Comment by twodave 5 days ago

15 replies

The people who need to read these articles are the auditors. Until they change their expectations, the many businesses who have to pass audits are still going to be stuck doing a lot of things that are industry-standard but also very stupid. This is the case even for small businesses in certain fields where security audits are valued. We have at least half a dozen measures in place that we know aren't actually helpful but we also know auditors won't budge on right now.

smallerfish 4 days ago

I've been pushing NIST on SOC2 auditors for years. They always accept it once given a link.

  • ShakataGaNai 4 days ago

    Makes sense. The thing people forget about SOC2 is that it's very not-technical and very much written by CPAs. No two SOC2s are identical. Hell, the same company's SOC2 done by different auditors will be different.

    Saying "The United States of America National Institute of Standards and Technology says X on page 423 of Special Publication 800-53 revision 5" is a really awesome "We're doing things the RIGHT way".

  • notTooFarGone 4 days ago

    Yes, it's this rolling on your back and preemptively trying to cover all eventualities that does stuff like this.

    It seems like no one wants to actually justify their decisions to auditors, as it's more time critical when the audit happens.

    • HauntedKiwi 4 days ago

      If only everyone involved with security compliance could learn the lesson that John learned in The Phoenix Project, developers and ops folks would experience a lot less pressure to treat the pantry like Fort Knox. There is not only evidence that goes against the expectations of many auditors, but there's also no requirement that compliance of everything be implemented through costly software and network changes, because physical security and process can be used for compliance as well.

mooreds 4 days ago

The auditors aren't writing the compliance guidelines, are they? Just enforcing them.

I'd say you want to send these articles to the people writing such guidelines.

What am I missing?

  • twodave 4 days ago

    No, you’re right. Though I think there’s definitely a gap between standards bodies like NIST and the AICPA or whoever sets the SOC2 standards these days. I think some of the answer is just momentum. Customers have come to expect it of their vendors, specifically because it is security theatre, something they can point to if anything goes wrong.

    • mooreds 4 days ago

      > because it is security theatre, something they can point to if anything goes wrong.

      Yeah, there is space between "this is a good practice and it's nice to be able to check the box" and "this is a standard someone else dictated but it will cover my butt if anything happens" unfortunately.

      I get it, I depend on standards all the time (food safety, equipment certification) so I understand the desire, but darn it's frustrating when they are viewed as a cure-all.

dstroot 4 days ago

Came here to say this, upvoted. Both Apple and Microsoft have "corporate IT" settings that can be used to turn off "trust my device", "remember me", etc. Auditors and CISO offices tend to lean in on checklist security - in other words it doesn't matter if it's actually more secure, it only matters that it passes the checklist audit. Many of the settings are user hostile and incentivize users to work around them. Making real security worse of course...

  • Henchman21 4 days ago

    I’m not sure how one changes the mind of auditors who are just there for a job and who aren’t actually interested in the field? IME, the only auditors who are knowledgeable are those overseeing the folks with checklists — and they rarely seem to have the time to correct the folks they’re overseeing.

    • twodave 4 days ago

      Customers need to ask for these changes, which is why this is hard to solve. At least in my field, many of the measures we end up having to fall in line with are the result of our customers deciding that those who bid on their contracts must have these certain credentials. If those same customers had more competent decision-makers determining technical qualifications then this would be less of an issue. Unfortunately, that also means that we will be stuck with these audits in their current form until the vast majority of our customers first decide they’re not needed.

    • nightpool 4 days ago

      Stop paying them, I guess, and find a different audit firm that's more knowledgeable. Just like anything else—you get the level of competence you pay for. (Although I guess there's probably a "sweet spot" at which you can pay less AND get better first-level auditors if you're not looking at the biggest firms that are going to charge the most money and also have the most churn)

    • immibis 4 days ago

      In a free market, you don't - you start your own company that doesn't waste half of everyone's time on security, and do stuff twice as efficiently, for half the price and outcompete the other one.

      Then you get outcompeted by a company with no security at all, which is twice as efficient as you until they get hacked.

      • spacebanana7 4 days ago

        Good security, the stuff that actually stops you from getting hacked, shouldn’t be considered wasteful. And eliminating good security shouldn’t be considered an improvement in efficiency.

        Ideally we should use the word “waste” to narrowly point at activities that are entirely pointless. Like requiring password rotation every 7 days.

        • catlifeonmars 4 days ago

          There is no incentive to do so when the shareholders are only interested in the next quarterly earnings report.

  • rainsford 4 days ago

    It seems like the problem here isn't the use of checklists, it's that the checklists in question contain questionable stuff like "enforce frequent reauth". Systematically checking for the presence of good things and the absence of bad things seems like a good idea both from a security and consistency perspective. Of course the trick is making sure your "good" and "bad" lists are well thought out and appropriately applied.