
233 points gmays | 3 comments
tptacek No.44362436
This is all good, just a note for anybody reading this to the end: there's basically no way not to pass your Type 1, at least not if you're using a serious auditor. The point of a Type 1 is to document a point-in-time baseline. The Type 2 is the first "real" audit, and basically just checks whether you reliably did all the things you attested to in your Type 1.

All that is to say: you want to minimize the amount of security work you do for your Type 1, down to a small set of best practices you know you're going to comply with forever (single sign-on and protected branches are basically 90% of it). You can always add controls later. Removing them is a giant pain in the ass.

This is always my concern for people going into SOC2 cold: vendors in the space will use the Type 1 as an opportunity for you to upskill your team and get all sorts of stuff deployed. A terrible and easily avoided mistake.

I write this only because the piece ends with Excalidraw psyched to have cleared their Type 1. I hope their auditors told them they were always going to clear that bar.

replies(4): >>44362485 >>44362521 >>44362792 >>44362850
1. robertclaus No.44362521
Yup, for the most part you define your own controls! Even type 2 is pretty hard to "fail" if you're serious about security. You're more likely to just get minor exceptions in the report for being sloppy about something.
replies(1): >>44362541
2. tptacek No.44362541
I think we've managed to get an exception in every Type 2 we've done (each time, some dumb paperwork policy thing; I think in one instance we were untimely with a post-facto merge PR signoff, the closest we've come to an actual slip). The first exception we got, I raised hell and wrote a management statement. But nobody cares about trivial exceptions, and so I've learned not to here either.

But, true, I didn't even pay attention in our last Type 2 (I don't run security here) --- passing was a foregone conclusion.

replies(1): >>44365264
3. jonathaneunice No.44365264
"Nobody cares about trivial exceptions"...except the most persnickety GRC teams of your most persnickety enterprise customers.

Or at least *cough*, that's what I've heard.