Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

9/16/2016
11:30 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Uber, Dropbox, Other Tech Leaders Team Up To Boost Vendor Security

Tech companies - including Uber, Dropbox, Twitter, and Docker - have joined forces to create the Vendor Security Alliance, which aims to vet vendor security practices.

Oftentimes compromised vendor systems are the gateways leading to major security breaches. Nine prominent tech companies are joining forces to prevent these types of attacks with the Vendor Security Alliance (VSA).

VSA is a coalition of organizations committed to improving Internet security. The group will create standards for vendors' security practices so enterprise customers can gauge the safety of their products and services.

The effort was spearheaded by Ken Baylor, Uber's head of compliance. In addition to Uber, founding businesses include Docker, Palantir, Twitter, Atlassian, GoDaddy, Dropbox, Square, and Airbnb.

"Every day, industries across the globe depend on each other to embrace sound cybersecurity practices: yet in the past companies have not had a standardized way to assess the security of their peers," writes the group in its mission statement. "The VSA was formed to solve these issues and streamline vendor security compliance."

Each year, the VSA will collaborate with security experts and compliance officers to release a questionnaire so companies can determine their level of risk. Questions are intended to evaluate vendors and make sure the right controls are in place to boost security.

The questionnaire will measure risk by addressing areas including policies, procedures, privacy, vulnerability management, and data security, explains Uber's Baylor in a blog post on the news. Its scoring process will help standardize cybersecurity practices across businesses.

When complete, the questionnaire will be evaluated, audited, and scored by an independent third-party auditor working with the group, he continues. Vendors will earn points for strong practices, and lose them for anything that may increase security risks.

As they offer their products and services to companies within the VSA, vendors can use their scores to demonstrate the strength of their security practices without requiring additional audits.

"Sharing expertise and standardizing acceptable cybersecurity practices will create a baseline of acceptable security for all vendors, as well as reduce vendor risk," says Baylor. "Companies belonging to the VSA can draw on the collective expertise across the industry, gaining trust and verification of vendors' security practices."

The VSA reports its first questionnaire will be made available on Oct. 1 and will be free of charge. The group will create a new questionnaire each year to raise standards for vendors and hold them accountable for strong security measures.

"We believe trust begins with transparency and accountability, and having an independent entity manage this process for all its members will provide an efficient, common, and credible way of evaluating the vendors we all use," adds George Totev, head of risk and compliance at Atlassian, in a blog post.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
9/26/2016 | 3:55:18 PM
Non security Tech vendors leading the vendor security compliance charge?
I woudl expect such initiative to come from security vendors and/or cyberinsurance providers. Interesting to see what this alliance will come up with and how its participants will draw from their experience.
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13157
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...