> * Automate government-driven compliance standards - enable small businesses to sell into large companies/government entities, automatic certification when using pre-approved cloud solutions.
I don't see how this will end well. I appreciate the reasoning behind it, but this is not a good solution.
I'd prefer to see more "startup friendly" compliance frameworks that don't require tens to hundreds of thousands of dollars and make both the startup and their customers satisfied with the outcome. Something like a SOC2-lite that isn't so onerous but still provides a decent snapshot of their current situation from a third party's perspective.
I'd also prefer to see these standards go away. I haven't seen any proof they are providing meaningful security at any company I've been at, and several of them have had massive hacks despite being SOC2 on paper. They also eat up InfoSec time instead of being productive on meaningful stuff like "Hey, are we patching everything?"
Most of this compliance just seems like barber licenses. A way for existing entities to entrench themselves.
Here here. The only thing SOC2 has done in my opinion is to create a multibillion dollar business that mainly just drains resources from companies that may not have them, with no guarantees you're actually secure. This usually devolves into security theatre where the CISO and underlings are putting in tools that drown teams with so much noise it's hard to detect the signal.
The people running these programs rarely understand the security space well enough to even tell you what a lot of the hits even mean, which ramps up disdain and division between the groups. This is arguably more detrimental to security as the scanners give execs/management a false sense of security while the noise makes it incredibly difficult to run a holistic security strategy.
(It’s "hear hear," since you want people to hear it. Honestly I have no idea whether to say something or not. But I’d want to know, so, just in case it’s helpful.)
I agree that regulatory compliance and the industries around it can often be theater, and it creates regulatory barriers that inhibit startups and competition generally, but there must be some method of oversight to ensure that people can trust a system or company without needing to see the internals. For example, we trust our food is healthy because the firm that made it is authorized to do so by the FDA as they comply with the rules established by those regulators. Obviously there are flaws, loopholes, etc., and obviously software is different from health, but to an extent we want some guarantees from an externally trusted actor. What is needed in the current SOC2 world that might solve some of the issues you outlined without getting rid of it, or the idea of it, entirely?
>What is needed in the current SOC2 world that might solve some of the issues you outlined without getting rid of it, or the idea of it, entirely?
IMO, nothing. It's not redeemable at all. Since you asked though, here are some thoughts:
Be more like the FDA process, where software is extensively reviewed, rollback procedures are established, and you launch a specific version with compliance. So basically two releases, maybe 4 a year.
Disallow risk mitigation because, IMO, that's the result of most of the problems. Oh yeah, we are doing "Terrible Security thing, but since fixing it is too expensive, here is a bunch of lies about how we have mitigated it."
There is also the option of a government audit with criminal liability for falsifying/misleading auditors. This third-party system where auditors are getting paid results in problems. I've seen plenty of audits where bosses write up auditor requests in extremely specific ways that creatively leave out things that should never be approved. I've also seen auditors be made aware of a problem, then people backtrack, and auditors accept it because "They are also our customer and we need repeat business."
Vanta/Drata and others are starting to build solutions that are somewhere in between checkbox compliance and real security. To the extent they integrate with your cloud providers and security tools, they can validate you have secure settings, active monitoring, and have remediated the things that have been flagged in a timely manner. Doesn't mean you are secure, but does ensure some baseline table stakes.
They are a goldmine of enumerated attack surface. But it would likely require some kind of secondary exploit of the identified vulns. The API connections are generally scoped to read-only access of security settings. Though it wouldn't surprise me if there was some way to get lateral movement from the access these tools have to monitor an environment.
At $LastCompany, someone gave them Contributor (Create/Read/Update/Delete) access to Azure because it was easier than scoping to the 5 roles they required. I wouldn't be shocked if we were not the only ones.
Edit: Their software should really check and refuse to work if someone does that but obviously Vanta doesn't care. They can begin scanning and billing.
It's what's annoying about NIST and DFARS: you can be fully compliant despite having made stupid decisions as long as you have documented that you are in fact making this stupid decision.
Thanks for the feedback. What we should probably do is take the credential, start scanning, and then nag them with a failing test about overly-permissive roles. Our own role is an easy check because we know what to expect, but there are other best practices here we can check for (and in some cases do, though not 100% comprehensively across all clouds.)
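The "easy check" discussed above, as an added example that is not Vanta's or any vendor's code: given a principal's role assignments (records shaped like `az role assignment list` output, with constructed sample data), flag broad roles such as Contributor and any drift from the documented least-privilege set. The expected-role set, the principal id and the scopes are assumptions.

```python
from dataclasses import dataclass

# Broad built-in roles a read-only compliance scanner should never hold (assumed list)
OVERLY_PERMISSIVE = {"Owner", "Contributor", "User Access Administrator"}


@dataclass
class Finding:
    scope: str
    role: str
    reason: str


def audit_scanner_roles(assignments, principal_id, expected_roles):
    """Compare one principal's role assignments against the roles it was
    documented to need. Records use keys principalId, roleDefinitionName
    and scope (the shape of `az role assignment list`; assumed here)."""
    findings, seen = [], set()
    for a in assignments:
        if a["principalId"] != principal_id:
            continue  # other principals are out of scope for this check
        role = a["roleDefinitionName"]
        seen.add(role)
        if role in OVERLY_PERMISSIVE:
            findings.append(Finding(a["scope"], role, "overly permissive role"))
        elif role not in expected_roles:
            findings.append(Finding(a["scope"], role, "role not in expected set"))
    # A missing expected role means the integration will silently under-scan
    for role in sorted(expected_roles - seen):
        findings.append(Finding("-", role, "expected role missing"))
    return findings


def should_refuse_to_scan(assignments, principal_id, expected_roles):
    """The stricter policy from the thread: refuse to start on a broad grant."""
    return any(f.reason == "overly permissive role"
               for f in audit_scanner_roles(assignments, principal_id, expected_roles))


# Constructed sample: the $LastCompany shortcut (Contributor instead of scoped roles)
SAMPLE = [
    {"principalId": "scanner-sp", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/0000-example"},
    {"principalId": "scanner-sp", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/0000-example"},
    {"principalId": "other-sp", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/0000-example"},
]
EXPECTED = {"Reader", "Security Reader"}  # hypothetical least-privilege set
```

Running `audit_scanner_roles(SAMPLE, "scanner-sp", EXPECTED)` yields one "overly permissive role" finding for Contributor and one "expected role missing" finding for Security Reader, which is the failing test the comment above proposes to surface.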
Try ISO 27001. Everyone says it's more onerous, but for startups, it's actually a lighter lift. It is a lot worse for big companies than SOC2, but it's a lot easier for startups.
Interesting! Do you have any resources or tips on how startups / small companies can keep the ISO 27001 process lightweight?
On a first scan, it seems that the amount of mandatory processes and documents is quite high...
Yeah, the only thing worse than the current status quo would be giving some SV startups a privileged position as gatekeepers for regulatory compliance (the Watershed strategy).