Comment by shortrounddev2

2 days ago

Absolute theater. They do nothing to validate that you are compliant with whatever ISO cert you're pursuing. They make you install a root cert on your macbook and they say that's good enough to ensure compliance. You just attest that you don't do stupid shit like committing directly to master or testing in production and they believe you

> compliant with whatever ISO cert you're pursuing

ISO cert compatibility audits are very different from a proper security audit.

And whether they do anything to check depends on which you hire; many of the slightly more expensive ones have the reputation of being "fast" and "overlooking most issues".

But that doesn't apply to all security audits (it does to most audits for ISO compatibility, though; like, really, it's bad).

Anyway, see my way too long answer about this on a sibling comment.

  • I'm certain there are good firms out there which will actually give you a legit audit and make recommendations. But if the client is not actually interested in security, there will always be unscrupulous firms who will essentially sell you an ISO cert with no effort required. In my experience, most medium- to small-sized companies place little value in security.