<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: RobertB</title>
    <description>The latest articles on DEV Community by RobertB (@bkbrawler04).</description>
    <link>https://dev.to/bkbrawler04</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F343618%2F220cd2d4-6e57-4003-8f7f-15db4ec11a56.jpeg</url>
      <title>DEV Community: RobertB</title>
      <link>https://dev.to/bkbrawler04</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/bkbrawler04"/>
    <language>en</language>
    <item>
      <title>You do not know what you do not know.</title>
      <dc:creator>RobertB</dc:creator>
      <pubDate>Tue, 10 Sep 2024 06:46:45 +0000</pubDate>
      <link>https://dev.to/bkbrawler04/you-do-not-know-what-you-do-not-know-56b9</link>
      <guid>https://dev.to/bkbrawler04/you-do-not-know-what-you-do-not-know-56b9</guid>
      <description>&lt;p&gt;This can be enlightening to those who want to pursue knowledge on varying levels. Also, it can help you expose your weaknesses. I have always believed that there are two types of people in this world. Those who have been hacked and those who do not know they have been hacked. It is a good method in consistently checking your environment for security holes. Red team your environment(s) as much as you can. As often as you can to expose what might be an issue for you. Blue team your environment(s) after you find your security holes. You can then purple team to evaluate your testing. &lt;/p&gt;

&lt;p&gt;We use a tool called &lt;a href="http://intruder.io" rel="noopener noreferrer"&gt;intruder.io&lt;/a&gt;, an automated vulnerability scanning tool. It integrates with your cloud environment, lets you specify the targets to check, and runs on a weekly, monthly, or quarterly schedule. It also runs scans for emerging threats (&lt;a href="https://help.intruder.io/en/articles/2068984-emerging-threat-scans-explained" rel="noopener noreferrer"&gt;https://help.intruder.io/en/articles/2068984-emerging-threat-scans-explained&lt;/a&gt;). We have it running against our environment alongside other scanning tools in our cloud environment and Datadog.&lt;/p&gt;

&lt;p&gt;Automated scanning is great and discovers a lot of issues in an environment, yet a manual pentest still adds value. We use the data from Intruder as evidence for SOC 2 compliance. We have fixed every issue it reported and hold a cyber hygiene score of A+ (Excellent). When one of our clients requested a manual pentest, the thought of doing something manual when automation exists seemed counter-productive. The results of the manual pentest were enlightening: a clean automated scan means only that the scanner found nothing, not that there is nothing to find.&lt;/p&gt;

&lt;p&gt;The manual pentest found ten issues that the automated tool did not pick up. Granted, they were mainly low or informational, but they were still issues that were not caught. One example of a low finding: some cookies set by our site did not have the Secure flag, so a browser would also send them on a plain-HTTP request to the same host, where they could be read in transit. That is a quick fix, and at the same time a good thing to know; the same review usually covers the HttpOnly and SameSite attributes as well.&lt;/p&gt;
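&lt;p&gt;The kind of check a manual tester applies by hand when reading raw responses, written out as an added example (not code from the original post, from Intruder, or from Software.com). It parses the Set-Cookie headers of an HTTP response and reports cookies lacking Secure, HttpOnly, or SameSite, plus the SameSite=None-without-Secure combination that browsers reject. The response text is constructed sample input, not captured from any real site.&lt;/p&gt;

```python
"""Audit Set-Cookie headers for missing hardening attributes.

Added example of a manual cookie check. The HTTP response below is
constructed sample input, not a capture from any real site.
"""

# Constructed sample: one response setting three cookies with different
# attribute combinations. Line endings are CRLF as on the wire.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrf=tok456; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Set-Cookie: tracker=xyz; Path=/; SameSite=None\r\n"
    "\r\n"
    "body"
)


def set_cookie_headers(raw_response):
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookie(header_value):
    """Return (cookie_name, findings) for one Set-Cookie header value.

    Attribute names are case-insensitive per RFC 6265, so they are compared
    lowercased. Flag attributes such as HttpOnly carry no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val.strip()

    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie on plain http://
        # requests to the same host, e.g. a typed-in URL before the redirect.
        findings.append("missing Secure")
    if "httponly" not in attrs:
        # Without HttpOnly, script on the page can read the cookie (XSS impact).
        findings.append("missing HttpOnly")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None unless Secure is also present.
        findings.append("SameSite=None without Secure")
    return cookie_name, findings


def audit_response(raw_response):
    """Map each cookie name to its findings; clean cookies map to []."""
    return dict(audit_cookie(v) for v in set_cookie_headers(raw_response))


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        status = ", ".join(findings) if findings else "ok"
        print(name + ": " + status)
```

&lt;p&gt;Run it as a script to print one line per cookie. On the sample above, &lt;code&gt;csrf&lt;/code&gt; comes back clean, &lt;code&gt;session&lt;/code&gt; lacks Secure and SameSite, and &lt;code&gt;tracker&lt;/code&gt; lacks everything. A scanner that only looks for the Secure flag would still miss the SameSite=None case.&lt;/p&gt;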

&lt;p&gt;Sometimes we miss things by not going just a bit further. Thanks to the client who wanted more from us than an automated pentest. Without them we would… not know what we did not know.&lt;/p&gt;

</description>
      <category>security</category>
      <category>pentest</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Software: Our SOC 2 journey</title>
      <dc:creator>RobertB</dc:creator>
      <pubDate>Fri, 30 Aug 2024 23:03:06 +0000</pubDate>
      <link>https://dev.to/bkbrawler04/software-our-soc-2-journey-8jn</link>
      <guid>https://dev.to/bkbrawler04/software-our-soc-2-journey-8jn</guid>
      <description>&lt;p&gt;SOC stands for System and Organization Controls. It is a widely used standard for organizations that handle customer data. A SOC report is the result of an independent auditor (a CPA firm) verifying a set of standardized controls defined by the American Institute of Certified Public Accountants (AICPA). Companies use SOC reports to demonstrate to their clients that the controls they operate internally are in place and effective. Below you will see how automating and exposing this information benefits a company.&lt;/p&gt;

&lt;p&gt;For SOC 2, the main components of becoming and staying compliant are threefold. One, a good centralized documentation center (a place to store all of your reviews and controls). Two, a way to &lt;em&gt;automatically&lt;/em&gt; update and verify controls. Three, a good auditor who works with you to make sure that you are successful. SOC 2 is something you have to do continuously and publicize, so that your clients can see that you remain compliant.&lt;/p&gt;

&lt;p&gt;At &lt;a href="http://Software.com" rel="noopener noreferrer"&gt;Software.com&lt;/a&gt; we started on our journey like many others, by researching different vendors and looking who can support the aforementioned threefold components. We ended up choosing a company called Drata. At the time Drata had a good centralized system and a pretty good way of allowing read only access for auditors to get information. Once we found Drata we went out to find an auditor that had experience with Drata so that there was an existing cohesion between the two. Once we found our auditor we then focused on getting our SOC 1.&lt;/p&gt;

&lt;p&gt;Drata’s tooling made it fairly straightforward to understand what needed to be done. We were able to integrate our main cloud platform and add our subprocessors. Selecting SOC 2 as the target framework also made it easier, because all of the required controls were laid out in Drata. Some controls did not apply to us, however, as we are a remote-only company. We still have the same challenges as a non-remote company in ensuring that our devices and personnel comply with SOC 2. Within Drata there is a way to assign devices to specific users and, thanks to the Drata agent, to ensure that the device(s) they use stay compliant. We were able to get all of our employees compliant within a short period. This included taking security training, reviewing and accepting company policies, and updating their passwords and login methods to meet the control standards outlined in SOC 2.&lt;/p&gt;

&lt;p&gt;During this period we benefited greatly from aligning ourselves with a skilled auditor. As mentioned, we are a remote-only company, so policies that refer to building access did not apply to us. At Software we do use a cloud environment for our application, so making sure it was compliant and listed as an important subprocessor was something Drata automated. As you can see, Drata makes this a bit easier; I told you this would be simpler if you have the right tools. We still needed to fill in the policy templates that Drata provided, and then write some policies of our own that were not available in Drata, as it is a generalized tool. It worked in our favor to see the Drata dashboard showing all of the controls that still needed to be completed and those that were already done. The Type 1 report was the most laborious task in our SOC 2 journey. We needed to generate documentation, vet our subprocessors, and ensure everyone was compliant in: Acknowledge Policies, Identity MFA, Background Checks, Security Training, and Device Compliance.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Acknowledge Policies

&lt;ul&gt;
&lt;li&gt;This is straightforward: you write company policies, for example a backup policy that defines and outlines how your company backs up information, and your personnel read and acknowledge them.&lt;/li&gt;
&lt;/ul&gt;

&lt;/li&gt;

&lt;li&gt;Identity MFA

&lt;ul&gt;
&lt;li&gt;MFA requirements can be company specific. You check whether your users use MFA or 2FA on the company-provided IdP. This is important, as are all of the constant checks and controls: any method that prevents data exposure is what SOC 2 is all about.&lt;/li&gt;
&lt;/ul&gt;

&lt;/li&gt;

&lt;li&gt;Background Checks

&lt;ul&gt;
&lt;li&gt;Personnel checks are there to make sure that you have reliable employees who can be trusted with sensitive data. Nowadays, as an organization you are consistently dealing with PII or sensitive PII (SPII), and that information should be safeguarded at all times.&lt;/li&gt;
&lt;/ul&gt;

&lt;/li&gt;

&lt;li&gt;Security Trainings

&lt;ul&gt;
&lt;li&gt;Security trainings get personnel on the same wavelength regarding security. They can also help personnel understand what SOC 2 is and how securing themselves also secures the clients.&lt;/li&gt;
&lt;/ul&gt;

&lt;/li&gt;

&lt;li&gt;Device Compliance

&lt;ul&gt;
&lt;li&gt;Device compliance covers any workstation that personnel use for company purposes: a laptop, a phone, or any other device used for anything company related. At a minimum each device should have a company-approved password manager, disk encryption enabled, antivirus software installed, and a way to report back to a centralized server for updates and compliance status.&lt;/li&gt;
&lt;/ul&gt;

&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frdln596idy5gukbu91t2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frdln596idy5gukbu91t2.png" alt="Image description" width="483" height="600"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;During the process of obtaining our SOC 2 report we established a security team that meets monthly for risk assessments, quarterly for access reviews, and annually for DR testing. Having good tools made this process straightforward. For example, for access reviews we use a tool called StrongDM for server access, Kubernetes access, and more, which gives us a centralized place to look up specific access and who has it. Tools do help make getting a SOC 2 report simpler, especially if you have a single pane of glass for your auditors to look at.&lt;/p&gt;

&lt;p&gt;When we set out to get our SOC 2 report, it was because we knew it would be a great way to show our clients that we consistently follow a set of standardized controls, and that we handle data of all types safely, internally and externally. SOC 2 can reduce some of the apprehension that most security teams have about companies that access any type of data. From our perspective, any tool that we want to use has to be at least SOC 2 compliant.&lt;/p&gt;

&lt;p&gt;If you want to check out our live security report, you can click on this link: &lt;a href="https://app.drata.com/security-report/42b97aed-d394-4c1d-b749-4fe65ab025b9/19559124-3354-46f7-bbd2-1313d773fb36?region=NA" rel="noopener noreferrer"&gt;https://app.drata.com/security-report/42b97aed-d394-4c1d-b749-4fe65ab025b9/19559124-3354-46f7-bbd2-1313d773fb36?region=NA&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>compliance</category>
      <category>software</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
