[HN Gopher] Minimum Viable Secure Product
___________________________________________________________________
Minimum Viable Secure Product
Author : arraypad
Score : 36 points
Date : 2021-11-03 21:18 UTC (1 hours ago)
(HTM) web link (mvsp.dev)
(TXT) w3m dump (mvsp.dev)
| ChrisMarshallNY wrote:
| That's a great idea!
|
| I hope that the idea takes hold.
| lmeyerov wrote:
| I dislike any compliance document that requires paid & external
| vendors, so would love to see that factored out
|
| SOC I vs SOC II helps get at these kinds of distinctions in
| practice. I've seen a lot of conversations enabled by that. "We
| did the SOC I software checklist. At some point, we'll pay
| vendors $50K-250K for SOC II, feel free to fast track that now as
| part of our contract."
|
| I get why it's there, but this kind of thing is also why, despite
| being designed to address a real need, initiatives like FedRAMP
| have been slow & expensive disasters in practice. We should be
| pushing to self-serve & automated accreditation, and all the way
| to 1 person projects. Anything that puts third parties, people,
| and $$$ in the critical path needs to be split out.
| wly_cdgr wrote:
| I get why it's there, but then I also get why the guy who runs
| my corner store gives Jimmy a $200 interest-free loan every
| Thursday
| Kalium wrote:
| If you have a way to automatically handle all the auditing that
| goes into evaluating all the not-strictly-technical controls
| that are part of SOC and PCI-DSS and similar, a _lot_ of people
| will be very interested.
|
| Based on this list, how would you automatically validate that
| vulnerability reports are handled in a reasonable timeframe?
| How would you do self-serve validation for incident handling
| timelines? How do you quickly and easily automate assessments
| of subprocessor data handling?
|
| Quick, easy, strong, self-service, automated accreditation is a
| wonderful goal! It's critically important to make this stuff as
| easy as possible because there are features to ship and
| customer needs to meet. Security must be a baseline for
| _everyone_ , and achievable by everyone, or else it's just a
| way for big companies to squeeze out small ones. It just might
| be worth considering carefully that there may be systems at
| hand that blend humans and computers. It may perhaps be
| possible that information security could be more than just an
| engineering problem.
|
| If I may propose a different framing? Information security is
| primarily a human endeavor. It is mostly about how humans and
| systems made of humans behave. Information security is about
| _process_. Some parts of it can be partially handled by
| computers, but most of it is deeply not susceptible to
| automation.
| aetherspawn wrote:
| Your page ( https://mvsp.dev/mvsp.en/index.html ) is broken on
| small screens, i.e. 13-inch laptops. This is because of the use of
| padding and width: 100% at the same time. You need to remove
| .w-full from the styles in your content.
|
| Edit: I have opened a quick PR.
| killerpopiller wrote:
| How would the list differ for B2C users?
| Zababa wrote:
| Maybe a way to help that would be to see if a library/framework
| is compliant. For example, Dream in OCaml automatically adds CSRF
| tokens to your forms https://aantron.github.io/dream/#forms (I
| took that example since OWASP compliance is one of the big points
| and it's not well known, I don't want to start a framework war
| here). Since there are constantly new developers, I think it would
| help to talk more and show more security best practices.
| Kalium wrote:
| I think one of the key lessons here is that a framework
| fundamentally _cannot_ be compliant. Too much of what is
| required is simply beyond what any framework can deliver and a
| matter of human-based process.
___________________________________________________________________
(page generated 2021-11-03 23:00 UTC)