How InfoSec Should Use the Minimum Viable Secure Product Checklist

Google and Salesforce executives discuss the need for the newly released MVSP, how tech companies came together to work on it, and how organizations should use it.

A team of tech companies including Google, Salesforce, Slack, and Okta recently released the Minimum Viable Secure Product (MVSP) checklist, a vendor-neutral security baseline listing minimum acceptable security requirements for B2B software and business process outsourcing suppliers.
The news arrives at a time when many organizations are
growing concerned
about the security of third-party tools and processes they use. After attacks such as those involving SolarWinds and Kaseya, businesses are increasingly aware of how third-party tools and services could serve as a
gateway to attackers
.
This trend has prompted a broader conversation about the IT supply chain and how companies
interact with vendors
to determine the security of third-party products. Many organizations have historically used vendor security review questionnaires to determine the strength of a vendors software security, says Royal Hansen, vice president of security at Google, which he notes released its own open source Vendor Security Assessment Questionnaire in 2016.
While these questionnaires can be helpful, they are often long, complex and time-consuming, Hansen says. As a result, the detection of serious blockers often come too late in a project to make changes, so theyre not effective for RFPs and early-stage reviews.
Businesses have also built their own, sometimes arbitrary, lists of security measures, adds Jim Alkove, chief trust officer at Salesforce. This created a headache for vendors that had to then comply with potentially thousands of different requirements, he adds. In these cases, errors happen, creating new attack vectors.
Its human nature, Alkove says. A lot of cybersecurity comes down to doing common things uncommonly well. However, theres no universal standard as to what those common things are.
The concept of a minimum security baseline, which evolved to
become the MVSP
, started with core engineers from Salesforce and Google who saw the opportunity to create a simple set of controls that could be used throughout the vendor onboarding process. Their idea expanded to include input from other tech firms that brought their advice and lessons learned to the project.
Over multiple years, they created a vendor-neutral security baseline that establishes minimum acceptable security requirements to make sure core security components are present before moving forward, Hansen says. The MVSPs set of controls can be applied at all stages of the vendor onboarding cycle, from vendor selection, to assessment, to contractual controls. The list is intended to provide greater clarity throughout the process and simplify vendor vetting by condensing thousands of requirements into an easy-to-use format.
Developing a simple framework was a complex process, Hansen notes. There are many security issues to consider, and it needed to apply to a vast range of possible applications and services.
Its easy to determine the controls you want to see, but establishing what should be included at a minimum was difficult to narrow down and it required a number of iterations, he says.
How Should You Use It?
Theres no single way to use the MVSP, Hansen notes. Each organization can use it as they see fit and adapt the checklist to their individual needs.
Security teams, for example, can use it to communicate minimum requirements for tools and services up front, so others know where they stand, and they communicate clear expectations. Procurement teams can use the list to collect information about vendor services; legal teams can use the MVSP as a baseline while negotiating contractual controls, he
wrote in a blog post
.
Companies who provide B2B applications or services can also use the MVSP to measure their own product maturity and identify key gaps, Hansen adds, noting this could also be helpful in cases when new products are being developed. Some elements of the MVSP wont be relevant to some individual products, such as those with no Web-based service.
The MVSP checks a valuable box by providing a high level of assurance for the security practices of vendors in the supply chain, says Alkove, but its not the only tool organizations should use.
Its still contingent on every organization to develop a robust cybersecurity strategy specific to their company, industry, market, and more — one that nails the basics, such as enforcing multifactor authentication for employees accessing corporate networks and investing in security to stay ahead of attackers.
A Starting Point
The MVSP is an open source security standard maintained by a working group that includes members from Google, Salesforce, Okta, and Slack, and the team hopes to expand this group in the coming months. Members plan to regularly review and update the MVSPs controls over time, and they expect that major releases will happen each year following a review process.
Future versions of the MVSP will review how the current controls can evolve and aim to bring improvements to system security, Hansen says. The team believes this will help improve industry security over time as organizations start to adopt the MVSP within their processes.
We all have to raise the bar over time, says Alkove. Todays baseline is not tomorrows, and security professionals must continuously innovate to keep organizations ahead of tomorrows threats.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
How InfoSec Should Use the Minimum Viable Secure Product Checklist