Application Security

Vendor-Neutral Initiative Sets Bare-Minimum Baseline for Security

Google on Wednesday announced the Minimum Viable Secure Product (MVSP) initiative, partnering with some of tech’s biggest names to create vendor-neutral minimum baseline criteria for secure products.


Aimed at eliminating the need for organizations to design and implement their own security baselines, the MVSP effort is vendor agnostic and is designed to increase clarity during each phase of the procurement process.

Built and backed by organizations like Google, Okta, Salesforce, Slack, and others, the initiative aims to increase the minimum bar for security and to simplify the vetting process.

Through MVSP, a set of minimum security requirements is being developed for business-to-business applications, as well as for outsourcing suppliers. A series of proposed controls should be implemented to ensure that minimum security is achieved and to help improve security posture.

At a bare minimum, the MVSP mandates that vendors implement vulnerability reporting processes and allow customer testing. Organizations should review their security programs, allow external testing, train their employees, ensure they comply with standards and requirements, and make sure they have incident response and data sanitization in place.


For applications, the initiative requires the implementation of Single Sign-On and HTTPS-only, as well as the existence of content security and password policies, the use of standardized libraries to improve security, the implementation of processes to identify and address vulnerabilities, logging, encryption, and backup and disaster recovery capabilities.

Various other application implementation and operational controls are also included, to help security teams perform vendor assessments and internal reviews faster, and to assist compliance, legal, and procurement teams in their efforts.

“We recommend that all companies building B2B software or otherwise handling sensitive information under its broadest definition implement the listed controls and are strongly encouraged to go well beyond them in their security programs,” the group said in a statement.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
