Google Open Sources Vendor Security Assessment Framework

Google Releases Source Code of Security Assessment Questionnaire

Google announced on Monday that it has decided to open source its Vendor Security Assessment Questionnaire (VSAQ) framework to help companies improve their security programs.

While it is owned by Google, the VSAQ is not an official product of the search giant. The interactive questionnaire application was developed to support security reviews: it facilitates the collection of information from a vendor and lets users display that information in template form.

Google uses such questionnaires to evaluate third-party vendors’ security and privacy posture, but the company pointed out that they can also be used for self-assessment or for becoming familiar with security issues. The decision to release VSAQ as open source comes after some of the vendors who completed the questionnaires expressed interest in using them to assess their own suppliers.

“We hope it will help companies spin up, or further improve their own vendor security programs. We also hope the base questionnaires can serve as a self-assessment tool for security-conscious companies and developers looking to improve their security posture,” Lukas Weichselbaum and Daniel Fabian of Google Security explained in a joint blog post.

The VSAQ framework released by Google as open source includes four questionnaire templates for web app security, security and privacy programs, physical and data center security, and infrastructure security. These base templates can be modified to include questions specific to the company using the VSAQ.

“The VSAQ Framework comes with a simple client-side-only reference implementation that’s suitable for self-assessments, for vendor security programs with a moderate throughput, and for just trying out the framework,” said Weichselbaum and Fabian. “For a high-throughput vendor security program, we recommend using the VSAQ Framework with a custom server-side component that fits your needs.”

Instructions on how to set up, build and deploy the VSAQ framework are available on Google’s GitHub page.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
