[HN Gopher] Minimum Viable Secure Product
___________________________________________________________________

Minimum Viable Secure Product

Author : arraypad
Score  : 36 points
Date   : 2021-11-03 21:18 UTC (1 hour ago)

(HTM) web link (mvsp.dev)
(TXT) w3m dump (mvsp.dev)

| ChrisMarshallNY wrote:
| That's a great idea!
|
| I hope that the idea takes hold.

| lmeyerov wrote:
| I dislike any compliance document that requires paid & external
| vendors, so would love to see that factored out.
|
| SOC I vs SOC II helps get at these kinds of distinctions in
| practice. I've seen a lot of conversations enabled by that. "We
| did the SOC I software checklist. At some point, we'll pay
| vendors $50K-250K for SOC II, feel free to fast track that now as
| part of our contract."
|
| I get why it's there, but this kind of thing is also why, despite
| being designed to address a real need, initiatives like FedRAMP
| have been slow & expensive disasters in practice. We should be
| pushing to self-serve & automated accreditation, and all the way
| to 1-person projects. Anything that puts third parties, people,
| and $$$ in the critical path needs to be split out.

| wly_cdgr wrote:
| I get why it's there, but then I also get why the guy who runs
| my corner store gives Jimmy a $200 interest-free loan every
| Thursday.

| Kalium wrote:
| If you have a way to automatically handle all the auditing that
| goes into evaluating all the not-strictly-technical controls
| that are part of SOC and PCI-DSS and similar, a _lot_ of people
| will be very interested.
|
| Based on this list, how would you automatically validate that
| vulnerability reports are handled in a reasonable timeframe?
| How would you do self-serve validation for incident handling
| timelines? How do you quickly and easily automate assessments
| of subprocessor data handling?
|
| Quick, easy, strong, self-service, automated accreditation is a
| wonderful goal! It's critically important to make this stuff as
| easy as possible because there are features to ship and
| customer needs to meet. Security must be a baseline for
| _everyone_, and achievable by everyone, or else it's just a
| way for big companies to squeeze out small ones. It just might
| be worth considering carefully that there may be systems at
| hand that blend humans and computers. It may perhaps be
| possible that information security could be more than just an
| engineering problem.
|
| If I may propose a different framing? Information security is
| primarily a human endeavor. It is mostly about how humans and
| systems made of humans behave. Information security is about
| _process_. Some parts of it can be partially handled by
| computers, but most of it is deeply not susceptible to
| automation.

| aetherspawn wrote:
| Your page ( https://mvsp.dev/mvsp.en/index.html ) is broken on
| small screens, i.e. 13-inch laptops. This is because of the use of
| padding and width: 100% at the same time. You need to remove
| .w-full from the styles in your content.
|
| Edit: I have opened a quick PR.

| killerpopiller wrote:
| How would the list differ for B2C users?

| Zababa wrote:
| Maybe a way to help that would be to see if a library/framework
| is compliant. For example, Dream in OCaml automatically adds CSRF
| tokens to your forms https://aantron.github.io/dream/#forms (I
| took that example since OWASP compliance is one of the big points
| and it's not well known, I don't want to start a framework war
| here). Since there are constantly new developers, I think it would
| help to talk more and show more security best practices.

| Kalium wrote:
| I think one of the key lessons here is that a framework
| fundamentally _cannot_ be compliant. Too much of what is
| required is simply beyond what any framework can deliver and a
| matter of human-based process.

___________________________________________________________________
(page generated 2021-11-03 23:00 UTC)