Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

9/16/2016
11:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Uber, Dropbox, Other Tech Leaders Team Up To Boost Vendor Security

Tech companies - including Uber, Dropbox, Twitter, and Docker - have joined forces to create the Vendor Security Alliance, which aims to vet vendor security practices.

Oftentimes compromised vendor systems are the gateways leading to major security breaches. Nine prominent tech companies are joining forces to prevent these types of attacks with the Vendor Security Alliance (VSA).

VSA is a coalition of organizations committed to improving Internet security. The group will create standards for vendors' security practices so enterprise customers can gauge the safety of their products and services.

The effort was spearheaded by Ken Baylor, Uber's head of compliance. In addition to Uber, founding businesses include Docker, Palantir, Twitter, Atlassian, GoDaddy, Dropbox, Square, and Airbnb.

"Every day, industries across the globe depend on each other to embrace sound cybersecurity practices: yet in the past companies have not had a standardized way to assess the security of their peers," writes the group in its mission statement. "The VSA was formed to solve these issues and streamline vendor security compliance."

Each year, the VSA will collaborate with security experts and compliance officers to release a questionnaire so companies can determine their level of risk. Questions are intended to evaluate vendors and make sure the right controls are in place to boost security.

The questionnaire will measure risk by addressing areas including policies, procedures, privacy, vulnerability management, and data security, explains Uber's Baylor in a blog post on the news. Its scoring process will help standardize cybersecurity practices across businesses.

When complete, the questionnaire will be evaluated, audited, and scored by an independent third-party auditor working with the group, he continues. Vendors will earn points for strong practices, and lose them for anything that may increase security risks.

As they offer their products and services to companies within the VSA, vendors can use their scores to demonstrate the strength of their security practices without requiring additional audits.

"Sharing expertise and standardizing acceptable cybersecurity practices will create a baseline of acceptable security for all vendors, as well as reduce vendor risk," says Baylor. "Companies belonging to the VSA can draw on the collective expertise across the industry, gaining trust and verification of vendors' security practices."

The VSA reports its first questionnaire will be made available on Oct. 1 and will be free of charge. The group will create a new questionnaire each year to raise standards for vendors and hold them accountable for strong security measures.

"We believe trust begins with transparency and accountability, and having an independent entity manage this process for all its members will provide an efficient, common, and credible way of evaluating the vendors we all use," adds George Totev, head of risk and compliance at Atlassian, in a blog post.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
9/26/2016 | 3:55:18 PM
Non security Tech vendors leading the vendor security compliance charge?
I woudl expect such initiative to come from security vendors and/or cyberinsurance providers. Interesting to see what this alliance will come up with and how its participants will draw from their experience.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7856
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE-2021-28793
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-25679
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
CVE-2021-25680
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
CVE-2021-25681
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...