by apimade 36 days ago
I’ll spend some more time replying to this next week, so circle back to this comment; I’m someone who regularly helps people get past these audits, meet the criteria customers are trying to assess with these certifications, and vet startups who don’t have these certifications or budget.

Start by pre-filling your own CAIQ v4 with an earnest “we don’t do this” or “we haven’t even thought about this” attempt: https://cloudsecurityalliance.org/artifacts/cloud-controls-m...

Then read through it and see what you can address immediately (EDR on your laptop, MFA on your cloud environments, etc.), followed by role playing your client: “based on answers to this questionnaire, what would I not accept?”

There will be some items you can’t fix.

You’ll soon find out the majority of customers, including banks, governments, defence contractors, crypto startups — simply do not care. If they want to use your product, they’ll work with you.

It may be single-tenancy, it may require architectural changes, it may mean making it self-hosted with a time-bomb, but you’ll be able to address the requirements of the CISO, compliance monkey or executive.

I’ve yet to meet an industry or individual I can’t convince. Even if the product is a hot mess, half baked and radioactive — we’ll deploy it on a VM running inside of a VDI within the customer’s environment, because slopping together a migration path is _so easy_, and those early, highly regulated clients are worth it.


A major problem of the entire compliance/auditing industry is that companies don't ask enough: "what are the actual risks we are dealing with", "what's the goal for a given control", "do we have an alternative control ensuring that".

Compounded by cheap, shitty auditors that just mark down checkboxes on a worksheet.

Agree, see the Delve fiasco. But that’s not their job. Their job is literally checkbox. However some audits are so poorly done, or have auditors with zero real world engineering or cyber experience, they’re actively harmful to a product or customer base.

Example: insane, complex password policies and password rotation policies. These are still pushed by auditors rather than trying to build a reasonable exception case with the client.

I was thinking more of audits that do not even allow deviation, nor have any understanding of what they are asking for with each checkbox. So it's hard to even start on anything nuanced.

Please don't do any extra engineering for your wiki project simply because it appears on the Cloud Security Alliance CAIQ worksheet. These worksheets are built by committees where every member has a bunch of idiosyncratic controls and objectives that they slip into the document.
Sometimes good change comes from compliance. More than once I’ve seen major product resources shift to address major cybersecurity gaps, in response to a compliance-led audit.

Compliance is not security, but engineers, especially solo ones, tend to have their blinkers on when they’re trying to build something to first work.

Do you genuinely use em-dashes in your regular writing? I'm just curious because whenever I type I simply press -

An em-dash is just Alt-(regular-dash) on most well-configured compose key configurations; it's not any harder.

This is also the default macOS/iPadOS configuration. (So I use em-dashes when I'm writing on macOS/iPadOS, but not on Windows.)

iPhone.

Thank you! That makes a lot of sense!
No worries, it’s more about finding what the security and compliance teams care about — and making them comfortable. Compliance doesn’t equal security, I’ve onboarded startups with better security than the SOC2 certified, ISO27K Swiss cheese $B unicorn.

Hackers don’t target based on certification. It’s generally convenience and motive. Unknown startups who are laying solid foundations won’t show up on anyone’s radar for the first 2 years without some insanely unlucky event (i.e. supply chain breach, an early employee doing something really dumb).