Tuesday, May 7, 2013
As long as I don't have to write a unit test to assert it's true.
I spend a lot of time lately working on SOC 2, NIST 800-53, and FedRAMP security digs. One of the differentiating factors often discussed is whether a security dig is prescriptive, bound to extremely specific pieces of evidence that must all be fulfilled, or whether it is an attestation, where the rules are not, strictly speaking, externally determined but attested to by the company, and only the controls the company attests to fulfilling and providing evidence for matter. It's amazing that one little idea can make such a huge difference in a dig, although when you put both versions under the microscope and look at the security control proof through the lens, it looks suspiciously similar when it lands on your desk with a four-hour deadline.
Snarky: They asked me to provide attestation for our security investigation. I think I'll need you to vouch for my character.