Google, tech industry propose minimum viable secure product baseline

Google announced on Wednesday that it has teamed up with Salesforce, Okta, Slack, and other unspecified companies to create a baseline for a minimum viable secure product (MVSP) for business-to-business software and business processing outsourcing suppliers.

In a blog post, Royal Hansen, Google's vice president of security, said the MVSP could increase clarity during each phase of the RFP, procurement and vendor security assessment process so all parties can achieve their goals and potentially reduce the onboarding and sales cycle by weeks — or even months.

The MVSP checklist consists of four main components: business controls, application design controls, application implementation controls, and operational controls. The developers of the MVSP want security teams to use these baselines as a checklist to understand gaps in the security of a product or service and point out opportunities for improvement.

This new effort for B2B software only addresses a subset of the attack surface, said Bud Broomhead, CEO at Viakoo. IoT and OT devices — which are often delivered with known vulnerabilities — must also have minimum viable security requirements to prevent end users from having to remediate vulnerabilities before installing new products, said Broomhead.

“Whether through regulation or collaboration, minimum security requirements should apply to all parts of the attack surface, not just B2B software,” Broomhead said.

Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber, said the MVSP initiative doesn’t absolve technology vendors from taking responsibility for product security, or from government regulation. Bar-Dayan believes that the current cyber security situation requires an all-hands-on-deck approach for the industry to ever get close to meeting expectations for real cyber security.

“Everybody wants a secure computing experience, but the reality is that our cyber interactions and lives are not secure,” Bar-Dayan said. “It doesn’t make sense to pin the blame for our insecurity on a single entity, but industry giants, government agencies, and individual users are all responsible to a degree.”

Douglas Murray, CEO at Valtix, said that while he views generating a comprehensive security baseline as a positive step forward, it has thus far been a one-sided fight. Murray said cyberthreats increasingly outpace technology and, historically, regulation never keeps up with technology.

“As more businesses incorporate the internet into their operations, cybersecurity needs competitive innovation, not regulatory hurdles,” Murray said. “The enterprise migration to the cloud has created a wild west of threats, and the need for unified prevention and visibility across data flows is paramount to any organization's continued success.”
