Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://chaos.social/users/makdaam/statuses/114364100584153200">Leszek (makdaam@chaos.social)'s status on Saturday, 19-Apr-2025 19:18:30 JST</a><a href="https://chaos.social/@makdaam" title="makdaam@chaos.social"><img src="https://gnusocial.jp/avatar/107196-48-20230503130450.webp" width="48" height="48" alt="Leszek" style="position: absolute; left: 0; top: 0;">Leszek</a><div><a href="https://gnusocial.jp/notice/9636771" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/6007" title="wolf480pl@mstdn.io">Wolf480pl</a></li><li><a href="https://gnusocial.jp/user/19973" title="domi@donotsta.re">Tulip ?️‍⚧️</a></li></ul></div></section><article><p><a href="https://mstdn.io/@wolf480pl">@wolf480pl</a> <a href="https://donotsta.re/users/domi">@domi</a> <a href="https://queer.hacktivis.me/users/lanodan">@lanodan</a>  The answer, as always, is "it depends".</p><p>Basically it depends on the people implementing compliance. If they care, compliance and security are aligned. You can use most compliance tools to make life of your SoC easier. Like you wrote before - you can decide on dev teams' priorities, you can learn about practices in other places etc.</p><p>But also you can do the absolute minimum to pass an audit and fight with people who discover actual issues outside the approved process.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4918999#notice-9636794">In conversation</a><time datetime="2025-04-19T19:18:30+09:00" title="Saturday, 19-Apr-2025 19:18:30 JST">about a month ago</time> <span>from <span><a href="https://chaos.social/@makdaam/114364100584153200" rel="external" title="Sent from chaos.social via ActivityPub">chaos.social</a></span></span><a href="https://chaos.social/@makdaam/114364100584153200">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Leszek (makdaam@chaos.social)'s status on Saturday, 19-Apr-2025 19:18:30 JSTLeszek
in reply to
@wolf480pl @domi @lanodan The answer, as always, is "it depends".
Basically it depends on the people implementing compliance. If they care, compliance and security are aligned. You can use most compliance tools to make life of your SoC easier. Like you wrote before - you can decide on dev teams' priorities, you can learn about practices in other places etc.
But also you can do the absolute minimum to pass an audit and fight with people who discover actual issues outside the approved process.
In conversationabout a month ago from chaos.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice