My company had 6 employees, I was the CTO and I can't imagine getting SOC2 certified without using Vanta - that was back in their early access/beta days.
I had no choice - we had so many security assessments spreadsheets sent by potential customers, that getting SOC2 saved us time in the long run.
I like the people at Vanta just fine but it really squicks me out to see people doing Vanta because it's the simplest way for them to clear this dumb hurdle --- that implies that they don't understand SOC2 and are just taking Vanta's word for it.
The problem is, Vanta will ask (suggest? come perilously close to demand?) you do a lot of engineering work that is absolutely not necessary for a SOC2 attestation. Worse still: whatever controls you attest in your SOC2, you're practically locked into. If Vanta has you set up some cloud detection capability, and it turns out as you mature your security organization that it wasn't necessary or even useful, you have a fight on your hands with your Type II auditor about why you stopped doing it.
It's all negotiable. I did audits and attestations at a bank... everything's negotiable.
> that implies that they don't understand SOC2
Good engineering and SOC2 compliance can be on similar but not identical paths. If you want SOC2, you're bending your engineering towards that particular standard. Getting SOC2 compliant because it's time, and you have the customers, is just a step, and not a reflection of whatever good engineering you've done. If you can defend it, you can probably keep some of your variances.
If you're a solopreneur and you've never been in/near an audit, and you're committed to a vendor like Vanta, I'd recommend hiring a consultant for even a few hours to give you independent coverage of industry norms and a little coaching on sticking points.
I've been working with an organization that apparently won't give its developers reasonable access to dev cloud environments "because of SOC2." At least, that is the excuse they tell me.
Example: "I need access to EC2" isn't enough. I wind up with a role where I can launch instances, but not list them. I have to send several emails, have meetings and follow-ups, send links to AWS docs, etc. to get them to modify a custom IAM role. Then they still can't figure it out, so I am literally telling someone what to copy-and-paste into JSON to fix the issue. I completely understand more control in higher environments, but this crap adds up and costs weeks in lost productivity.
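The "can launch but can't list" role described in the comment above comes down to an IAM policy that grants `ec2:RunInstances` without any `ec2:Describe*` read action. The following is an added illustration, not code from the thread or from any of the commenters: two constructed policy documents (the incomplete one and a minimal corrected one that includes the read-only actions a developer needs) plus a small evaluator that models only the Effect/Action part of IAM evaluation (explicit Deny wins, otherwise implicit deny, `*`/`?` wildcards, case-insensitive). Resource and Condition handling is deliberately not modelled, so treat the evaluator as a review aid for spotting gaps like this one, not as a substitute for the IAM policy simulator.

```python
"""Toy evaluator for the Action part of an AWS IAM identity policy.

Constructed example (not from the thread): WEAK_POLICY grants
ec2:RunInstances but no ec2:Describe* action, which produces exactly
the "can launch instances but cannot list them" role. FIXED_POLICY adds
the read-only Describe actions a developer needs to work with EC2.
Only Effect/Action matching is modelled; Resource and Condition are
ignored, so this is a gap-finder, not a policy simulator.
"""
import fnmatch
import json

# Constructed policy documents (the action names are real EC2 IAM actions).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"}
    ],
})

FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
            ],
            "Resource": "*",
        }
    ],
})

# The minimum a developer needs to both start and see dev instances.
DEV_EC2_REQUIRED = ["ec2:RunInstances", "ec2:DescribeInstances"]


def _as_list(value):
    """IAM allows Statement and Action to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def is_action_allowed(policy_json: str, action: str) -> bool:
    """Return True if the policy's statements allow `action`.

    Modelled IAM semantics: an explicit Deny on a matching statement
    overrides any Allow; with no matching statement the result is the
    implicit deny. Action patterns are compared case-insensitively and
    may contain '*' and '?' wildcards, as in IAM.
    """
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False  # explicit deny always wins
            allowed = True
    return allowed


def missing_actions(policy_json: str, required: list[str]) -> list[str]:
    """List the required actions the policy does not grant."""
    return [a for a in required if not is_action_allowed(policy_json, a)]


if __name__ == "__main__":
    print("weak policy lacks:", missing_actions(WEAK_POLICY, DEV_EC2_REQUIRED))
    print("fixed policy lacks:", missing_actions(FIXED_POLICY, DEV_EC2_REQUIRED))
```

Running the gap check against a proposed role before the access ticket goes back and forth is the practical point: the weak document reports `ec2:DescribeInstances` missing, the corrected one reports nothing missing, and a deny statement anywhere in the document still wins over a broad allow.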
Yep! It took a month of back-and-forth to do what should have taken less than a day in an environment with less friction. I'm totally frustrated by the project at this point.
I think we're in quite a bit of agreement... sometimes the SOC2 review exposes gaps and you need to find a way to close them -- where do you look for critical path on that?
Also, SOC2 audits are sometimes coupled with more strenuous ones, so in the umbrella of audit season, you may have to demonstrate things, or records of things.
In my experience it was as simple as connecting to AWS and tagging resources in Terraform. I got it all done in around 3 weeks. So maybe yes, if somebody doesn't know about SOC2 then Vanta might be getting in the way, but in my case it literally solved all my problems in a month or so.
But to clarify, this was about a year ago when I struggled to find an autocompletion for HttpServer, and when I searched it up the JDK HttpServer was simply not in the results, so I made assumptions that were wrong.
I don't remember the exact situation, but I think this relates to this:
Clojure core was sent a set of patches that were supposed to improve performance of immutable data structures but were provided without much consideration of the bigger picture or over optimized for a specific use case.
Dissatisfaction n. 3 is the essence of the problem: "Because Clojure is a language and other people's jobs and lives depend on it, the project no longer feels like someone's personal project which invites a more democratic contribution process". This is a common, and modern, feeling that the more users a certain thing has, the more the creators/maintainers have a duty to treat it as a "commons or public infrastructure" and give the users a vote on how the thing is to be managed and developed. This is, of course, utter horsesh*t.
A fully declarative approach is the way to go for both IMHO. I'm more familiar with Kotlin than Kotlin. But its coroutines framework and structured concurrency are well aligned with something like this. Essentially what you are doing is a kind of stateful form of structured concurrency where state is preserved in a DB and is resilient against sub-task failures, nodes dying, etc.
This reminds me of a product called restate. I talked to some people in that company a while ago. Their solution is built in Rust I think but they have clients for all sorts of platforms. Including Kotlin. Cool company and distributed workflow engines and agentic / long running workflows feel like a good match.
There are lots of other solutions in this space. I believe an ex-Red Hat person is working on rebooting a workflow engine called Kogito based on something that originally lived under their umbrella.
There's a long history of very enterprisey business process management stuff here. Lots of potential for overengineered solutions.
I once got sucked into a Spring Batch-centric project and it was hopelessly overengineered for the requirements. Gave me a proper headache. Nothing was simple. Everything was littered with magic annotations causing all sorts of weird side effects. That's why I prefer declarative approaches with simple functions, which is what the Kotlin syntax enables relative to Java. You can do the same technically in Java, but it quickly becomes an unreadable mess of function chaining.
It's doable but you need a lot, and I mean a lot of documentation proving that you are indeed an alien with extraordinary ability. Any press mentions of you and your company, articles, proof that you're working with known companies in the US and more evidence like that will increase your chance.
In fact I worked with Peter on obtaining an O1 while not having a degree, I was a CTO of a startup, moving from the UK.
Most of the time I have 4 or 6 buffers visible at once, including the REPL and files I'm editing - and that's when I'm working on "one thing". Having packages like transpose-frame or ace-window makes this type of workflow much easier.