Tech companies - including Uber, Dropbox, Twitter, and Docker - have joined forces to create the Vendor Security Alliance, which aims to vet vendor security practices.

Kelly Sheridan, Former Senior Editor, Dark Reading

September 16, 2016

2 Min Read

Oftentimes compromised vendor systems are the gateways leading to major security breaches. Nine prominent tech companies are joining forces to prevent these types of attacks with the Vendor Security Alliance (VSA).

VSA is a coalition of organizations committed to improving Internet security. The group will create standards for vendors' security practices so enterprise customers can gauge the safety of their products and services.

The effort was spearheaded by Ken Baylor, Uber's head of compliance. In addition to Uber, founding businesses include Docker, Palantir, Twitter, Atlassian, GoDaddy, Dropbox, Square, and Airbnb.

"Every day, industries across the globe depend on each other to embrace sound cybersecurity practices: yet in the past companies have not had a standardized way to assess the security of their peers," writes the group in its mission statement. "The VSA was formed to solve these issues and streamline vendor security compliance."

Each year, the VSA will collaborate with security experts and compliance officers to release a questionnaire so companies can determine their level of risk. Questions are intended to evaluate vendors and make sure the right controls are in place to boost security.

The questionnaire will measure risk by addressing areas including policies, procedures, privacy, vulnerability management, and data security, explains Uber's Baylor in a blog post on the news. Its scoring process will help standardize cybersecurity practices across businesses.

When complete, the questionnaire will be evaluated, audited, and scored by an independent third-party auditor working with the group, he continues. Vendors will earn points for strong practices, and lose them for anything that may increase security risks.

As they offer their products and services to companies within the VSA, vendors can use their scores to demonstrate the strength of their security practices without requiring additional audits.

"Sharing expertise and standardizing acceptable cybersecurity practices will create a baseline of acceptable security for all vendors, as well as reduce vendor risk," says Baylor. "Companies belonging to the VSA can draw on the collective expertise across the industry, gaining trust and verification of vendors' security practices."

The VSA reports its first questionnaire will be made available on Oct. 1 and will be free of charge. The group will create a new questionnaire each year to raise standards for vendors and hold them accountable for strong security measures.

"We believe trust begins with transparency and accountability, and having an independent entity manage this process for all its members will provide an efficient, common, and credible way of evaluating the vendors we all use," adds George Totev, head of risk and compliance at Atlassian, in a blog post.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights