by mgraczyk 77 days ago
Having gone through the SOC2 process multiple times and having worked with and read SOC2 reports from many public companies, it's difficult for me to understand the outrage.

The specific fraud allegations are bad (lying about US-based auditors) but it's completely normal and common for SOC2 reports to be templates with no company-specific information. It would be unusual for reports to include anything about the specific information found during an observation window, as some have suggested.

SOC2 is basically fake and it isn't possible in practice to fail to be compliant. You really can apply the same template to all companies and automate the audit process.

We have done SOC2 and it's not fake. It's real and enforced some good practices, and we spent a lot of time collecting evidence and submitting it. You can take it seriously or you can choose not to.
What evidence did you collect that was not automated?
A startup might have trouble with, and might not have enough automation for:

- proving churned customer data was deleted completely and within the agreed-on period of time
  - not enough to have a record
  - auditors will ask you to prove the data is not lying around
- proving all changes shipped are reviewed and linked to tracked work
- proving branch rules are set to require PRs and prohibit changing history on release/trunk branches
  - auditors will ask you to show live that you can't approve your own changes
  - some auditors might ask you for an audit log to prove no unexpected branch rule changes occurred; depending on the observation period, you might have to build your own audit log capture to prove this
- proving you performed penetration testing
- proving you performed a disaster recovery test in production with the frequency you claim (e.g. annually)
  - running a DR test might take more than a few hours depending on your data size and level of infra automation
  - this is often something that startups are ready to execute, but don't invest a lot of time automating
- proving you have and enforce full-disk encryption on all your employee laptops
  - this is automated with MDM, but a startup might not be running an MDM yet
- proving you are rotating credentials on the frequency you ascribe to in your policies
  - automated reports are available for some credentials, e.g. AWS keys, but it takes more work for smaller vendors
  - even with AWS, you might discover you forgot to rotate something, and it might be because it's non-trivial to execute
- performing quarterly access reviews
  - some systems are more difficult/time-consuming to inspect against your employee and permissions list
  - ideally this is automated, but often at a startup you might not have fully automated authorization and access control, such that when employees change teams or leave the company you get notified and don't miss it
- proving that you act on performance or reliability alerts
  - auditors will ask you to show live some examples of past alerts and that someone handled it
  - auditors will often ask you to show live that these alerts are consistently configured for all your production systems; startups might not have the alerting and PagerDuty-like setup fully automated (e.g. with Terraform)
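Two of the evidence items above (credential rotation against a stated policy, and a quarterly access review against the employee list) are the kind of check a startup can script rather than assemble by hand each observation window. The block below is an added example written for this page, not code from any commenter or from a SOC2 tooling vendor. It assumes a credential report CSV shaped like the one AWS IAM exports (only the columns used are included, and the rows are constructed), a fixed "as of" date so the result is reproducible, and an HR roster and permission export modelled as plain dictionaries; the user names, account id and grant names are all made up.

```python
"""Scriptable SOC2 evidence checks: key-rotation age and access-review exceptions.

Added example (not from the thread). Assumptions: the credential report is a CSV
with columns modelled on the AWS IAM credential report; roster and grants are
simple in-memory structures standing in for an HRIS export and a system's
permission dump. All sample values below are constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample rows; column names follow the IAM credential report layout.
# Inactive key slots carry "N/A" for the rotation timestamp, as the real report does.
CREDENTIAL_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,arn:aws:iam::123456789012:user/alice,true,2024-01-15T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2023-06-01T09:30:00+00:00,true,2024-02-20T12:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,true,2023-11-30T08:00:00+00:00,false,N/A
"""

ROTATION_POLICY_DAYS = 90  # the rotation frequency the written policy claims
# Fixed "now" so the evidence is reproducible when re-run for the auditor.
AS_OF = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def stale_access_keys(report_csv, as_of=AS_OF, max_age_days=ROTATION_POLICY_DAYS):
    """Return (user, key_slot, age_in_days) for every active key older than the policy.

    Inactive slots are skipped before their timestamp is parsed, so the "N/A"
    placeholder never reaches fromisoformat().
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"].strip().lower() != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age_days = (as_of - rotated).days
            if age_days > max_age_days:
                findings.append((row["user"], slot, age_days))
    return findings


# Constructed sample: current employees from HR, and one system's permission export.
HR_ROSTER = {"alice": "engineering", "bob": "support"}
SYSTEM_GRANTS = {
    "alice": {"prod-db-admin", "repo-write"},
    "bob": {"support-console"},
    "carol": {"prod-db-admin"},    # departed employee whose grants were never revoked
    "ci-deploy": {"repo-write"},   # service account, legitimately absent from HR
}
# Known non-human accounts; anything else not in HR is an access-review exception.
SERVICE_ACCOUNTS = {"ci-deploy"}


def access_review_exceptions(roster, grants, service_accounts=SERVICE_ACCOUNTS):
    """Map each account holding grants without a current employee or known
    service account behind it to the sorted list of grants it still holds."""
    return {
        acct: sorted(held)
        for acct, held in sorted(grants.items())
        if acct not in roster and acct not in service_accounts
    }


if __name__ == "__main__":
    for user, slot, age in stale_access_keys(CREDENTIAL_REPORT):
        print(f"ROTATION: {user} access key {slot} is {age} days old (> {ROTATION_POLICY_DAYS})")
    for acct, held in access_review_exceptions(HR_ROSTER, SYSTEM_GRANTS).items():
        print(f"ACCESS REVIEW: {acct} not in roster but holds {held}")
```

Run it as a script and the two printed sections are the artifacts an auditor asks for: a dated list of keys that breached the policy, and a dated list of accounts that the quarterly review should have removed. Keeping `AS_OF` fixed per run (and recording it in the output) is what turns the script from a one-off into evidence that the check was actually performed on a given date.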
There are typically two soc2 reports generated from an audit. The first is the one for general use, often just shared publicly. This is probably what you look at from public companies that you have no binding relationship with. The other is the restricted use report which details all the findings and controls. That is typically only shared under NDA.
I haven't seen that, and all the reports I got were under NDA.
>it's difficult for me to understand the outrage.

It's pretty simple. Compliance is legally important, and faking compliance exposes companies to extraordinary legal liability. Being lied to about your compliance warrants outrage.

>SOC2 is basically fake

This isn't true, but if it were, it would justify outrage in its own right.

I don't understand in what sense they faked the process. What I've heard described is substantially similar to other SOC2 processes I've seen.

And yes, SOC2 is fake. Have you ever heard of a startup failing to get SOC2, or doing more than a few hours of work to get into compliance?