The collaboration is focused on creating a vendor-neutral security standard
Industry giants including Google and Salesforce have announced the creation of a “vendor-neutral” security baseline for businesses.
Dubbed the ‘Minimum Viable Secure Product’ (MVSP), the scheme will establish “minimum acceptable security baselines” for corporations, Google’s Royal Hansen, vice president of security, said in a blog post on Wednesday.
In particular, the project will focus on securing business-to-business software developers and businesses that outsource to suppliers.
According to research conducted by Opus and the Ponemon Institute, 59% of US organizations say they have suffered a data breach caused by third parties, including their vendors.
In a report published by ENISA on software supply chain attacks in Europe, 62% of incidents began with malware deployment, and more than 60% of attacks abused the trust of customers in their suppliers. In total, 58% of attacks reported were focused on data theft.
The MVSP baseline focuses on minimal standards considered to be necessary for a reasonable security posture. Its creators include Google, Salesforce, Okta, and Slack.
To keep things simple, the group has adopted a checklist for users to work their way through, which includes:
- A website point of contact for vulnerability reports
- Responses to vulnerability reports managed in a reasonable time period
- Annual penetration testing
- Data sanitization based on NIST SP 800-88 or equivalent
- Establishing minimally permissive Content Security Policies
- Secure backups
By creating a base standard that organizations are expected to meet – no matter which cybersecurity solutions they adopt or who their favorite vendors are – the coalition could ramp up the pressure on companies to maintain adequate security levels in order to remain competitive and to be considered suitable for future business relationships.
MVSP “highlight[s] opportunities for improvement and [can] raise their visibility within the organization, with clearly defined benefits,” the executive commented.
Hansen added that these controls could also reduce the complexity around contracts, legal negotiations, and compliance.
“We recommend that all companies building B2B software or otherwise handling sensitive information under its broadest definition implement the listed controls and are strongly encouraged to go well beyond them in their security programs,” the coalition states.
Google and the other project members have also asked for community feedback and for contributions to the MVSP baseline.
“Together we can raise the minimum bar for security across the industry and make everyone safer,” Hansen added.