Google has updated the Minimum Viable Secure Product (MVSP) controls, raising the baseline security requirements it expects third-party applications to meet. The update is part of Google's effort to reduce risk in its software supply chain by holding vendors to a common, verifiable set of security controls rather than ad-hoc questionnaires.
The Evolution of Google’s MVSP Program
Launched in 2021, MVSP was designed as a short checklist of the application security controls that any enterprise-ready product or service should implement, a floor rather than a full security program. The updated guidelines add more detailed advice on working with external vulnerability researchers and state that basic security features should be built into products by design rather than sold as paid add-ons.
Enhanced Guidance for External Researchers
The expanded MVSP guidance goes beyond publishing a contact point for security reports on the vendor's website. It now recommends that organizations publish a vulnerability disclosure policy, document their procedures for triaging and remediating reported vulnerabilities, acknowledge and respond to reports within a defined timeframe, and fix reported vulnerabilities within the remediation windows the MVSP controls set out.
Building Trust Between Companies and Security Researchers
The updated guidance aims to build a more trusting relationship between companies and external security researchers. By recommending a legal safe harbor for good-faith research and clear reporting and remediation processes, the guidance sets expectations for how companies should work with researchers, so that reported bugs get fixed rather than ignored or met with legal threats.
Discouraging Additional Costs for Basic Security Features
The latest version of the MVSP controls advises vendors against charging extra for basic security features such as audit logging or single sign-on. This aligns with the secure-by-design principles advocated by the US Cybersecurity and Infrastructure Security Agency (CISA): baseline protections should be available to every customer, not only to those who can pay for a premium tier.
Compliance and Enforcement Challenges
Although the MVSP controls have been available for two years, Google reports that nearly half of third-party vendors fail to meet two or more of them. Google attributes this gap to a lack of awareness, and argues that companies need to allocate resources toward meeting the controls. It also urges procurement departments and cyber insurers to require compliance, providing a 'stick' to complement the 'carrot' of a simple, public checklist.
Conclusion: A Step Towards Comprehensive Cybersecurity
Google's expansion of the MVSP program is a meaningful step toward a more consistent security baseline across the industry. By raising the bar for third-party vendors and insisting that security features be built in by design, Google improves its own supply-chain security posture and pushes the vendors it buys from, and by extension their other customers, toward the same standard.