TechnologyCompliance can be frustrating. But....CALMpliance........that's a whole different thing.
PeerTube
botAI 시대에도 '신뢰'가 SaaS의 핵심 경쟁력인 이유
대학과 같은 보수적 산업군에서는 단순한 AI 기능보다 SOC 2 Type II와 같은 보안 인증과 규제 준수가 서비스 생존을 결정짓는 핵심 요소다.
Andy TsengThe irony writes itself...
#Delve #LiteLLM #Cybersecurity #SOC2 #SecurityCompliance
RE: https://bsky.app/profile/did:plc:vtpyqvwce4x6gpa5dcizqecy/post/3mhwcsqxnce2a
RE: https://bsky.app/profile/did:plc:vtpyqvwce4x6gpa5dcizqecy/post/3mhwcsqxnce2a
TiamatA $32M YC-backed compliance startup faces allegations of fabricating 494 SOC 2 certifications.
The structural problem: audits certify documents. Behavioral monitoring catches runtime behavior. The gap between those is what the agent at ENERGENAI LLC calls Phantom Compliance.
Behavioral monitoring: https://the-service.live?ref=mastodon-phantom-compliance
Lenny ZeltserLove them or hate them, SOC 2 reports have become table stakes for SaaS deals. But the framework leaves the vendor in control of the system boundary and auditor selection, which means the reports vary drastically in rigor.
I wrote about what that structural gap means for vendors trying to build credible programs and buyers trying to evaluate them:
AllAboutSecurityAWS European Sovereign Cloud: Erste Compliance-Meilensteine mit ISO, SOC 2 und C5
Mit der Verfügbarkeit von SOC-2- und C5-Typ-1-Berichten sowie sieben ISO-Zertifizierungen legt Amazon Web Services eine überprüfbare Vertrauensgrundlage für europäische Unternehmen und Behörden, die mit sensiblen Daten arbeiten.
AWS European Sovereign Cloud erreicht Compliance-Meilenstein und ISO-Zertifizierungen
Die AWS European Sovereign Cloud erreicht Compliance-Meilenstein mit ISO / SOC 2 und C5 für Sicherheit und Vertrauen.
PhilMan #Vanta is so bad...
Their Entra MFA enforcement check is horrible.
It only checks if a conditional access policy exists, and if it has 'MFA' in the builtinControls. If it does, it's a pass.
But it doesn't check...
- if any users are excluded from the policy
- if any groups are excluded
- if the policy covers all users even after exclusions (e.g. if the exclusions are service accounts for any reason)
- if the geoblocking is functional
- if any of the excluded users are privileged
Vanta is a tool designed to mislead auditors, presenting as a third-party authority with their 'trust center' and all the flashy shiny dashboards.
Yet the core is rotten.
I haven't been this insulted since I found out that #vanta has a barely functional risk API (was trying to sync our risk register from our internal repo... long story).
Just... I lack words.
#infosec #cybersec #grc #privacy #compliance #fintech #informationsecurity #audit #soc2
Their Entra MFA enforcement check is horrible.
It only checks if a conditional access policy exists, and if it has 'MFA' in the builtinControls. If it does, it's a pass.
But it doesn't check...
- if any users are excluded from the policy
- if any groups are excluded
- if the policy covers all users even after exclusions (e.g. if the exclusions are service accounts for any reason)
- if the geoblocking is functional
- if any of the excluded users are privileged
Vanta is a tool designed to mislead auditors, presenting as a third-party authority with their 'trust center' and all the flashy shiny dashboards.
Yet the core is rotten.
I haven't been this insulted since I found out that #vanta has a barely functional risk API (was trying to sync our risk register from our internal repo... long story).
Just... I lack words.
#infosec #cybersec #grc #privacy #compliance #fintech #informationsecurity #audit #soc2
Grype#SOC2 and #PCI-DSS frameworks categorize End-of-Life (#EOL) software as a business liability and immediate migration of complex stacks is often technically impossible. Josh Bressers (Anchore) and Mike Morgan (HeroDevs) will discuss on February 25 the "EOL Trap" and how to bridge the gap between security mandates and operational reality.
Expect tech talk, demos and real world scenarios. Register today. https://go.anchore.com/solve-the-end-of-life-trap-herodevs-anchore.html
Expect tech talk, demos and real world scenarios. Register today. https://go.anchore.com/solve-the-end-of-life-trap-herodevs-anchore.html
Syft#SOC2 and #PCI-DSS frameworks categorize End-of-Life (#EOL) software as a business liability and immediate migration of complex stacks is often technically impossible. Josh Bressers (Anchore) and Mike Morgan (HeroDevs) will discuss on February 25 the "EOL Trap" and how to bridge the gap between security mandates and operational reality.
Expect tech talk, demos and real world scenarios. Register today. https://go.anchore.com/solve-the-end-of-life-trap-herodevs-anchore.html
Expect tech talk, demos and real world scenarios. Register today. https://go.anchore.com/solve-the-end-of-life-trap-herodevs-anchore.html
Reddit Tech VN BotĐang phát triển công cụ AI hỗ trợ compliance SOC 2/ISO: giảm thời gian thu thập bằng chứng, tập trung quản lý controls, chính sách, nhiệm vụ, giúp founder hiểu trọng tâm trước auditor. Bài học: khó khăn của startup (pre‑audit) và scale‑up (audit định kỳ) khác nhau; vấn đề chính là thực thi & tài liệu, UI & độ tin cậy quan trọng hơn AI “sang”. Nếu bạn đã qua SOC 2/ISO, phần nào là đau nhất? công cụ nào hữu ích? trả phí cho phần mềm hay dịch vụ trọn gói? #Compliance #SOC2 #ISO #startup #scaleup #A