This is pretty horrifying. I’ve worked on a project that did something similar with having services created on random ports but not only was this not a public service, it was removed from the design before deployment. I can’t imagine deploying something like this for a public cloud service that manages account actions with user-generated code.
Security flaws happen but as someone who’s not a security professional, this seems pretty inexcusable to me.
SOC2, which is by far the most common compliance certification, checks for:
1. The presence of a formal threat model
2. A process for applying controls against that threat model
3. Evidence that the process is being followed (for a type 2)
This is actually pretty good. It's just also easy to game. It's totally on you to say what your threat model is, to say what controls you've accounted for, what risks you've accepted, etc. An auditor might call you out like "no, encrypting data at rest doesn't address password reuse", but you have a lot of control over how the whole thing plays out.
That means that most companies basically just buy their way out of SOC2 by having a compliance team that retroactively works to map what currently exists to a standard threat model provided by NIST. What happens less often is that people actually do the work the intended way - starting with a model, creating a process, and then creating an audit trail for it.
If they did, honestly, SOC2 would have a lot of value. It is a very sound approach to security. But, as with all cost centers, the goal is to minimize the cost of security, not to do it well.
This is an excellent explanation of the process. Like a lot of people, I was pretty surprised at how the certification works when I first learned about it. It's way more about checking that you have a process than it is checking that the process is sound.
That's the point: too many people look at those certifications and see them as an end point rather than the floor of what anyone running a computer should do.