Vendor-Neutral Initiative Sets Bare-Minimum Baseline for Security
Google on Wednesday announced the Minimum Viable Secure Product (MVSP) initiative, partnering with some of tech’s biggest names to create a vendor-neutral minimum baseline criteria for secure products.
Aimed at eliminating the need for organizations to design and implement their own security baselines, the MVSP effort is vendor agnostic and is designed to increase clarity during each phase of the procurement process.
Built and backed by organizations like Google, Okta, Salesforce, Slack, and others, the initiative aims to increase the minimum bar for security and to simplify the vetting process.
Through MVSP, a set of minimum security requirements is being developed for business-to-business applications, as well as for outsourcing suppliers. A series of proposed controls should be implemented to ensure that minimum security is achieved and to help improve security posture.
At a bare minimum, MVSP requires vendors to implement a vulnerability reporting process and to allow customer testing. Organizations should review their security programs, allow external testing, train their employees, ensure compliance with applicable standards and requirements, and have incident response and data sanitization processes in place.
For applications, the initiative requires the implementation of Single Sign-On and HTTPS-only, as well as the existence of content security and password policies, the use of standardized libraries to improve security, the implementation of processes to identify and address vulnerabilities, logging, encryption, and backup and disaster recovery capabilities.
Various other application implementation and operational controls are also included, to help security teams perform vendor assessments and internal reviews faster, and to support compliance, legal, and procurement teams in their work.
“We recommend that all companies building B2B software or otherwise handling sensitive information under its broadest definition implement the listed controls and are strongly encouraged to go well beyond them in their security programs,” the group said in a statement.