Hacker News: alanning's comments

For those looking for help with SOC2 compliance, I had a good experience with another YC company, Vanta. That was some years ago so not sure if anything has changed since then but I would recommend checking them out.

I had a pretty poor experience as a startup on Vanta. Maybe this is my own ignorance, but I told them when our contract was to renew that we do NOT want to renew. We were an early-stage startup soon to shut down and didn't need it. We never touched Vanta for 10 months before this, we never got SOC-2 (it was deprioritized). Not a single login in 10 months.

Nevertheless, they said it was too late to opt out, that it couldn't be canceled or postponed, and then kept emailing us endlessly and sent us to collections to pay them another $10K platform fee for the next year (more than we had in the company bank account).

I understand this with large corporations, but I don't think they're a good fit for startups.


It sounds like you signed a contract and weren’t happy with the terms. This is the point of a contract, though.

I like the Vanta people just fine and think it's a fine product, but I would not recommend it to startups looking to get SOC2.

https://fly.io/blog/soc2-the-screenshots-will-continue-until...

Most startups should be doing way, way less than automation platforms like these tell them they need to do to get a SOC2 attestation.


Not every sales team can convince a big paying customer that SOC2 isn't important. Lots of B2B SaaS companies have to play the enterprise lawyer game to get big contracts.

Fly is not saying "just ignore SOC2 compliance". Fly is saying "yes, get SOC2, we had to become SOC2 compliant, and also, you can work with your auditor to achieve SOC2 compliance in a more sane way than if you just do whatever is recommended upfront."

Basically, they are saying that you should tailor your SOC2 implementation so that it's actually useful without being a horrible overbearing process, that you have that option and should take it.


This feels like a weird response to a comment recommending how to approach getting a SOC2, that links to a blog post about Fly.io's SOC2.

The pitch isn't "don't get a SOC2", or "convince big paying customers that SOC2 isn't important". It's "don't worry about SOC2 until a big paying customer says they'll make big payments if you get it, and when you do worry about it, don't let SOC2 compliance trick you into doing bonkers infrastructure things"


YC has funded both Vanta and OneLeet. It's a shame they also funded a hype machine like Delve.

I would recommend both Vanta and OneLeet as good quality tools to work with, having used both. The founders of OneLeet are very accessible, and Vanta has all the integrations you would need as both a small startup and an enterprise-grade player.

Secureframe and Drata are other tools in a similar class that are also legitimate.


Vanta misses a lot of things needed to cover ISO 27001, and clearly misunderstands this norm at times.

The integrations are what make it really useful, but elements are not correctly connected between them, or are too limited to be useful: for instance, access review information tells you who is an "admin", but ignores the various permission levels (e.g. on GitHub, you can be an admin of a repository) which exist on each platform. So let's say you are using RBAC access policies; then all Vanta integrations are meaningless because you cannot check roles, and you have to build/buy another tool...

Their policy builder is a bad joke, slow, incomplete, and you lose all automations when you need to change even one word. The default policies are quite bad anyway, very long and complex, pushing you to use forms which are not integrated into the platform, so again you have to maintain a duplicate system elsewhere.

Generally speaking, there's no help to keep policies in sync with processes and proofs, and let me tell you, it goes out of sync very fast!


This is a great example for educating devs on the dangers of “set” operations vs. “pull/delete” in contexts where data can be edited concurrently.

I would say that the audit log was accurate, though, even though the bad UI design caused unintended consequences.
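The "set" vs. "pull/delete" hazard from that comment, as an added example that is not part of the thread: a toy in-memory store (names and helper functions are constructed for illustration) where a whole-field overwrite silently discards a concurrent removal, while a targeted pull keeps both.

```python
"""Lost update from a whole-field "set" vs. a targeted "pull"/"delete".

Added example, not from the original thread. A toy in-memory document store
with two write styles shows why a read-modify-write "set" of a whole list
silently discards a concurrent edit while a targeted "pull" keeps both.
"""


class Store:
    """Single-document store; each method models one atomic update statement."""

    def __init__(self, members):
        self._doc = {"members": list(members)}

    def read(self):
        # Hand out a copy, as a client would get from a query.
        return {"members": list(self._doc["members"])}

    def set_members(self, members):
        """'set' style: overwrite the whole field with the client's version."""
        self._doc["members"] = list(members)

    def pull_member(self, member):
        """'pull' style: the store removes one element; no client snapshot."""
        self._doc["members"] = [m for m in self._doc["members"] if m != member]


def remove_via_set(store, snapshot, member):
    """Client-side removal: edit a (possibly stale) snapshot, write it back whole."""
    store.set_members([m for m in snapshot["members"] if m != member])


def race_with_set():
    """Two editors read the same state and each removes a different member."""
    store = Store(["alice", "bob", "carol"])
    snap_a = store.read()  # editor A reads
    snap_b = store.read()  # editor B reads the same state before A writes
    remove_via_set(store, snap_a, "alice")  # A writes [bob, carol]
    remove_via_set(store, snap_b, "bob")    # B writes [alice, carol]: A's edit lost
    return store.read()["members"]  # returns ['alice', 'carol']


def race_with_pull():
    """The same two removals as targeted deletes: both survive."""
    store = Store(["alice", "bob", "carol"])
    store.pull_member("alice")
    store.pull_member("bob")
    return store.read()["members"]  # returns ['carol']
```

The same interleaving happens whenever two clients hold stale copies of a whole field; a database-side `$pull`-style update or a per-item delete does not depend on what the client last saw.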


One tool I've found useful in low-power/low-bandwidth situations is the Lynx web browser [1]. It used to be installed by default in most Linux distributions, but I think that's probably not the case anymore. Wikipedia says it's also available on OS X and Windows.

https://en.wikipedia.org/wiki/Lynx_(web_browser)


Links is a bit more usable than Lynx, I found.



Not supported on OS X for some time.


Chawan is nice.

https://chawan.net/


The Temporal Cookbook on TC39's site provides examples of how using the new API looks/feels:

https://tc39.es/proposal-temporal/docs/cookbook.html

For example, calc days until a future date: https://tc39.es/proposal-temporal/docs/cookbook.html#how-man...

...or, compare meeting times across timezones: https://tc39.es/proposal-temporal/docs/cookbook.html#book-a-...


I appreciate the time and effort they put into writing that. Interesting to see not only their own art but also the examples from other artists.

Any recommendations for getting exposure to other on-the-way-to-being-popular artists like the X-Ray one that was highlighted?


My wife and I got a kick out of your “Games at Dave's house” example. Thanks for sharing


Burnie Burns of Rooster Teeth made a massage appointment with the head of Xbox programming (luckily Siri was not that competent that it said "Mr. Appointment" in the invite)

https://www.youtube.com/watch?v=r499DeN770M


Thank you for sharing this.

Regarding feedback on whether sandboxing would be useful: yes, please! Including something like Docker sandboxes would make isolating the agent envs much less of a hassle.

As an aside, I’m curious how others are handling this now… Mostly just creating dedicated user accounts?


Thank you for the feedback! My general feeling is that people are not doing sandboxing. Those that are generally use devcontainers or some Docker-based solution.


Google’s efforts there seem laudable. They have an internal db for tracking issues that employees identify, resolve them promptly (according to the notes in the db and their response to the article authors), and generally seem to be taking the issues reported seriously.

I have more trust for Google after reading that, which is not what I expected.


“Knowing somebody at Google” has long been the best customer support route for non-enterprise customers, which represent almost all Google customers (per capita).


That is incredible.


I didn't know what you were referring to since I use FF with NoScript. Enabled JavaScript for the domain and whoa, that is really hard to read. Very strange choice; the article is much easier to read with the default browser fonts. So I guess JavaScript blockers FTW?

