Comment by dgellow
3 hours ago
I guess we had different experiences. The ones I interacted with were ok and wouldn’t have accepted a simple nmap here
3 hours ago
I guess we had different experiences. The ones I interacted with were ok and wouldn’t have accepted a simple nmap here
I'm not being snarky when I say that not getting your automated vulnerability scan, whatever it might have been, past your SOC2 auditors is a skills issue. SOC2 audits are not technical and the vulnerability scan control in SOC2 is categorically not meaningful. Cloudflare wrote a whole post about this.
FWIW I agree that SOC2 for automated vulnerability scans has a really low bar and isn’t too meaningful. At no point did I defend SOC2 here. The bar I’ve seen is above “just an nmap”, which is pretty bad standard IMHO. You seem to be reading way too much in my comments
I brought up nmap. You said you'd expect respected SOC2 auditors to reject it. I don't just think that's not true, I know it not to be true.
5 replies →