Yep disk space and learning curve are the two major downsides to Nix. The former has never been a problem for me in practice, just run garbage collection once a month. The latter was a big problem, but is now mitigated for most people by LLMs.
Yes, however the space is not "used up" in a classic sense. It's a cache, so you can give up some of it and reclaim your space. Fresh after a full cleanup it won't take much more than a regular distro.
You build something great and big corporation X wants to buy a subscription but you need to be certified.
Much of this is a good checklist but some of it is very European.
"Where is the risk register to track controls in your 7 person company?"
Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language.
What's needed is a variant of these standards for small teams, which is proportionate and pragmatic.
SOC 2 is mostly about proving you do what your policies say, and there’s more flexibility than people think.
For small teams it doesn’t have to be heavyweight. A risk register can be a simple doc with a few real risks and mitigations.
That said, I agree there’s a lot of theater. For smaller companies and budgets, it often turns into rubber stamping. Auditors rely on the evidence you provide, so the report can look much cleaner than day to day reality.
Still, it has value. It forces you to formalize basic practices, and if you want those customers, you’re signing up for that level of scrutiny.
In reality the starting point itself is something absurd like "all vendors must be ISO certified, no exceptions".
Nobody wants to be the person who says an exception is ok in this case, so you get lumped with having to certify.
Now your color palette generator startup is doing ISO certification. You are holding quarterly "information security governance meetings" and maintaining a risk register for... "blue vs slightly different blue".
Exactly this. But my question here is also: is there not a competitive advantage to a big enterprise that applies standards in a more intelligent way? You have a SaaS, I have a Fortune 500 company that could use your product but I cannot use it because my procurement process is as long and winding as the Road to Hana. In the meantime my competitor has a smarter procurement process that takes into account the impact and risk involved in renting your software. Don't they get a competitive advantage over me by having a better process and as a result getting better vendors?
Unfortunately in most cases the buyers have way more liability/risk using a small vendor than opportunity. Often this is coming from regulators in certain industries.
In scenarios where the company REALLY REALLY wants to buy the SaaS, they often will invest in the company, one of the reasons for which being to ensure they have the resources to go through all the red tape.
I’ve found CIS Controls v8.1 to be good and sane, with actual benefits to security. Level 1 is a solid base, and Level 2 is good for picking from depending on where risks exist in your business.
CIS Benchmarks are worth a look too: They’re best practices for securing typical cloud platforms, SaaS and OS.
The risk register is ISO 27001. The "I" in ISO doesn't stand for Internet, it stands for international. You shouldn't be doing business with international customers if you don't have a risk register, which is why they're requesting it.
What is it about customers in Ethiopia that necessitates this? What is it about American (non-international) customers that doesn't require a register?
What is the purpose of a business though? To make profits for its owners. If the profit lies in doing all this corporate theater then that's the business. A company that focuses only on providing a service and product but ignores how their customer needs to use said service and product is going to go out of business.
That is "a" purpose of a business, but not the primary purpose. The primary purpose of business is to provide a service or product people want. You can want profits all day long but if you don't have something people want you don't have a business.
If the purpose of every business were making profits, every business would be a hedge fund (at which point there could be no hedge funds, but that's a separate issue). Profits are a necessary component of a business's activities, but not its purpose.
I would argue that profits are a result of what you do and not the purpose...
Obviously intertwined, but that's why it's important to pick something you like.
Going through this with a medical startup... We have like 2 developers. But to get investment, put the app online etc. we need to fill out that paperwork... For things which just don't exist...
> Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
Have you considered that the kind of companies that demand SOC2 compliance would be happy to pay extra for SOC2 compliance, if you offered it as an optional add-on costing $200k per year?
Translation: all your rules and regulations are crap, and we don't want to comply with any of them.
When in reality most rules and regulations are not crap, and you should care about them.
Especially when your startup advertises compliance with HIPAA (medical records), PCI-DSS (payments data) and a bunch of other data protection standards and regulations.
Data protection is a tiny component of what certifications like ISO and SOC2 involve. The data protection stuff is welcome and often pre-existing, the other stuff is what annoys people.
Accuracy is often presumed to be English, which is fine, but it's a vague thing to say "higher" because does it mean higher in English only? Higher in some subset of languages? Which ones?
The minimum useful data for this stuff is a small table of language | WER for the dataset.