A new vendor-neutral security baseline called Minimum Viable Secure Product (MVSP) is designed to list the minimum acceptable security requirements for B2B and business process outsourcing software vendors. MVSP was developed and supported by technology companies such as Google, Salesforce, Slack and Okta.
“Our goal is to raise the minimum bar for security across the industry while simplifying the verification process,” Royal Hansen, vice president of security at Google, said in a blog post. He cites a study by the Opus and Ponemon Institute which found that 59% of companies experienced a breach caused by one of their vendors or a third party.
Organizations have traditionally had to design and implement their own vendor security baselines based on their level of risk; however, this creates an “impossible situation” for vendors and businesses as they attempt to meet thousands of different requirements.
The MVSP aims to reduce the complexity of sourcing, bidding, and vendor security assessment with a checklist of minimum acceptable baselines for verifying a product’s security posture and understand its security vulnerabilities.
“Designed with simplicity in mind, the checklist contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture,” the officials say at the top of the document.
All companies that build B2B software or handle sensitive information “in its broadest definition” are advised to implement the controls.
Read more details here.