by ath0 2124 days ago
Not really a fair assessment.

An auditor's job is often to check if you're doing what an external standard says you should be doing (SOC 2 => AICPA trust principles; FedRAMP => NIST 800-53, etc.).

Unfortunately, these external standards may be written vaguely and while you may have policies that define X as Y, the auditor doesn't have to accept your answers. For example, when PCI requirement 5 says "Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).", your policy may say "antivirus is not required inside containers that run on platforms like GKE, as these are not commonly affected by malicious software." It's very likely you'll have a discussion about your interpretation of that requirement.


PCI also suggests a hardened system image, for example CIS, and consistency checking like AIDE. I'm getting tired of explaining that CIS (and other) "hardened" images just flip a few options and install lots of crap that can actually increase risk. E.g. you don't need cron? Haha, it's scored in the CIS benchmark, now you're running it.

I don't mean to just single out CIS as bad, but recently I learned that Ubuntu CIS docker images contain AIDE, cron, and sysctl configuration. Yes, you pay for that. I'll be making fun of that for a long time.

Not responding to this, just using the example. It can be easily argued that adding AV software to (some) servers increases their attack surface and reduces their security (leaving alone performance and other AV issues).
So every team gets to argue with the auditors? Seems like the people writing the policy should do that so there's one argument instead of n.
Sounds like you've mostly worked in perfectly-sized and structured corporations, where the auditors and policy-writers were perfectly connected to changing product, business and technical needs; well-staffed with policy writers and architectural governance committees who have the time, skill and background to have regular, even-handed tradeoff conversations when these issues occur, and where the engineering teams are prepped and able to engage in those conversations well.

Are they hiring?

Unfortunately, they have an audited policy of not hiring sarcastic people.
Actually, you are both half right, half wrong. If GP was talking about internal audit, they are correct. If you are talking about external audit, then you are correct. If you are lumping both audit functions into one, you are both wrong. Big difference between the two.
No, they check whether an external standard that you purport to follow is actually being followed.

You don't have to claim that you follow some standard that actually makes you less secure; you are just not going to be able to sell to clients who are also sheep in this manner (read: everyone).