Vanta support (finally!)

TL;DR: Vanta support is now available for orgs with the Compliance package. You can activate it from the Vanta side or from under the Compliance tab in the Fly.io dashboard. Huzzah.

At one point I mentioned that Vanta support was coming. And then… crickets. For over a year! What the heck?

First, mea culpa. The work was (seemingly) close to being done, but then, in classic reverse Pareto style, the remaining 20% of the work took 80% of the effort. I’m sorry that I estimated so poorly, and I’m sorry I kept folks waiting. However, that remaining 20% was all due to some security guidelines we have here and, while it took a LONG TIME to implement them, the guidelines (and our implementations of them) are worthwhile and worth discussing.

The overarching guideline is, to quote from our earlier blog piece “Tokenized Tokens”:

“all secrets are hazmat”

And that’s why Ben wrote tokenizer and ssokenizer. They’re super cool. Read the blog and check them out. He does a great job explaining the philosophy and I won’t bore you repeating it here.

So, back to Vanta. We want to keep our customers’ Vanta access tokens out of our databases, but we will need the tokens to actually write to Vanta. Fine: let’s do the dance to handle Vanta auth and access via tokenizer and ssokenizer. Easy enough.

But then I hit some limits of the tokenizer and ssokenizer code. First, we had to add functionality to allow passing allow-listed parameters in the request. Second, there was a single (but important) operation where the auth token has to be sent in the body of the request, as opposed to the header, so I had to add an additional injector to the tokenizer.

The total amount of code was small (and Ben wrote most of it), but the triage, development, and testing, along with prioritized security work, meant it took way, way, way longer than expected. Again, sorry about that.

But, after a long wait, Vanta integration is here and syncs your org membership, roles, and 2FA status. We may expand upon the functionality at some point as we see what demand looks like but, for now, sign up for the Compliance package (if you haven’t already) and let us know how you get on.

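The injection and allow-listing described in the post above, as an added illustrative example (my own code, not tokenizer’s, ssokenizer’s or Fly.io’s implementation): one policy-checked step of a secret-injecting proxy, with a header injector, a body injector for the case where the token has to travel inside a JSON body, and allow-lists for the upstream host and for the query parameters the caller may pass through. Everything specific is assumed: the host api.vanta.example, the client_secret field, the vault map and the token value are placeholders, and the real tokenizer seals secrets to the proxy’s key rather than holding them in a map.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Injector says where the proxy puts the token: the Authorization header or a field of a JSON body.
type Injector int

const (
	HeaderInjector Injector = iota
	BodyInjector
)

// SecretRef is what the app hands the proxy instead of the token: an opaque ID plus a usage policy.
type SecretRef struct {
	ID          string
	Inject      Injector
	BodyField   string          // JSON key that receives the token (BodyInjector)
	AllowHosts  map[string]bool // upstream hosts the token may be sent to
	AllowParams map[string]bool // query parameters the app may pass through
}

// vault stands in for the sealed secret store. Constructed sample data; not a real token.
var vault = map[string]string{"vanta-org-123": "vta_example_not_a_real_token"}

var ErrDisallowedHost = errors.New("upstream host not on allow-list")
var ErrDisallowedParam = errors.New("query parameter not on allow-list")

// InjectSecret rewrites an outbound request so the real token reaches the upstream.
// Policy is checked before the token is looked up, so a bad request never touches hazmat.
func InjectSecret(req *http.Request, ref SecretRef) error {
	if !ref.AllowHosts[req.URL.Host] {
		return fmt.Errorf("%w: %s", ErrDisallowedHost, req.URL.Host)
	}
	for name := range req.URL.Query() {
		if !ref.AllowParams[name] {
			return fmt.Errorf("%w: %s", ErrDisallowedParam, name)
		}
	}
	token, ok := vault[ref.ID]
	if !ok {
		return errors.New("unknown secret reference")
	}
	if ref.Inject == HeaderInjector {
		req.Header.Set("Authorization", "Bearer "+token)
		return nil
	}
	// Body injector: merge the token into the caller's JSON object (keeping the
	// caller's own fields), then swap in the new body and its length.
	body := map[string]any{}
	if req.Body != nil && req.Body != http.NoBody {
		if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
			return fmt.Errorf("body is not a JSON object: %w", err)
		}
	}
	body[ref.BodyField] = token
	buf, err := json.Marshal(body)
	if err != nil {
		return err
	}
	req.Body = io.NopCloser(strings.NewReader(string(buf)))
	req.ContentLength = int64(len(buf))
	req.Header.Set("Content-Type", "application/json")
	return nil
}

// vantaRef is the sample policy; api.vanta.example and client_secret are
// placeholders, not Vanta's real host or field name.
func vantaRef(inj Injector) SecretRef {
	return SecretRef{ID: "vanta-org-123", Inject: inj, BodyField: "client_secret",
		AllowHosts:  map[string]bool{"api.vanta.example": true},
		AllowParams: map[string]bool{"page": true}}
}

// Send builds a request as the app would and returns the Authorization header and JSON body the upstream would see.
func Send(method, rawURL, jsonBody string, inj Injector) (string, map[string]any, error) {
	req, err := http.NewRequest(method, rawURL, strings.NewReader(jsonBody))
	if err != nil {
		return "", nil, err
	}
	if err := InjectSecret(req, vantaRef(inj)); err != nil {
		return "", nil, err
	}
	body := map[string]any{}
	_ = json.NewDecoder(req.Body).Decode(&body) // EOF on an empty body is fine
	return req.Header.Get("Authorization"), body, nil
}

func main() {
	fmt.Println(Send(http.MethodGet, "https://api.vanta.example/v1/users?page=2", "", HeaderInjector))
	fmt.Println(Send(http.MethodPost, "https://api.vanta.example/v1/token", `{"client_id":"org-123"}`, BodyInjector))
	fmt.Println(Send(http.MethodGet, "https://api.vanta.example/v1/users?debug=1", "", HeaderInjector))
}
```

Run it and the GET comes out with a Bearer header, the POST comes out with the token merged into the caller’s JSON body, and the request carrying a stray debug parameter is refused before the secret is even resolved. That ordering is the point: the host and parameter allow-lists run first, so a caller who controls the URL cannot steer the token to a host of their choosing or smuggle it out through an unexpected parameter.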

We’re getting a 404 when pressing the Compliance / Vanta button. 😅
This sso.fly.io page can’t be found

No web page was found for the web address: https://sso.fly.io

I just checked and it looks like one of the ssokenizer machines didn’t get the update. That’s fixed and you should be GTG. Thanks for flagging this!