
Partner Perspectives
Sponsored by Malwarebytes Labs
10/24/2016 12:40 PM

Vendor Security Alliance To Improve Cybersecurity Of Third-Party Providers

Member companies can use their VSA rating when offering their services, effectively skipping the process of verification done by prospective businesses.

Nine companies -- Airbnb, Atlassian, Docker, Dropbox, GoDaddy, Palantir, Square, Twitter, and Uber -- recently founded the Vendor Security Alliance, an independent, non-profit coalition that aims to help member companies evaluate and assess the security and privacy of third-party providers that they heavily rely on and with whom they entrust their users’ most important data. The companies also have taken it upon themselves to standardize and create a benchmark of acceptable cybersecurity practices with which vendors need to comply.

In a blog post, George Totev of Atlassian gives readers a bird’s eye view of how the alliance will perform its duties:

We believe trust begins with transparency and accountability, and having an independent entity [to] manage this process for all its members will provide an efficient, common, and credible way of evaluating the vendors we all use. [For example] each cloud company will be evaluated, audited, and scored based on a set of common criteria that measures cybersecurity risk, policies, procedures, privacy, vulnerability management, and data security.

Each year, the VSA will create and push out a security and compliance questionnaire that companies can use to assess vendor risks based on a set of predetermined criteria. (Note that only members of the VSA can go through an independent auditing of vendors.) Once scored, vendors can then use their VSA rating when offering their services, effectively skipping the process of verification done by prospective businesses.

The VSA made the first questionnaire available to the public on Oct. 1.

Ken Baylor, president of the VSA and head of compliance at Uber, explains why this alliance is an industry game changer:

Companies belonging to the VSA can draw on the collective expertise across the industry, gaining trust and verification of vendors’ security practices. The VSA will also enable companies to save time and money through the use of a standardized cybersecurity evaluation with real-time answers. The current way of evaluating cybersecurity risks and approving vendors can take several months -- the new VSA process cuts the process down to minutes.

It’s important to mention that the VSA is only one of several security groups that aim to address one part -- namely third-party security compliance and risks -- of a complicated cybersecurity problem we all face.

In March 2009, eBay and ING announced the formation of the Cloud Security Alliance in order to promote best practices for secure cloud computing. Then in September 2015, AirWatch formed the Mobile Security Alliance together with 10 other companies, aiming to mitigate the growing threats in the mobile landscape.

Comments
Benefiter, User Rank: Apprentice
11/12/2016 | 10:11:09 AM
Re:
I have a hard time describing my thoughts on content, but I really felt I should here. Your article is really great. I like the way you wrote this information.
Lily652, User Rank: Moderator
11/12/2016 | 5:01:41 AM
prayer times
I really like your page and the author's style. I am always looking for your new posts. Thank you, I really like it, it is useful.

UmeshKTiwari, User Rank: Strategist
10/24/2016 | 10:39:51 AM
Vendor Security Alliance...
Great idea and makes a lot of sense. I think, much like the utility model of cloud-based IT infrastructure services, cyber security assurance services can mature and benefit from a standards-based utility model that allows technology vendors a reasonable and predictable path to gain a reasonable security assurance standard (and attestation) that a lot of consumer companies can subscribe to, without having to hire their own staff of cyber security assurance experts.
