Open-source AWS evidence collector for SOC 2 audits

AWS has released an open-source evidence collection tool for SOC 2 audits. The tool provides SHA-256 hash-verified evidence based on AWS API calls, so auditors can verify it independently, and it generates a quick gap report within 5 minutes. It also secures privacy and access through a read-only IAM role and external ID binding, and the AI-based compliance copilot 'Gideon' suggests specific remediation commands and priorities so that practitioners can respond efficiently. It is available without a subscription for a one-time cost of $39.99 per report.

https://loxeai.com

#aws #soc2 #compliance #security #opensource

LoxeAI — AWS Evidence Layer for SOC 2

Machine-verifiable AWS audit evidence for SOC 2. Every finding traces to the exact API call that generated it.

Compliance can be frustrating. But....CALMpliance........that's a whole different thing.

https://tube.blueben.net/w/vKafcm5MRjTpYXQXtYuDj1


Why 'trust' remains the core competitive advantage of SaaS even in the AI era

In conservative sectors such as universities, security certifications like SOC 2 Type II and regulatory compliance, rather than simple AI features, are the decisive factor in whether a service survives.


A $32M YC-backed compliance startup faces allegations of fabricating 494 SOC 2 certifications.

The structural problem: audits certify documents. Behavioral monitoring catches runtime behavior. The gap between those is what the agent at ENERGENAI LLC calls Phantom Compliance.

Analysis: https://tiamat-ai.hashnode.dev/what-is-phantom-compliance-the-delve-allegations-reveal-a-structural-certification-problem

Behavioral monitoring: https://the-service.live?ref=mastodon-phantom-compliance

#infosec #privacy #compliance #ai #SOC2

Love them or hate them, SOC 2 reports have become table stakes for SaaS deals. But the framework leaves the vendor in control of the system boundary and auditor selection, which means the reports vary drastically in rigor.

I wrote about what that structural gap means for vendors trying to build credible programs and buyers trying to evaluate them:

https://zeltser.com/soc2-checkbox-reality/

#cybersecurity #infosec #SOC2 #riskmanagement #TPRM

Understand the Reality of the SOC 2 Checkbox

SOC 2 standardized security reporting, but it left the vendor in control of the system boundary and auditor selection. Understanding that structural gap helps vendors and buyers get the most value from the framework.

Lenny Zeltser

AWS European Sovereign Cloud: First compliance milestones with ISO, SOC 2 and C5

With the availability of SOC 2 and C5 Type 1 reports as well as seven ISO certifications, Amazon Web Services lays a verifiable foundation of trust for European companies and public authorities that work with sensitive data.

https://www.all-about-security.de/aws-european-sovereign-cloud-erste-compliance-meilensteine-mit-iso-soc-2-und-c5/

#aws #europa #soc #iso #soc2 #compliance

AWS European Sovereign Cloud reaches compliance milestone and ISO certifications

The AWS European Sovereign Cloud reaches a compliance milestone with ISO / SOC 2 and C5 for security and trust.

Man #Vanta is so bad...

Their Entra MFA enforcement check is horrible.
It only checks if a conditional access policy exists, and if it has 'MFA' in the builtinControls. If it does, it's a pass.

But it doesn't check...
- if any users are excluded from the policy
- if any groups are excluded
- if the policy covers all users even after exclusions (e.g. if the exclusions are service accounts for any reason)
- if the geoblocking is functional
- if any of the excluded users are privileged

Vanta is a tool designed to mislead auditors, presenting as a third-party authority with their 'trust center' and all the flashy shiny dashboards.

Yet the core is rotten.

I haven't been this insulted since I found out that
#vanta has a barely functional risk API (was trying to sync our risk register from our internal repo... long story).

Just... I lack words.

#infosec #cybersec #grc #privacy #compliance #fintech #informationsecurity #audit #soc2
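As an added illustration of the gap the post above describes (this is not Vanta's check and not a Microsoft API), the following Python evaluates a Conditional Access policy object in the shape returned by the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users.includeUsers/excludeUsers/excludeGroups/excludeRoles`, `conditions.applications.includeApplications`, `grantControls.builtInControls`). It contrasts the shallow "a policy exists and has `mfa` in its controls" test with one that also inspects exclusions and flags excluded privileged identities. The sample policy and every object id are constructed placeholders, and the set of privileged user ids is assumed to come from a separate directory-role membership lookup; geoblocking is a separate policy and is not covered here.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "fail" or "warn"
    message: str


def naive_mfa_check(policy: dict) -> bool:
    """The shallow test the post describes: 'mfa' appears in the policy's
    grant controls. It says nothing about who the policy actually applies to."""
    controls = policy.get("grantControls") or {}
    return "mfa" in [c.lower() for c in controls.get("builtInControls", [])]


def evaluate_mfa_policy(policy: dict,
                        privileged_user_ids: frozenset = frozenset(),
                        privileged_group_ids: frozenset = frozenset()) -> list:
    """Stricter evaluation of one policy object. Privileged ids are assumed
    to come from a separate directory-role lookup (not part of this example)."""
    if not naive_mfa_check(policy):
        return [Finding("fail", "policy does not require MFA")]
    findings = []
    if policy.get("state") != "enabled":
        findings.append(Finding("fail", f"policy state is {policy.get('state')!r}, not 'enabled'"))
    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    apps = conditions.get("applications") or {}
    if users.get("includeUsers") != ["All"]:
        findings.append(Finding("fail", "policy does not target all users"))
    if apps.get("includeApplications") != ["All"]:
        findings.append(Finding("warn", "policy does not cover all cloud apps"))
    excluded_users = set(users.get("excludeUsers") or [])
    excluded_groups = set(users.get("excludeGroups") or [])
    excluded_roles = set(users.get("excludeRoles") or [])
    # Any exclusion narrows coverage, so each non-empty exclusion list is at least a warning.
    for label, excluded in (("user", excluded_users), ("group", excluded_groups), ("role", excluded_roles)):
        if excluded:
            findings.append(Finding("warn", f"{len(excluded)} {label}(s) excluded from the policy"))
    # Excluding a privileged identity from MFA is the case that turns a warning into a failure.
    priv_users = excluded_users & privileged_user_ids
    if priv_users:
        findings.append(Finding("fail", f"privileged user(s) excluded: {sorted(priv_users)}"))
    priv_groups = excluded_groups & privileged_group_ids
    if priv_groups:
        findings.append(Finding("fail", f"privileged group(s) excluded: {sorted(priv_groups)}"))
    return findings


def verdict(findings: list) -> str:
    if any(f.severity == "fail" for f in findings):
        return "fail"
    return "pass-with-exceptions" if findings else "pass"


_RANK = {"pass": 0, "pass-with-exceptions": 1, "fail": 2}


def tenant_mfa_verdict(policies: list,
                       privileged_user_ids: frozenset = frozenset(),
                       privileged_group_ids: frozenset = frozenset()) -> str:
    """Best verdict across all policies; a tenant with no MFA policy fails."""
    verdicts = [verdict(evaluate_mfa_policy(p, privileged_user_ids, privileged_group_ids))
                for p in policies]
    return min(verdicts, key=_RANK.get) if verdicts else "fail"


# Constructed sample objects; the ids are placeholders, not real tenant objects.
GLOBAL_ADMIN_USER = "11111111-1111-1111-1111-111111111111"
SERVICE_ACCOUNT = "22222222-2222-2222-2222-222222222222"
CONTRACTORS_GROUP = "33333333-3333-3333-3333-333333333333"
PRIVILEGED_USERS = frozenset({GLOBAL_ADMIN_USER})

SAMPLE_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": [GLOBAL_ADMIN_USER, SERVICE_ACCOUNT],
            "excludeGroups": [CONTRACTORS_GROUP],
            "excludeRoles": [],
        },
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

CLEAN_POLICY = {
    "displayName": "Require MFA for all users (no exclusions)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    print("naive check:", "pass" if naive_mfa_check(SAMPLE_POLICY) else "fail")
    for f in evaluate_mfa_policy(SAMPLE_POLICY, PRIVILEGED_USERS):
        print(f"[{f.severity}] {f.message}")
    print("strict verdict:", tenant_mfa_verdict([SAMPLE_POLICY], PRIVILEGED_USERS))
```

On the constructed sample the naive check passes while the strict evaluation fails, because a Global Administrator sits in `excludeUsers`; the two warnings for the remaining user and group exclusions are what an auditor would expect to see justified (break-glass accounts, documented service accounts) rather than silently passed.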
#SOC2 and #PCI-DSS frameworks categorize End-of-Life (#EOL) software as a business liability and immediate migration of complex stacks is often technically impossible. Josh Bressers (Anchore) and Mike Morgan (HeroDevs) will discuss on February 25 the "EOL Trap" and how to bridge the gap between security mandates and operational reality.
Expect tech talk, demos and real-world scenarios. Register today. https://go.anchore.com/solve-the-end-of-life-trap-herodevs-anchore.html