
This all makes a lot of sense. I agree that SOC2 can be security theatre (I mean a lot of the language of the standard is suggestive, not a requirement). But a lot of your points about having MDM and EDR set up are covered by that cert. It's just how you implement it. And we intend to do it well. The cert and the "trust page" are a signal of our security practices, but at least we wouldn't have to go through it over at HN...

Maybe because I did cryptography at a mathematical level in college, I never really bought into the idea of security through obfuscation. Also the empirical evidence behind whether hiding your tech stack makes you more secure as a non-state level actor / software company actually leans towards the side of "it doesn't really matter".

We obviously do a lot more on our infra/corp sec side that I'm not sharing. But really everything I listed is well-known best practice that any attacker should assume a relatively non-stupid, security-aware startup should have.

I mean I guess I do believe a bit in security through obfuscation. Not sharing our password manager and IdP, as many providers haven't had (as you mentioned) a great track record in this space.

I do think it might be a difference of where we learned security. I've found folks like yourself with a gov/military background to buy into security via obfuscation a lot more. I guess we can agree to disagree.



I don’t buy into security via obfuscation at all, but that meme comes from the context of hoping your infra is too confusing for an attacker to figure out once they find it.

For the context of digging into your sec stack on open-access platforms, ya, def obfuscate haha. Public review is step 0 in pentests for a reason.


Help us out? I really would like to hear your advice / thoughts / experience in private. Please find me via email (no making this public, unfortunately)!



