No offense taken.

I was going to argue that companies got to choose their own auditors, so of course there were some bad ones out there. But looking at the market, it seems like (1) the race to the bottom has gotten ridiculous, and (2) the insurance companies do not currently trust the auditors in any meaningful way. So, yeah, point to you.

Once upon a time, I went through SOC2 audits where the auditors asked lots of questions about Vault and really tried to understand how credentials got handled. Sure, that was exceptional even at the time.

But that still leaves a whole pile of other audits and regulatory frameworks I need to comply with. Probably most of these frameworks will eventually accept "The code was written by an LLM and reviewed by an actual programmer." I am less certain that you'll be able to get away with vibe coding regulated systems any time soon.

SOC2 has never been about software resilience. You can create a set of attestations that will require you to present evidence to your auditors (who are ~accountants and will not know what the dotted quads of an IP address mean) about software quality, but there is no reason to do that and most organizations don't. SOC2 cares a great deal more about access management (in the "plotting on spreadsheet" sense) than it does about vulnerabilities.

My thing here is: you want to summon some kind of deus ex machina reason why the unpredictability (say) of agent-generated software will fail in the real world, but the concrete one you came up with fails to make that argument, pretty abruptly. Which makes me think the argument is less about the world as it is and more about the world as you'd hope it would be, if that makes sense.

Since when are SOC audits not a meaningful thing?

If SOC audits are driving your development process you are doing it backwards. And _certainly_ a time is coming when just using the LLM will be SOC compliant.

I’d think any company big enough or working in certain markets which has a Compliance Officer cares about this; regulations are a legitimate business risk, and software integration contracts have security control compliance requirements which very much impact the SDLC.

Would you have the same reaction to requiring an approval for a production deployment? That’s driving the development process.

---

Also, jfc, I need to cool it with the buzzwords; sorry, I just got home from “talk like this all day” $job.

SOC2 is generally regarded as a joke and has in fact almost nothing to do with software resilience even on its own terms.