digital/excalidraw
  * https://github.com/b310-digital/excalidraw-room/
  * https://gitlab.com/kiliandeca/excalidraw-fork
  * https://gitlab.com/kiliandeca/excalidraw-storage-backend
[+] nodja|8 months ago|reply
I've found that the best experience of self hosting excalidraw is actually using it inside nextcloud; it's called whiteboard over there but it's actually excalidraw. Setup is a bit finicky but workable if you understand how reverse proxies work.

Nextcloud allows you to have an actual file based workflow and collaboration works out of the box, so if you give someone the url they can see what you're doing and let them do edits as well.

[+] ranger_danger|8 months ago|reply
> We got tired of endless security questionnaires, so we got SOC 2 certified to make things smoother for everyone.

Can someone explain what they meant by this? Questionnaires by who, and why?

[+] tptacek|8 months ago|reply
SOC2 is viral. When you sell B2B services to a SOC2-attested company, they will have a policy somewhere that requires them to ensure that you take adequate security precautions (this is called "vendorsec"). If you're not SOC2, the standard vendorsec process is that your prospective customer gives you a giant Excel spreadsheet questionnaire to fill out. If you are SOC2, your last SOC2 report will usually suffice.
[+] aag8|8 months ago|reply
B2B companies often have to answer security questionnaires as part of the buyer's procurement process. Things like "how do you maintain separation of data between tenants?" or "do you encrypt data at rest?"

A SOC 2 attestation can bypass / answer some of these by default.

[+] Analemma_|8 months ago|reply
If you’re not SOC2 certified, a lot of orgs (by policy or by law) have to ask you tons of questions about your security situation to verify that you’re “as good as” SOC2 before they can do business with you.

Strictly speaking it’s better than a hard-and-fast requirement to be certified— at least you have some choice— but as was the case here it tends to be so onerous and repetitive that people tend to just get the certification.

[+] jamiecurle|8 months ago|reply
Organisations need to ensure that doing business with you isn't over their risk threshold. One of the areas they focus on is security (cyber, info and physical, and perhaps soon AI). In order to determine this they ask you a bunch of questions to which you insert answers and evidence into a spreadsheet, sometimes an online app. These are "the questionnaires". They're also pretty expensive [0].

Having a SOC 2 attestation or certified ISO 27001 compliance of your Information Security Management System allows you to do business with "less friction" because you can often shortcut some / all portions of those questionnaires.

But you can never get rid of them.

[0]: https://sharedassessments.org/sig/

[+] 9283409232|8 months ago|reply
Excalidraw is used for everything from napkin math to meeting notes to complete software architecture. Naturally the companies using it want to know what the security makeup of the company is. This can come in the form of a giant document of questions or simply asking for the SOC2.
[+] danjc|8 months ago|reply
Unfortunately, carrying a SOC 2 attestation won't save you from vendor questionnaires (and one-off security asks), but it will make them easier. ;)
[+] bhattisatish|8 months ago|reply
Just a query, how do people who are going through the certification process manage their endpoint management? Do you use any MDM solution?

We are completely remote with no office. Most of our developers are on Ubuntu, and we use rented laptops which get shipped to them by our vendors (we have a couple of them, and we select one depending upon which is closest to their area of operation).

Due to this, I couldn't figure out a proper MDM-based solution. We evaluated Fleetdm, Kaspersky, ESET, ... but none of them worked well with Ubuntu laptops.

What do you guys use?

[+] ivolimmen|8 months ago|reply
I do not know anything about that SOC 2 (or any official sounding framework for that matter). I work at a large municipality in the Netherlands and they also meticulously document every step so that the auditors can trace and verify everything. Seeing what they did to achieve this goal, I would say that the next step (their suggestion) to do ISO would be a breeze, as all those 'frameworks' require meticulous documentation.
[+] rajeshrajappan|8 months ago|reply
This is a good write up. We are going through the same process at the moment (SOC2 & ISO27001). It has been a long journey. Compliance platforms help a lot, but a lot of work still needs to be done. It's always good to get someone with auditing experience involved early on.
[+] shrubble|8 months ago|reply
I’m working at a telecom and this actually does a great job of explaining why there are so many bureaucrats in the security side of the company: they must have to deal with this security theater too since telecom is heavily regulated.
[+] burnt-resistor|8 months ago|reply
Meta used/uses Excalidraw for technical interviews, but mostly as an Etherpad (cooperative text editor) for unexecuted, mentally-evaluated code. As such, PiratePad/Etherpad or Google Doc would suffice.
[+] hsbauauvhabzb|8 months ago|reply
I regularly see products with a soc2 certification but have never viewed a report. Some of the real world security of these products is total dog shit.

Is it easy to bs your way through a soc2 certificate? Like are the companies in my experience lying or gaming the system, or are the auditors incompetent?

[+] eclipticplane|8 months ago|reply
If you're engaged with the vendor's sales team, ask to see the report. 99% of the content is useless. Most read like a poorly performing LLM even if the controls were written pre-LLM.

Why would a vendor get a SOC 2? Because their customers demanded it. Why did their customers demand it? Their customers demanded it.

99% of it is a useless make-work assessment demanded by equally incompetent customers' auditors demanding it to justify their own existence.

[+] alberth|8 months ago|reply
What’s the easiest way to get certified?

Is it to use something like Vanta/Drata? Are they any good?

[+] mlitwiniuk|8 months ago|reply
You could even use google drive with a set of spreadsheets and screenshots. The biggest problem is getting through the requirements, understanding what they actually mean and having some sort of framework for writing policies. But once you're past that, it's manageable. Vanta/Drata just make this easier.

Vanta/Drata are big players and they're charging big time for their platform. That's why I've started working on my own startup that's meant to disrupt this for SMBs - by making it waaay more affordable (for managing compliance, not attestation/certification itself, which we don't do).

[+] phendrenad2|8 months ago|reply
FYI:

SOC 2: Systems and Organization Controls 2

SoC: System-on-Chip

Get it right!

[+] mlitwiniuk|8 months ago|reply
Well, if we're picky here, then it should actually be: SOC 2® ;)
[+] b0a04gl|8 months ago|reply
we had to go through this at my current place. getting SOC2 type 1 wasn't easy, it forced us to clean up years of infra mess. audit trails that never existed, access logs that were half broken, no changelog discipline. suddenly had to make all of it real.

and since we're also running an open core setup with paid SaaS, same pain. had to clearly draw lines - what parts stay public, what goes behind login, what actions need tracking. OSS gives you velocity but hides the surface area until compliance hits. things/processes no one cared about when we were shipping fast suddenly became blockers.

it just checks if you said you'd do something and whether there's proof you actually did. forces you to grow up, in a way that isn't very founder friendly

[+] jonathaneunice|8 months ago|reply
> forces you to grow up

Cosigned. I've lived exactly this in startups and SME.

Perhaps more surprising—but also somewhat reassuring—I've heard the exact same thing from Fortune 500 insiders themselves facing SOC 2, ISO 9xxx, ISO 27xxxx, lorem ipsum for the first time.

Everyone, everywhere apparently lets the bits hang out—until the day comes when someone requires formal processes, checkpoints, documentation, and audits. Then pants go on fast.