undefined | Better HN

0 pointssaganus1d ago0 comments

Would a proper SOC2 audit have prevented this?

I've been through SOC2 certifications in a few jobs and I'm not sure it makes you bullet proof, although maybe there's something I'm missing?

0 comments

shados1d ago

SOC2 is just "the process we say we have, is what we do in practice". The process can be almost anything. Some auditors will push on stuff as "required", but they're often wrong.

But all it means in the end is you can read up on how a company works and have some level of trust that they're not lying (too much).

It makes absolutely zero guarantees about security practices, unless the documented process make these guarantees.

saganusOP1d ago

Yeah, that was my understanding as well, so I fail to see how a proper SOC2 would have prevented this.

I mean ideally a proper SOC2 would mean there are processes in place to reduce the likelihood of this happening, and then also processes to recover from if it did ended up happening.

But the end result could've been essentially the same.

kyyol1d ago

It wouldn't have. lol.

stevekemp1d ago

Just so long as it was a proper SOC2 audit, and not a copy-pasted job:

https://news.ycombinator.com/item?id=47481729

j / k navigate · click thread line to collapse