
They took a month to fix this? That’s beyond inexcusable. I can’t imagine how any customer could justify working with them going forward.

Also … shows you what a SOC 2 audit is worth: https://www.filevine.com/news/filevine-proves-industry-leade...

Even the most basic pentest would have caught this.



SOC2 is mainly to check boxes, and forces you to think about a few things. There’s no real / actual audit, and in my experience the pen tests are very much a money grab. You’re paying way too much money for some “pentesting” automated suite to run.

The auditors themselves pretty much only care that you answered all the questions; they don't really care what the answers are and absolutely aren't going to dig any deeper.

(I’m responsible for the SOC2 audits at our firm)


When I worked for a consulting firm some years back I randomly got put on a project that dealt with payment information. I had never had to deal with payment information before, so I was a bit nervous about being compliant. I was pointed to SOC2 compliance, which sounded scary. Much to my relief (and surprise), the SOC2 questionnaire was literally just what amounted to a SurveyMonkey form. I answered as truthfully as I could and at the end it just said "congrats, you're compliant!" or something to that effect.

I asked my manager if that's all that was required and he said yes, just make sure you do it again next year. I spent the rest of my time worrying that we missed something. I genuinely didn't believe him until your comment.

Edit: missing sentence.


Once this type of issue gets publicized, does that in any way affect the certification?


Sometimes scandals affect these things. But it's hard to predict.


SOC2 and most other certifications are akin to the TSA: security theater. After seeing the infosec space from the inside, I can only say that it blows my mind how abhorrent the security space is. Prod DB creds in code? A-OK. Not using some stupid vendor's "pen testing" software on each MR? Blasphemy.


Unless I'm missing something, they replied stating they would look into it, and then it's totally vague when they patched, with Alex apparently randomly testing later and telling them in a "follow up" that it was fixed.

I don't at all get why there is a paragraph thanking their communication if that is the case.


Probably, given the alternative: being ghosted, followed by a no-knock FBI raid.


It looks like SOC 2 (and the other SOCs) were developed by accountants?

I wouldn't expect them to find any computer problems either to be honest.


There are only 3 books of SOC: SOC I, SOC II Part 1, SOC II Part II.

The time to fix isn't really important, assuming that they took the system offline in the meantime... but we all know they didn't, because that would cost too much.


Where did it say that they took a month to fix? The hacker just checked in 2 weeks later and it was fixed by that point.


According to the timeline it took more than a week just for Filevine to respond saying they would review and fix the vulnerability. It was 24 days after initial disclosure when he confirmed the fix was in place.


Given that the author describes the company as prompt, communicative and professional, I think it's fair to assume there was more contact than the four events at the top of the article.


Is there any stricter standard? Should one strive for PCI-DSS even if they are a regular SaaS?


Whatever Google does internally would be a much stricter standard, but I'm not sure they've written it up for outsiders to use, alas.



