On a project I've been working on, I've been preparing for a SOC 2 Type II audit. My responsibilities have mostly been on the engineering/IT side, ensuring that our SaaS is deployed and developed according to the processes the SOC 2 controls require. This isn't something a developer would willingly or enthusiastically take on, right? I can't believe I'm saying this out loud, but actually ... it hasn't been that bad. The biggest reason for this has definitely been Vanta. Vanta has distilled the rather hard-to-decipher process descriptions into actionable items. As far as I know, SOC 2 isn't a one-size-fits-all (SaaS provider) certification; the criteria are fixed, but the concrete controls and the evidence you need depend on your stack - which makes sense. Plugging in all our services, from cloud providers to issue trackers, spits out a tailored task list. The task list can even include literal Terraform code examples, which you can copy-paste with minor changes. You could kind of get a similar list from AWS Audit Manager or AWS Security
On a project I'm working on we are using PgCat as the PostgreSQL connection pooler in front of the database. We chose it mainly based on gut feeling, as pgbouncer seems a bit dated, although it would arguably have been the safe choice. I was looking into the connection times using our tracing tool (Sentry) and noticed that establishing a connection takes about 50ms. That is a bit slow, right? It was easy enough to confirm that it is indeed very slow: establishing a direct connection to the mostly idle Postgres is in the sub-5ms range. I quickly found a ticket about connection slowness, hinting that the problem could be related to TCP_NODELAY. Setting that socket option disables Nagle's algorithm, which holds back small segments until the data already in flight has been acknowledged, so that many small writes get batched into fewer packets. When the peer also delays its ACKs, each small write can stall for tens of milliseconds. The PostgreSQL startup handshake between the client and PgCat is exactly that kind of exchange of small messages, so the extra buffering is actively harmful there. And sure enough, after upgrading PgCat, we see sub-5ms connection times. So why use PgCat at all? For us, it is for scaling purposes but not for load distri
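To make the Nagle/TCP_NODELAY interaction concrete, here is an added example that is not part of the original post and not PgCat's code. It stands up a loopback server that waits for a request sent as two small writes (the write-write-read pattern that a protocol handshake produces) and then replies, and it times that exchange with TCP_NODELAY off and on. The server, the message bytes and the timing function are constructed for the demo; the option names are the standard ones from the Python socket module. `nodelay_enabled` is the check to run against any pooler or client socket you suspect of this problem. The size of the stall you see depends on the kernel's delayed-ACK behaviour (Linux ACKs the first few segments of a connection immediately, so loopback may not show it), which is why the test asserts on the option being set and the exchange completing rather than on a specific latency.

```python
import socket
import threading
import time

# Constructed two-part request: a small header and a small body sent as
# separate writes, followed by one read of the reply.
HEADER = b"HDR"
BODY = b"body"
REPLY = b"ok"


def make_client_socket(nodelay: bool) -> socket.socket:
    """Create an unconnected TCP socket with TCP_NODELAY set as requested."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1 if nodelay else 0)
    return sock


def nodelay_enabled(sock: socket.socket) -> bool:
    """Read TCP_NODELAY back from the socket (non-zero means Nagle is off)."""
    return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY) != 0


def _serve_one(listener: socket.socket) -> None:
    """Accept one client, wait for header+body, then send the reply."""
    conn, _ = listener.accept()
    with conn:
        got = b""
        while len(got) < len(HEADER) + len(BODY):
            chunk = conn.recv(64)
            if not chunk:
                return
            got += chunk
        conn.sendall(REPLY)


def probe(nodelay: bool) -> float:
    """Run one write-write-read exchange over loopback.

    Returns the elapsed time in milliseconds from the first write to the reply.
    With Nagle enabled the second write may be held until the first is ACKed;
    with TCP_NODELAY it goes out immediately.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_one, args=(listener,), daemon=True)
    server.start()

    client = make_client_socket(nodelay)
    with client:
        client.connect(("127.0.0.1", port))
        start = time.perf_counter()
        client.sendall(HEADER)   # first small write: sent right away
        client.sendall(BODY)     # second small write: subject to Nagle
        reply = b""
        while len(reply) < len(REPLY):
            chunk = client.recv(64)
            if not chunk:
                break
            reply += chunk
        elapsed_ms = (time.perf_counter() - start) * 1000.0

    server.join()
    listener.close()
    if reply != REPLY:
        raise RuntimeError(f"unexpected reply {reply!r}")
    return elapsed_ms


if __name__ == "__main__":
    for flag in (False, True):
        print(f"TCP_NODELAY={'on' if flag else 'off'}: {probe(flag):.2f} ms")
```

Run it a few times and compare the two lines; on a host with delayed ACKs active the `off` case is the one that jumps to tens of milliseconds, which is the same shape as the ~50ms connection times described above.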