SOC2 is mainly to check boxes, and forces you to think about a few things. There’s no real / actual audit, and in my experience the pen tests are very much a money grab. You’re paying way too much money for some “pentesting” automated suite to run.
The auditors themselves pretty much only care that you answered all questions, they don’t really care what the answers are and absolutely aren’t going to dig any deeper.
When I worked for a consulting firm some years back I randomly got put on a project that dealt with payment information. I had never had to deal with payment information before so I was a bit nervous about being compliant. I was pointed to SOC2 compliance which sounded scary. Much to my relief (and surprise), the SOC2 questionnaire was literally just what amounted to a survey monkey form. I answered as truthfully as I could and at the end it just said "congrats you're compliant!" or something to that effect.
I asked my manager if that's all that was required and he said yes, just make sure you do it again next year. I spent the rest of my time worrying that we missed something. I genuinely didn't believe him until your comment.
SOC2 and most other certifications are akin to the TSA, security theater. After seeing the info sec security space from the inside I can only say that it blows my mind how abhorrent the security space is. Prod db creds in code? A-OK. Not using some stupid vendor's “pen testing” software on each MR, blasphemy?
Unless I'm missing something, they replied stating they would look into it and then it's totally vague when they patched, with Alex apparently randomly testing later and telling them in a "follow up" that it was fixed.
I don't at all get why there is a paragraph thanking their communication if that is the case.
The time to fix isn't really important, assuming that they took the system offline in the meantime... but we all know they didn't, because that would cost too much.
According to the timeline it took more than a week just for Filevine to respond saying they would review and fix the vulnerability. It was 24 days after initial disclosure when he confirmed the fix was in place.
Given that the author describes the company as prompt, communicative and professional, I think it’s fair to assume there was more contact than the four events in the top of the article.
Kinda sad but LinkedIn has fulfilled the original promise of Facebook for me. Almost all the people I’ve met in my career and at school have a verified profile under their real name and when I want to reach out to them, that’s a place I can start if I lost their number.
The feed is hell. The content is cringe. All true. But it’s a very good directory.
I believe they’re using all numbers for a family of four. So two kids. Your numbers are for one kid. Double them and it’s closer to what the article says.
The UN doesn’t say that a human life is actually worth $10 million, but that’s the number we’re going to use, so the question is, as a QALY thing, how much is a liver transplant worth? It turns out the liver transplant gets you about 25 QALYs, and so running the numbers a liver is only about $3.75 million.
For our coding interviews we encourage people to use whatever tools they want. Cursor, Claude, none, doesn’t matter.
What I’m looking for is strong thinking and problem solving. Sometimes someone uses AI to sort of parallelize their brain, and I’m impressed. Others show me their aptitude without any advanced tools at all.
What I can’t stand is the lazy AI candidates. People who I know can code, asking Claude to write a function that does something completely trivial and then saying literally nothing in the 30 seconds that it “thinks”. They’re just not trying. They’re not leveraging anything, they’re outsourcing. It’s just so sad to see how quick people are to be lazy; to me it’s like ordering food delivery from the place under your building.
I’m not totally against CTOs who code (I like having management that I respect technically) but it sounds like this CTO is pretty clearly doing too much coding and not enough CTO-ing.
Posts like these show why the founding engineer is the most underpaid person in Silicon Valley. This CTO probably has 30% of the company. There’s probably a founding engineer doing 90% of the same work for years (and likely doing the technical bits better) for 1-1.5% of the company max.
On this topic I strongly recommend “The World I Live In” by Helen Keller.
In some of the essays she describes how before she was taught to communicate she had no inner monologue and didn’t even recognize herself as human. She was surprised to learn that the dog was not able to understand her. Language essentially gave her her mind, although the book does go into great detail about the things she perceived about the world through touch and exploration that few others would.
SF seems to claim the Beat movement as a whole. There’s a museum dedicated to it and the area around it has multiple landmarks which play into that as well (City Lights, Vesuvio). I never really considered before if that was fair.
Also … shows you what a SOC 2 audit is worth: https://www.filevine.com/news/filevine-proves-industry-leade...
Even the most basic pentest would have caught this.