
We went through a SAQ D Service Provider 3.0, and paying for an ASV didn't hurt nearly as much as filling out that 80 page questionnaire... In fact, it reminded us to apply some recent CVEs to our system before taking it to production. We used Comodo HackerGuardian which is $250/y, so you don't have to pay $1000s.


I think my tool can actually help you. You document all your procedures in an organized structure using Github flavored markdown. http://cc-stg2.herokuapp.com/compliancechimp/documents/softw...

We're becoming the true Turbo Tax for compliance.


You probably have a good tool, but I am not even going to take a look at it when it doesn't have its own URL. herokuapp just screams weekend project.


I do have a real tool. It's on ComplianceChimp.com. But it's down right now because my TLS certs expired a couple days ago and I never recorded my key rotation procedures. I did think about temporarily disabling SSL, specifically for this HN post, but thought against it. We want to do compliance right.

We're fixing the certs now and updating our key rotation procedures for you all to see in our publicly viewable compliance workbook.


Not to kick someone while they're down... but a security company screwing up their key rotation is not exactly a good sign.


There's only so much I can get done with my dwindling runway =(.

But you're right that getting key rotation procedures documented is the 1st thing I should have done.

This is good feedback actually because now I know that after scoping the assets in my turbo tax-like tool, the very next thing a person should do is write down their key rotation procedures. It's also easier to write out as a procedure because it's such a common yet forgetful practice.

We're putting cycles into this absolutely right now.



