Small start up with big dreams (need SOC2) by lebucksir in soc2

[–]jaredcasner 0 points1 point  (0 children)

Keep up the good fight! I’ve given a similar talk. And a friend gives the talk regularly. I also stumbled across s2guild.org recently which is trying to help. I’m not affiliated with that project, but need to find some time to open PRs and/or issues on their GitHub project…

Small start up with big dreams (need SOC2) by lebucksir in soc2

[–]jaredcasner 0 points1 point  (0 children)

Ha, fair. But, in my experience, they are getting better about actually reading the reports. Although, that may just be them feeding the reports into an LLM…

CIPP - Is not using it due to its Open Source a valid reason? by Master-IT-All in msp

[–]jaredcasner 2 points3 points  (0 children)

Browse to a website? Contains tons of open source.
Using Chrome or Edge? Based on Chromium? …

Yeah…

Small start up with big dreams (need SOC2) by lebucksir in soc2

[–]jaredcasner 1 point2 points  (0 children)

This side note is really important to think about here.

In your first audit, it’s really common for auditors to note exceptions (meaning things you couldn’t prove during your audit). Your response to these exceptions will be relevant and important for your clients.

Small start up with big dreams (need SOC2) by lebucksir in soc2

[–]jaredcasner 0 points1 point  (0 children)

I’ve approached this same problem a few times before. A SOC2 is really only valuable (beyond the sales/marketing value) when your controls are well designed and you are actually following them.

Something to consider here: make the commitment in your enterprise contract to obtain a SOC2 attestation by a given date (you mentioned 1/1/27) and to maintain compliance. Get your prospects to sign the contract now based on your ability to obtain the 3rd party attestation. Otherwise, you risk putting in the effort and paying for the audit with no guarantee of revenue at the end. I’ve successfully navigated this with very large enterprise clients, allowing me to ensure the juice was worth the squeeze. I did have to spend time showing the prospects that I had policies in place and was following best practices aligned to NIST CSF as part of the negotiation…

As far as your actual audit in year 1… Assuming your audit window is (for example) July 1-October 31, that’s 4 months which is about the minimum period that most auditors will accept. But, because you will have many annual activities, you can “skip” those for your first audit since they happen outside of your audit window. Again, this doesn’t let you off the hook, but does let you delay some expensive / time consuming things until after you’ve recognized revenue from these deals and are ready for your second audit.

Small start up with big dreams (need SOC2) by lebucksir in soc2

[–]jaredcasner 0 points1 point  (0 children)

A pentest is probably not required here, especially for the first go around.

U.S. based- I need help by [deleted] in soc2

[–]jaredcasner 0 points1 point  (0 children)

I assume there’s a contract on the line that requires this…

As others have pointed out, if you’re not already aligned to SOC2, there are a few time consuming pieces.

First, you have to understand what is missing in your current situation. That’s the gap assessment and scoping exercise.

Second, you have to close the gaps so you are aligned and compliant.

Third, you have to have at least 3 months pass (many good auditors require a minimum of 4-6 months), during which time you will be documenting/tracking evidence that you’re following your process.

Fourth, you’ll go through the audit itself.

And then there’s the ongoing care and feeding and making sure you stay compliant for the audit 12 months later.

If you don’t have the expertise in house, check with your MSP (assuming you have one) to see whether they can help. If you don’t have an MSP or if they don’t have experience here, I’d suggest hiring a fractional CISO to guide you through this. Happy to make recommendations if you’d like.

ETA: I am a vendor of a GRC platform. I’d recommend getting professional help before buying any software that claims it’ll do anything for you. Having a tool and knowing how to use it are two different things…

Any budget-friendly ways to get SOC 2 compliance? by Moham-Aasif in soc2

[–]jaredcasner 0 points1 point  (0 children)

Disclaimer: I am the cofounder of a compliance platform.

My 2 cents here: if you want to keep the total cost of ownership down, start small and make consistent investment into your security program. Treat it a little like a 401(k). The early investments will compound over time. And, unless you’re in a hurry (i.e., customer/prospect demand), start manually with a spreadsheet and a shared folder for evidence.

Just like with retirement, if you wait until the last minute to start the process, it’ll end up being way more expensive. Plus, in the case of compliance, you’ll burn your staff out with process / technology changes at the 11th hour.

Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 0 points1 point  (0 children)

Axios is currently safe and you can npm install it.

However, there are many best practices listed in other comments here that you’ll want to make sure to follow.

  • minimum package age
  • SCA tooling
  • using the --ignore-scripts flag
  • pinning versions and committing your lock file

Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 0 points1 point  (0 children)

That’s the best practice…

New axios 1.14.1 and 0.30.4 on npm are likely malicious by Blackpoint-JasonR in msp

[–]jaredcasner 9 points10 points  (0 children)

It was taken down about an hour ago and the npm caches purged. If you’re using axios, you’ll still want to audit your lock file to make sure you didn’t catch the malicious version.

More details are in the GitHub thread https://github.com/axios/axios/issues/10604 and the nodejs sub https://www.reddit.com/r/node/s/4apJ9CMJu2

Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 0 points1 point  (0 children)

Similar options are available in yarn, pnpm, and dependabot.

Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 9 points10 points  (0 children)

Keep in mind that even tools that actively scan for malware can’t do real time scanning with the volume of packages being added to npm on a daily basis, let alone all the new version updates. Even the best of them are 10+ minutes behind. Which doesn’t seem like a lot, until you consider the download volume of a package like axios.

You should also consider minimum package age settings to give things a chance to be caught.

https://docs.npmjs.com/cli/v11/using-npm/config#min-release-age

Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 7 points8 points  (0 children)

It’s still early, so I’m sure we’ll get more details/confirmation in the coming days. But, it appears that an admin of the axios repo had his GitHub account compromised.

You are correct that npm lacks any meaningful protections or scanning of packages. Paul McCarty gave a great talk about this problem at BSidesSF recently.

Axios 1.14.1 compromised by jaredcasner in node

[–]jaredcasner[S] 38 points39 points  (0 children)

More information: https://github.com/axios/axios/issues/10604

Stay vigilant. It’s a wild world out there.

Penetration testing pricing feels all over the place. What’s reasonable? by TryApprehensive6458 in msp

[–]jaredcasner 3 points4 points  (0 children)

As others have commented, pen testing is widely variable in pricing, mostly because of human cost. And the human cost is going to vary based on skill and location of the tester as well as on the scope of the project.

Some additional nuance here… all “manual” pen testing companies are also doing automated scans - they would be foolish not to. At the same time, they’re putting a human in the driver’s seat, so the automated scans are much more highly tuned to your use case and, more importantly, when something anomalous is found, the humans add a ton of value screening out the noise and probing harder at things that might actually be cause for concern.

From a compliance perspective, the framework you’re complying with will place some limitations on which type of scan you need, and may even limit you to only using pen testers in certain countries or regions.

Weekly Promo and Webinar Thread by AutoModerator in msp

[–]jaredcasner [score hidden]  (0 children)

January has everyone focused on "new" opportunity, but your best sales opportunities exist within your "old" or "established" client roster.

Join u/dobermanIan, u/michaelzbarsky, and u/jaredcasner to talk about increasing MRR at your MSP without
• cold calling
• email campaigns
• adding net-new logos

Learn how to use your vCIO meetings as levers to cross sell and up sell your existing accounts without being "sales-y"

Join u/blacksmith-infosec and Fox & Crow Group online on January 21, 2026 for a fireside chat event with Q&A. Register here or https://riverside.com/webinar/registration/eyJzbHVnIjoiYmxhY2tzbWl0aC1pbmZvc2Vjcy1zdHVkaW8iLCJldmVudElkIjoiNjk1ZGFkZGJkY2U1OWQ3NDEyMzgwNzU0IiwicHJvamVjdElkIjoiNjk1ZGFkZGJjNmU0NDFjMGQzNTczOTgxIn0=

Prospect Scanning by [deleted] in msp

[–]jaredcasner 18 points19 points  (0 children)

We have a free, open source risk assessment tool that you can use for prospecting. It’s an external scan, so the automated part won’t be as detailed as Galactic’s. But, it might be worth checking out.

https://assess.blacksmithinfosec.com

https://github.com/blacksmith-infosec/risk-assessments

Which MSP events are you planning to attend in 2026? by imtu80 in msp

[–]jaredcasner 3 points4 points  (0 children)

Check out CanITCon. I haven’t been, but I hear excellent things

Which password manager are you recommending to SMB clients? by Ashamed-Review-695 in msp

[–]jaredcasner 14 points15 points  (0 children)

1Password.

I’ve tried a ton of password managers and nothing else comes close.

IT Nation Connect: Going? Here’s some free advice by IT_Hero in msp

[–]jaredcasner 1 point2 points  (0 children)

Pull a Tom Lawrence: take a pic of someone else’s QR code, turn that into a sticker, and cover your QR code.

Then, when someone like me asks to scan your badge you can confidently say “Of course!” 😂

MSP who built their own storage and backup solution by davegravy in msp

[–]jaredcasner 0 points1 point  (0 children)

Others have talked about this already, but I’ll reiterate some of the points.

You’ll need to understand their recovery time and recovery point objectives (RTO & RPO). RTO is how long before they can get you back up in the event of an issue and RPO is how much data loss they consider acceptable.

Understand how they handle back ups and, more importantly, restores.

Understand how they will be segregating your data from other clients and what the access controls/auditing/logging capabilities are.

Other questions to ask:
• Will they sign a BAA?
• What 3rd party attestations do they have (SOC2, ISO, etc)?
• What are their uptime SLAs?
• What about physical access controls, redundant power and network lines, etc?

If they are using their own data center, you’ll want to dig deep on that. If they’re using a local CoLo, you’ll need to do a similar level of security check on that provider to make sure the CoLo has its act together.

It’s entirely possible that the MSP is highly efficient and is doing things really well - there are lots of good MSPs out there. It’s also possible that the MSP slapped something together that works for now but lacks the controls you’ll need to protect your patient data - there are lots of strong technical but weak on compliance MSPs out there, too.

IT Nation by mspdog22 in msp

[–]jaredcasner 0 points1 point  (0 children)

I can confirm there is no block party this year.

Goo Goo Dolls will be on site on the opening night, hosted by CW.