How InfoSec Should Use the Minimum Viable Secure Product Checklist

A team of tech companies including Google, Salesforce, Slack, and Okta recently released the Minimum Viable Secure Product (MVSP) checklist, a vendor-neutral security baseline listing minimum acceptable security requirements for B2B software and business process outsourcing suppliers.

The news arrives at a time when many organizations are growing concerned about the security of third-party tools and processes they use. After attacks such as those involving SolarWinds and Kaseya, businesses are increasingly aware of how third-party tools and services could serve as a gateway to attackers.

This trend has prompted a broader conversation about the IT supply chain and how companies interact with vendors to determine the security of third-party products. Many organizations have historically used vendor security review questionnaires to determine the strength of a vendor's software security, says Royal Hansen, vice president of security at Google, which he notes released its own open source Vendor Security Assessment Questionnaire in 2016.

"While these questionnaires can be helpful, they are often long, complex and time-consuming," Hansen says. "As a result, the detection of serious blockers often come too late in a project to make changes, so they're not effective for RFPs and early-stage reviews."

Businesses have also built their own, sometimes arbitrary, lists of security measures, adds Jim Alkove, chief trust officer at Salesforce. This created a headache for vendors that had to then comply with potentially thousands of different requirements, he adds. In these cases, errors happen, creating new attack vectors.

"It's human nature," Alkove says. "A lot of cybersecurity comes down to doing common things uncommonly well. However, there's no universal standard as to what those 'common things' are."

The concept of a minimum security baseline, which evolved to become the MVSP, started with core engineers from Salesforce and Google who saw the opportunity to create a simple set of controls that could be used throughout the vendor onboarding process. Their idea expanded to include input from other tech firms that brought their advice and lessons learned to the project.

Over multiple years, they created a vendor-neutral security baseline that establishes minimum acceptable security requirements to make sure core security components are present before moving forward, Hansen says. The MVSP's set of controls can be applied at all stages of the vendor onboarding cycle, from vendor selection, to assessment, to contractual controls. The list is intended to provide greater clarity throughout the process and simplify vendor vetting by condensing thousands of requirements into an easy-to-use format.

Developing a simple framework was a complex process, Hansen notes. There are many security issues to consider, and it needed to apply to a vast range of possible applications and services.

"It's easy to determine the controls you want to see, but establishing what should be included at a minimum was difficult to narrow down and it required a number of iterations," he says.

How Should You Use It?
There's no single way to use the MVSP, Hansen notes. Each organization can use it as they see fit and adapt the checklist to their individual needs.

Security teams, for example, can use it to communicate minimum requirements for tools and services up front, so others know where they stand, and they communicate clear expectations. Procurement teams can use the list to collect information about vendor services; legal teams can use the MVSP as a baseline while negotiating contractual controls, he wrote in a blog post.

"Companies who provide B2B applications or services can also use the MVSP to measure their own product maturity and identify key gaps," Hansen adds, noting this could also be helpful in cases when new products are being developed. Some elements of the MVSP won't be relevant to some individual products, such as those with no Web-based service.

The MVSP "checks a valuable box" by providing a high level of assurance for the security practices of vendors in the supply chain, says Alkove, but it's not the only tool organizations should use.

"It's still contingent on every organization to develop a robust cybersecurity strategy specific to their company, industry, market, and more — one that nails the basics," such as enforcing multifactor authentication for employees accessing corporate networks and investing in security to stay ahead of attackers.

A Starting Point
The MVSP is an open source security standard maintained by a working group that includes members from Google, Salesforce, Okta, and Slack, and the team hopes to expand this group in the coming months. Members plan to regularly review and update the MVSP's controls over time, and they expect that major releases will happen each year following a review process.

Future versions of the MVSP will review how the current controls can evolve and aim to bring improvements to system security, Hansen says. The team believes this will help improve industry security over time as organizations start to adopt the MVSP within their processes.

"We all have to raise the bar over time," says Alkove. "Today's baseline is not tomorrow's, and security professionals must continuously innovate to keep organizations ahead of tomorrow's threats."