The Minimum Viable Secure Product, or simply MVSP, is a concise, checks-based security baseline. It is designed so that businesses can streamline their acquisition process while ensuring a minimum level of security exists within the selected third-party products and services. Google, Dropbox, Okta, Salesforce and others have contributed to its development. The project aims to “eliminate overhead, complexity and confusion” that stems from the process described above.
Chris Ray is a senior member of a local 35+ B-league hockey team and also occasionally blogs about cybersecurity topics.
What is MVSP?
The Minimum Viable Secure Product, or simply MVSP, is a concise, checks-based security baseline. It is designed so that businesses can streamline their acquisition process while also ensuring a minimum level of security exists within the selected third-party products and services.
There is a lot to unpack in that definition, so let’s take a minute and pick it apart.
1. The MVSP is a vendor-neutral project. Companies like Google, Dropbox, Okta, Salesforce, and others have contributed to its development.
2. The MVSP builds on the idea of an MVP, or Minimum Viable Product. The MVP concept is well understood in the development world, but for those not familiar, an MVP essentially describes the absolute minimum features and qualities a product must have to be successful. The MVSP describes the absolute minimum security checks that a product/service must have to be secure.
3. It is “checks-based”. This means there is a list of “checks” or action items that the vendor takes and reviews. It is very practical in nature and asks questions that are often answered in a few words.
4. It’s pretty comprehensive! I know some of you may scoff and say “how!?” but hear me out. This list of checks covers many items which are low-hanging fruit for most organizations. The list is quite diverse as well, with checks ranging from patch management, staff training, SSO/HTTPS requirements to DR plans. It covers a lot of ground!
5. Simplicity. The creators of this project have kept simplicity as a core tenant. After all, we have plenty of overly complex security frameworks already.
6. Built from experience. When they built the MVSP, they used existing vendor contracts and questionnaires as their foundation. The checks included in the MVSP are derived from checks that have proven effective.
What problem does it solve?
The way we approach vendor risk management today is built around the concept of asking questions through questionnaires. The questionnaires are almost always a “one off” for each organization, which brings with them all the hassle of a bespoke application.
You must keep the questions updated, it will be very difficult to offload this to a third party.
You must ensure it asks the right questions for your business.
From the vendors perspective, they will have to carefully review your questions, because although they might be similar to another client, they won’t be identical.
What I described above is a common problem for many organizations. The MVSP project aims to “eliminate overhead, complexity and confusion” that stems from the process described above.
Who is it for?
If you’re building apps & services or handling your client’s data, pay attention. The MVSP project is designed to be used by a huge portion of the tech community!
What kind of “checks”?
Alright, if you are still here reading, great! That means you probably want to know what the checks in the MVSP look like. You are probably asking questions like “If I were to implement this, what kind of work am I creating for my team?
Below are a few checks I have picked out that will give you a general sense, but I encourage you to go and review all of them yourself.
1. Publish the point of contact for security reports on your website. If a vulnerability is found, make it easy for someone to report it.
2. Train your staff!
3. Enforce HTTPS only everywhere.
4. When possible use SSO.
5. Patch or mitigate vulnerabilities within 30 days (medium or higher only)
6. Hold onto logs for auth, data access, security settings changes, etc…
7. Get a pentest annually (hmmm?)
As you can see, there is a lot of promise in this project. A huge portion of cyber risk in today’s business is introduced by third parties. This project establishes a minimum level of security that non-technical people can reference and hopefully find secure solutions to their business problems.
Let me know what you think, this will help or hinder! Is it too little? What is it missing?
Also published here.