by mac-chaffee
947 days ago
I actually wrote this post in preparation for a fight about WAFs with a SOC2 auditor, wish me luck! :) The specific control says "Boundary protection systems (for example, firewalls, DMZs, IDS/IPS, and EDR systems) are configured, implemented, and monitored to protect external access points", which seems to leave room for doing stuff other than WAFs.

Even if you mark it out of scope, this pops up in most of the RFPs. Customers are generally not very keen to see security implementations that are out of the box. It should be kind of industry standard.
Having said that, WAFs are falling out of fashion lately.