undefined | Better HN

0 pointsdgellow2h ago0 comments

I guess we had different experiences. The ones I interacted with were ok and wouldn’t have accepted a simple nmap here

0 comments

I'm not being snarky when I say that not getting your automated vulnerability scan, whatever it might have been, past your SOC2 auditors is a skills issue. SOC2 audits are not technical and the vulnerability scan control in SOC2 is categorically not meaningful. Cloudflare wrote a whole post about this.

dgellowOP2h ago

FWIW I agree that SOC2 for automated vulnerability scans has a really low bar and isn’t too meaningful. At no point did I defend SOC2 here. The bar I’ve seen is above “just an nmap”, which is pretty bad standard IMHO. You seem to be reading way too much in my comments

tptacek2h ago

I brought up nmap. You said you'd expect respected SOC2 auditors to reject it. I don't just think that's not true, I know it not to be true.

1 more reply

j / k navigate · click thread line to collapse

0 comments

tptacek2h ago

dgellowOP2h ago

tptacek2h ago

I brought up nmap. You said you'd expect respected SOC2 auditors to reject it. I don't just think that's not true, I know it not to be true.

1 more reply

j / k navigate · click thread line to collapse