top | item 44362564

(no title)

quicklime | 8 months ago

From the article:

> SOC 2 is a security and compliance framework created by the AICPA

How is it that a group of accountants (the American Institute of Certified Public Accountants) was able to create a security framework for software, and position themselves as the sole gatekeeper who decides which auditors are allowed to certify SaaS vendors?

I’m surprised that companies would look to accountants, rather than people from the tech industry, to tell them whether a vendor has good IT security practices.

Yet the whole tech industry seems to be on board with this, even Google, Microsoft, etc. How did this come to be?

discuss

tptacek|8 months ago

It's an audit standard about security. It's not a security standard. It defines a small number of extremely broad goals, like "you do risk management" and "you have access control mechanisms", which might be IT tools or might be a tabletop RPG.

You're irritated that people keep describing it at a security standard, which is understandable, but it isn't. AICPA auditors run SOC2 audits because SOC2 is an audit; it's about reconciling paperwork and evidence, about digesting policies and then checking that you actually do anything in those policies.

If you want to know about a firm's actual security program, you'll need to ask deeper questions than SOC2 can answer.

alexjplant|8 months ago

When I worked someplace undergoing a SOC2 audit I had to periodically jump into calls with our auditor and security architect to answer all sorts of highly-specific questions about how we deployed our software and the infrastructure that it ran on. At one point, for instance, the auditor told me that they needed me to demonstrate that our servers were all configured to synchronize their clocks to an NTP server. Kubernetes was a foreign concept to them and pointing to GKE docs wasn't sufficient - if memory serves I had to MacGyver some evidence together by hacking a worker node to be able to get a terminal on it and demonstrate that, yes, Google's managed VMs indeed run chronyd.

This seems to be the opposite of

> It's not a security standard. It defines a small number of extremely broad goals

Is this because of the specific auditors we were using? Are some more sympathetic than others to contemporary engineering practices?

er4hn|8 months ago

I've always viewed SOC-2 as a certification for business continuity, not security. Once you view it as making sure that the service can continue running, even with disaster or heavy turnover, it makes more sense.

unknown|8 months ago

[deleted]

citizenpaul|8 months ago

Because CS refuses to formalize/unionize/license itself to its own detriment. There is no standard software developer. Accounts have some minimum bar to maintain their license. Who would you choose?