Compliance is Not Security

When self-attestation can be faked, only verifiable testing tells you the truth. Here is why the Delve scandal makes the case for OSSTMM over checkbox compliance.

The Delve Scandal and the Case for OSSTMM

The recent whistleblower reports regarding Delve, a Y Combinator-backed compliance startup, have sent shockwaves through the tech industry. Allegations that the platform fabricated audit evidence and used “certification mills” to rubber-stamp SOC 2 reports highlight a systemic flaw in modern cybersecurity: the dangerous gap between “checking a box” and actual operational security.

When compliance becomes a “Potemkin village” (a facade of security with nothing behind it), the only party truly protected is the attacker. This is why it’s time to move past self-attestation and embrace a scientific, verifiable testing methodology: the OSSTMM.

The “Paper Tiger” Problem: Why SOC 2 is Failing

SOC 2 is an attestation, not a certification. It relies heavily on a company’s word that it has controls in place. While reputable auditors do perform sampling, the rise of “compliance automation” has made it all too easy to:

  • Generate “evidence” for controls that aren’t actually functioning.
  • Template-ize security policies that don’t reflect real-world operations.
  • Treat security as a snapshot rather than a continuous state of resistance.

The Delve scandal proves that if you tell a system you have a firewall, the system reports you have a firewall. It doesn’t actually check if that firewall is leaking data like a sieve.

The OSSTMM: Testing Reality, Not Promises

The Open Source Security Testing Methodology Manual (OSSTMM), maintained by ISECOM, offers the antithesis to compliance theater. It doesn’t care what your policy says, it cares about what your systems actually do.

1. Verifiable Facts Over Opinions

Unlike SOC 2, which is based on an auditor’s opinion of your documentation, the OSSTMM is built on scientific measurement. It provides a framework to quantify operational security through five channels: Physical, Wireless, Telecommunications, Data Networks, and Human.

2. The Power of RAV (Risk Assessment Value)

The OSSTMM uses a metric called the RAV. Think of this as a “security credit score” based on actual testing. It measures:

  • Visibility: What can an attacker see?
  • Access: What can an attacker touch?
  • Trust: What are the hidden relationships that can be exploited?

By calculating the RAV, you get a mathematical representation of your actual attack surface, something a “pre-filled” SOC 2 report could never provide.

3. Moving from “Trust” to “Verification”

The core of the Delve failure was a misplaced trust in automated evidence. The OSSTMM operates on a quantified trust methodology. It treats every control as a hypothesis that must be tested. If you claim to have an Access Control List (ACL), the OSSTMM requires a test to see if that ACL can be bypassed, spoofed, or ignored.
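To make the two ideas above concrete (porosity measured as Visibility + Access + Trust, and every claimed control treated as a hypothesis until a test confirms it), here is an added Python example. It is not code from Griffin Cyber Solutions or ISECOM: the target names, control names and counts are constructed for illustration, and the tally only covers the Visibility, Access and Trust counts; ISECOM’s full RAV equation, which also folds in controls and limitations, is not reproduced here.

```python
"""Added example: tally observed test results the OSSTMM way instead of trusting paperwork.

Each TestResult records what a tester actually observed for one target, alongside
what the compliance evidence claimed. Claimed controls that the test could not
confirm are reported as gaps rather than counted as protection.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class TestResult:
    """One target's outcome from hands-on testing, not from its documentation."""

    target: str
    visible: bool                 # did the target respond to probing from the test position?
    interactive_points: int       # points where interaction was possible (open ports, forms, doors)
    trusts: tuple[str, ...]       # other targets this one accepts without authentication
    claimed_controls: frozenset   # controls the policy or compliance evidence asserts
    verified_controls: frozenset  # controls the tester confirmed actually function


def porosity(results: tuple[TestResult, ...]) -> dict[str, int]:
    """Visibility + Access + Trust, each counted from observation (simplified OSSTMM porosity)."""
    visibility = sum(1 for r in results if r.visible)
    access = sum(r.interactive_points for r in results)
    trust = sum(len(r.trusts) for r in results)
    return {
        "visibility": visibility,
        "access": access,
        "trust": trust,
        "porosity": visibility + access + trust,
    }


def control_gap(results: tuple[TestResult, ...]) -> dict[str, frozenset]:
    """Controls asserted on paper that testing could not confirm; treat these as absent."""
    return {
        r.target: r.claimed_controls - r.verified_controls
        for r in results
        if r.claimed_controls - r.verified_controls
    }


def verification_ratio(results: tuple[TestResult, ...]) -> float:
    """Share of claimed controls that survived testing (1.0 means every claim held up)."""
    claimed = sum(len(r.claimed_controls) for r in results)
    verified = sum(len(r.claimed_controls & r.verified_controls) for r in results)
    return verified / claimed if claimed else 1.0


# Constructed sample data; hostnames and controls are hypothetical.
SAMPLE_RESULTS: tuple[TestResult, ...] = (
    TestResult("web-01", True, 3, ("db-01",),
               frozenset({"acl", "tls", "logging"}), frozenset({"tls", "logging"})),
    TestResult("db-01", False, 0, (),
               frozenset({"acl", "encryption-at-rest"}), frozenset({"acl"})),
    TestResult("vpn-gw", True, 2, ("ad-01",),
               frozenset({"mfa"}), frozenset({"mfa"})),
)


def report(results: tuple[TestResult, ...] = SAMPLE_RESULTS) -> str:
    """Human-readable summary of what the test measured versus what was claimed."""
    p = porosity(results)
    lines = [f"Porosity {p['porosity']} (visibility {p['visibility']}, "
             f"access {p['access']}, trust {p['trust']})"]
    for target, missing in control_gap(results).items():
        lines.append(f"{target}: claimed but unverified -> {', '.join(sorted(missing))}")
    lines.append(f"Claimed controls verified: {verification_ratio(results):.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The ratio is deliberately not a score to be proud of: a claimed control that was never exercised contributes nothing to it, which is exactly the stance the OSSTMM takes toward unverified evidence.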

Why Griffin Cyber Solutions Chooses the OSSTMM

At Griffin Cyber Solutions, we believe that a “clean” audit report is worthless if it doesn’t represent a hardened environment. By using the OSSTMM as our guiding light, we provide:

  • Actual Attack Simulations: We don’t just look at your settings; we try to break them.
  • Measurable Improvements: We provide a baseline RAV score and show exactly how our remediations improve your operational security.
  • Defense Against “Teleporting” Attackers: By focusing on the application layer and individual assets (The Möbius Defense), we ensure that even if one control fails, the rest of the system holds.

The Bottom Line

The Delve scandal is a wake-up call. Compliance theater might get you through a procurement questionnaire, but it won’t stop a data breach. If you want to know if your controls actually work, stop taking someone’s word for it. Test them.

#CyberSecurity #SOC2 #OSSTMM #GriffinCyber #ComplianceFraud #Infosec #PenetrationTesting #ISECO