Today it's my turn to present at the company all-hands meeting: on the importance of the #SOC2 certification.
I hope the first slide captures my feelings appropriately.
"in all material respects" must be my least favourite security buzzword bingo phrase #soc2
Over the last few years I was usually the go-to guy for anything product compliance related, #SOC2 and #ISO27001 mainly. The standardization and #opensource related work towards a safer internet for everyone is important. Google's effort of bringing forward a standard for vulnerability scanning is noteworthy: https://github.com/google/osv-scanner
Our latest #opensource drop: https://github.com/chainguard-dev/acls-in-yaml
As part of #SOC2 #compliance, we've been using this to run monthly #audit reviews of our ACLs across SaaS platforms: #GCP, #Slack, #Vercel, etc.
acls-in-yaml dumps #ACLs from each platform into a consistent and neutral #YAML format, which makes it easy to visualize change over time.
We use this by committing the result into a #Github repo and getting the PR reviewed by the admins for each system.
PS: ACL change alerts are also awesome!
#github #yaml #ACLs #Vercel #slack #gcp #audit #compliance #SOC2 #opensource
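The review workflow described in the post above (snapshot ACLs into a neutral YAML layout, commit, diff, have the admins review) can be illustrated with a small diff-and-flag script. This is an added example, not code from the acls-in-yaml project: the snapshot shape (platform -> list of resource/principal/role entries), the privileged-role list and the organisation domain are all assumptions, and the sample snapshots are constructed inline as the dicts `yaml.safe_load()` would produce, so it runs without PyYAML or network access.

```python
"""Diff two ACL snapshots and flag grants worth a reviewer's attention.

Added example; the snapshot layout below is an assumption, not the real
acls-in-yaml schema.  In practice `BEFORE` and `AFTER` would come from
yaml.safe_load() on two consecutive committed dumps.
"""
from typing import Dict, List, Set, Tuple

# (platform, resource, principal, role) identifies one grant
Grant = Tuple[str, str, str, str]
Snapshot = Dict[str, List[Dict[str, str]]]

# Constructed sample: last month's review snapshot
BEFORE: Snapshot = {
    "gcp": [
        {"resource": "project-x", "principal": "alice@example.com", "role": "owner"},
        {"resource": "project-x", "principal": "bob@example.com", "role": "viewer"},
    ],
    "slack": [
        {"resource": "workspace", "principal": "alice@example.com", "role": "admin"},
    ],
}

# Constructed sample: this month's snapshot (bob elevated, an external
# viewer added, a new Slack admin)
AFTER: Snapshot = {
    "gcp": [
        {"resource": "project-x", "principal": "alice@example.com", "role": "owner"},
        {"resource": "project-x", "principal": "bob@example.com", "role": "editor"},
        {"resource": "project-x", "principal": "carol@contractor.test", "role": "viewer"},
    ],
    "slack": [
        {"resource": "workspace", "principal": "alice@example.com", "role": "admin"},
        {"resource": "workspace", "principal": "dave@example.com", "role": "admin"},
    ],
}

# Roles that should always get a second look when newly granted (assumed list)
PRIVILEGED_ROLES = {"owner", "admin", "editor"}


def grants(snapshot: Snapshot) -> Set[Grant]:
    """Flatten a snapshot into a set of grant tuples so set arithmetic works."""
    out: Set[Grant] = set()
    for platform, entries in snapshot.items():
        for e in entries:
            out.add((platform, e["resource"], e["principal"], e["role"]))
    return out


def diff_acls(before: Snapshot, after: Snapshot) -> Tuple[List[Grant], List[Grant]]:
    """Return (added, removed) grants between two snapshots, sorted for stable diffs."""
    old, new = grants(before), grants(after)
    return sorted(new - old), sorted(old - new)


def flag_privileged(added: List[Grant], privileged: Set[str] = PRIVILEGED_ROLES) -> List[Grant]:
    """Newly granted roles from the privileged list."""
    return [g for g in added if g[3].lower() in privileged]


def flag_external(added: List[Grant], org_domain: str) -> List[Grant]:
    """Newly granted principals whose account is outside the organisation domain."""
    suffix = "@" + org_domain.lower()
    return [g for g in added if not g[2].lower().endswith(suffix)]


def review_report(before: Snapshot, after: Snapshot, org_domain: str) -> str:
    """Human-readable summary to paste into the monthly review PR."""
    added, removed = diff_acls(before, after)
    priv = set(flag_privileged(added))
    ext = set(flag_external(added, org_domain))
    lines = []
    for g in added:
        tags = []
        if g in priv:
            tags.append("PRIVILEGED")
        if g in ext:
            tags.append("EXTERNAL")
        suffix = f"  [{', '.join(tags)}]" if tags else ""
        lines.append("+ " + " ".join(g) + suffix)
    for g in removed:
        lines.append("- " + " ".join(g))
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_report(BEFORE, AFTER, "example.com"))
```

Committing the snapshot and running the diff in CI gives the admins a PR where the "+" lines tagged PRIVILEGED or EXTERNAL are the ones that need an explicit sign-off; everything else is routine churn. The same functions can drive the ACL change alerts mentioned in the post, by running them against the previous snapshot on every new dump instead of once a month.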
I'm open-sourcing a new tool today: kolide-google-matcher
It's fringe, as it's designed for IT admins that use both #Kolide and #GoogleWorkspace, but for that handful of users, it can unearth #soc2 #compliance violations: https://github.com/chainguard-dev/kolide-google-matcher
#compliance #SOC2 #googleworkspace #Kolide