Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

9/16/2016
11:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Uber, Dropbox, Other Tech Leaders Team Up To Boost Vendor Security

Tech companies - including Uber, Dropbox, Twitter, and Docker - have joined forces to create the Vendor Security Alliance, which aims to vet vendor security practices.

Oftentimes compromised vendor systems are the gateways leading to major security breaches. Nine prominent tech companies are joining forces to prevent these types of attacks with the Vendor Security Alliance (VSA).

VSA is a coalition of organizations committed to improving Internet security. The group will create standards for vendors' security practices so enterprise customers can gauge the safety of their products and services.

The effort was spearheaded by Ken Baylor, Uber's head of compliance. In addition to Uber, founding businesses include Docker, Palantir, Twitter, Atlassian, GoDaddy, Dropbox, Square, and Airbnb.

"Every day, industries across the globe depend on each other to embrace sound cybersecurity practices: yet in the past companies have not had a standardized way to assess the security of their peers," writes the group in its mission statement. "The VSA was formed to solve these issues and streamline vendor security compliance."

Each year, the VSA will collaborate with security experts and compliance officers to release a questionnaire so companies can determine their level of risk. Questions are intended to evaluate vendors and make sure the right controls are in place to boost security.

The questionnaire will measure risk by addressing areas including policies, procedures, privacy, vulnerability management, and data security, explains Uber's Baylor in a blog post on the news. Its scoring process will help standardize cybersecurity practices across businesses.

When complete, the questionnaire will be evaluated, audited, and scored by an independent third-party auditor working with the group, he continues. Vendors will earn points for strong practices, and lose them for anything that may increase security risks.

As they offer their products and services to companies within the VSA, vendors can use their scores to demonstrate the strength of their security practices without requiring additional audits.

"Sharing expertise and standardizing acceptable cybersecurity practices will create a baseline of acceptable security for all vendors, as well as reduce vendor risk," says Baylor. "Companies belonging to the VSA can draw on the collective expertise across the industry, gaining trust and verification of vendors' security practices."

The VSA reports its first questionnaire will be made available on Oct. 1 and will be free of charge. The group will create a new questionnaire each year to raise standards for vendors and hold them accountable for strong security measures.

"We believe trust begins with transparency and accountability, and having an independent entity manage this process for all its members will provide an efficient, common, and credible way of evaluating the vendors we all use," adds George Totev, head of risk and compliance at Atlassian, in a blog post.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
9/26/2016 | 3:55:18 PM
Non security Tech vendors leading the vendor security compliance charge?
I woudl expect such initiative to come from security vendors and/or cyberinsurance providers. Interesting to see what this alliance will come up with and how its participants will draw from their experience.
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27254
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800. Authentication is not required to exploit this vulnerability. The specific flaw exists within the apply_save.cgi endpoint. This issue results from the use of hard-coded encrypti...
CVE-2021-27255
PUBLISHED: 2021-03-05
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the refresh_status.aspx endpoint. The issue results from a lack of...
CVE-2021-27256
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists wit...
CVE-2021-27257
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via...
CVE-2021-26705
PUBLISHED: 2021-03-05
An issue was discovered in SquareBox CatDV Server through 9.2. An attacker can invoke sensitive RMI methods such as getConnections without authentication, the results of which can be used to generate valid authentication tokens. These tokens can then be used to invoke administrative tasks within the...