john_mello jr
Contributor

Google expands minimum security guidelines for third-party vendors

News
08 Dec 2023 | 4 mins
Application Security, Supply Chain

Google's updated Minimum Viable Secure Product (MVSP) program offers advice for working with researchers and warns against vendors charging extra for basic security features.

Google has upgraded its recommended minimum requirements for securing third-party applications, offering more guidance on managing external bug researchers and lowering the costs for accessing basic security features by baking them into applications by design.

Google launched its Minimum Viable Secure Product (MVSP) program in 2021 to identify fundamental application security controls that should be integrated into enterprise-ready products and services. “Google’s MVSP initiative establishes a robust security baseline for third-party products and services to uplift protection standards industry-wide. It emphasizes the importance of key security controls,” says Ronen Slavin, co-founder and CTO of Cycode, which makes an application security posture management solution.

Better guidance for companies working with external researchers

Previous MVSP guidance on external reporting of software flaws was limited to publishing a point of contact for security reports at a vendor’s website and responding to those reports within a reasonable time frame. “The expanded guidance goes much further in helping to guide companies on how to work better with external researchers,” said Royal Hansen, vice president of privacy, safety and security engineering at Google.

That expanded guidance recommends organizations:

  • Publish a vulnerability disclosure policy that outlines the testing scope, provides a legal safe harbor, and gives contact details for security reports.
  • Develop and document procedures for triaging and remediating reported vulnerabilities.
  • Respond to reports within a reasonable time frame.
  • Patch vulnerabilities consistent with MVSP guidelines, which include producing and deploying patches to address application vulnerabilities that materially impact security within 90 days of discovery.

Building trust between companies and security researchers

“The expanded guidance around external vulnerability protection aims to provide more consistent legal protection and process to bug hunters that want to protect themselves from being prosecuted or sued for reporting findings,” says Forrester Principal Analyst Sandy Carielli. “It also helps set expectations about how companies will work with researchers. Overall, the expanded guidance will help build trust between companies and security researchers.”

The enhanced guidance encourages more comprehensive and responsible vulnerability disclosures, says Jan Miller, CTO of threat analysis at OPSWAT, a threat prevention and data security company. “That contributes to a more secure digital ecosystem, which is especially crucial in critical infrastructure sectors where vulnerabilities can have significant repercussions,” he says.

Caution against charging for basic security features

The latest version of the MVSP controls also discourages vendors from adding costs to access basic security features in their products and encourages them to bake those basic features into their products by following the security-by-design principles advocated by the US Cybersecurity and Infrastructure Security Agency (CISA).

“Charging for basic security features will discourage some individuals or organizations from adopting those features,” Carielli says. “If we want to make products more secure, access to security features cannot be reserved for the wealthiest customers.”

Discouraging additional costs for security features is a growing trend among software buyers, adds Nick Sorensen, CEO of Whistic, a third-party risk management company. “Security functionality and capability is becoming table stakes for software vendors,” he says. “We’re seeing a lot more buyers asking questions about those capabilities.”

Procurement needs to enforce compliance, as do cyber insurers

Although Google’s MVSP controls have been around for two years, the company noted that 48% of third-party vendors fail to meet two or more of the controls. “The reason nearly half of companies fail to meet these controls is due to awareness,” Hansen says. “Our hope with the MVSP system is to improve awareness and help companies prioritize their resources.”

Sorensen agrees that awareness was “job number one” in getting wider adoption of MVSP controls. “The more companies that require their vendors to meet MVSP controls, the more vendors that are going to meet those controls,” he says.

John Gallagher, vice president of Viakoo Labs, an automated IoT cyber hygiene provider, added that stakeholders have to get tougher with vendors that are soft on security. “Procurement needs to enforce compliance, as do cyber insurers,” he said. “Both provide a ‘stick’ to the ‘carrot’ of MVSP.”