Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I’m at a tiny startup doing SOC 2 Type 2 at the moment. As far as I can tell it’s a complete joke. We have written policies but no-one knows what they are and they are never referred to ever. The app is riddled with SQL injection and who knows what other vulnerabilities because the original engineer has no idea what he was doing (working on fixing this!). There’s no auditing, no logging, no security scans (unless Dependabot alone counts), one shared SSH key - I could go on.

And apparently it’s going quite well. No reason to think we won’t get certified. I don’t know whether to laugh.

Is this normal?



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: