Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

9/16/2016
11:30 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Uber, Dropbox, Other Tech Leaders Team Up To Boost Vendor Security

Tech companies - including Uber, Dropbox, Twitter, and Docker - have joined forces to create the Vendor Security Alliance, which aims to vet vendor security practices.

Oftentimes compromised vendor systems are the gateways leading to major security breaches. Nine prominent tech companies are joining forces to prevent these types of attacks with the Vendor Security Alliance (VSA).

VSA is a coalition of organizations committed to improving Internet security. The group will create standards for vendors' security practices so enterprise customers can gauge the safety of their products and services.

The effort was spearheaded by Ken Baylor, Uber's head of compliance. In addition to Uber, founding businesses include Docker, Palantir, Twitter, Atlassian, GoDaddy, Dropbox, Square, and Airbnb.

"Every day, industries across the globe depend on each other to embrace sound cybersecurity practices: yet in the past companies have not had a standardized way to assess the security of their peers," writes the group in its mission statement. "The VSA was formed to solve these issues and streamline vendor security compliance."

Each year, the VSA will collaborate with security experts and compliance officers to release a questionnaire so companies can determine their level of risk. Questions are intended to evaluate vendors and make sure the right controls are in place to boost security.

The questionnaire will measure risk by addressing areas including policies, procedures, privacy, vulnerability management, and data security, explains Uber's Baylor in a blog post on the news. Its scoring process will help standardize cybersecurity practices across businesses.

When complete, the questionnaire will be evaluated, audited, and scored by an independent third-party auditor working with the group, he continues. Vendors will earn points for strong practices, and lose them for anything that may increase security risks.

As they offer their products and services to companies within the VSA, vendors can use their scores to demonstrate the strength of their security practices without requiring additional audits.

"Sharing expertise and standardizing acceptable cybersecurity practices will create a baseline of acceptable security for all vendors, as well as reduce vendor risk," says Baylor. "Companies belonging to the VSA can draw on the collective expertise across the industry, gaining trust and verification of vendors' security practices."

The VSA reports its first questionnaire will be made available on Oct. 1 and will be free of charge. The group will create a new questionnaire each year to raise standards for vendors and hold them accountable for strong security measures.

"We believe trust begins with transparency and accountability, and having an independent entity manage this process for all its members will provide an efficient, common, and credible way of evaluating the vendors we all use," adds George Totev, head of risk and compliance at Atlassian, in a blog post.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
9/26/2016 | 3:55:18 PM
Non security Tech vendors leading the vendor security compliance charge?
I woudl expect such initiative to come from security vendors and/or cyberinsurance providers. Interesting to see what this alliance will come up with and how its participants will draw from their experience.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.