Excalidraw+ Is Now SoC 2 Certified

(plus.excalidraw.com)

233 points gmays | 1 comments | 24 Jun 25 01:54 UTC | HN request time: 0s | source

Show context

quicklime ◴[24 Jun 25 03:11 UTC] No.44362564[source]▶

From the article:

> SOC 2 is a security and compliance framework created by the AICPA

How is it that a group of accountants (the American Institute of Certified Public Accountants) was able to create a security framework for software, and position themselves as the sole gatekeeper who decides which auditors are allowed to certify SaaS vendors?

I’m surprised that companies would look to accountants, rather than people from the tech industry, to tell them whether a vendor has good IT security practices.

Yet the whole tech industry seems to be on board with this, even Google, Microsoft, etc. How did this come to be?

replies(3): >>44362616 #>>44362924 #>>44363678 #

tptacek ◴[24 Jun 25 03:23 UTC] No.44362616[source]▶

>>44362564 #

It's an audit standard about security. It's not a security standard. It defines a small number of extremely broad goals, like "you do risk management" and "you have access control mechanisms", which might be IT tools or might be a tabletop RPG.

You're irritated that people keep describing it at a security standard, which is understandable, but it isn't. AICPA auditors run SOC2 audits because SOC2 is an audit; it's about reconciling paperwork and evidence, about digesting policies and then checking that you actually do anything in those policies.

If you want to know about a firm's actual security program, you'll need to ask deeper questions than SOC2 can answer.

replies(2): >>44362654 #>>44362786 #

alexjplant ◴[24 Jun 25 03:34 UTC] No.44362654[source]▶

>>44362616 #

When I worked someplace undergoing a SOC2 audit I had to periodically jump into calls with our auditor and security architect to answer all sorts of highly-specific questions about how we deployed our software and the infrastructure that it ran on. At one point, for instance, the auditor told me that they needed me to demonstrate that our servers were all configured to synchronize their clocks to an NTP server. Kubernetes was a foreign concept to them and pointing to GKE docs wasn't sufficient - if memory serves I had to MacGyver some evidence together by hacking a worker node to be able to get a terminal on it and demonstrate that, yes, Google's managed VMs indeed run chronyd.

This seems to be the opposite of

> It's not a security standard. It defines a small number of extremely broad goals

Is this because of the specific auditors we were using? Are some more sympathetic than others to contemporary engineering practices?

replies(3): >>44362680 #>>44362720 #>>44362764 #

quicklime ◴[24 Jun 25 04:05 UTC] No.44362764[source]▶

>>44362654 #

> Kubernetes was a foreign concept to them and pointing to GKE docs wasn't sufficient

This doesn’t surprise me one bit, in my case our auditors didn’t have a clue what GitHub was and we had to explain how code reviews and deployment pipelines worked. And these are the people who are tasked with certifying whether we’re doing our job correctly.

Sure, maybe it’s because we didn’t pick good auditors. But the accountants certified those auditors, and the whole point of certification is that we can rely on it to establish basic knowledge.

replies(1): >>44362769 #

1. tptacek ◴[24 Jun 25 04:06 UTC] No.44362769[source]▶

>>44362764 #

You're relying on their ability to review documents and the meaningfulness of the reputation they stake on a signature saying they actually reviewed those documents. Nobody who has been through a SOC2 audit would ever reasonably think you're relying on your auditor's technology skills.

↑