Google's updated Minimum Viable Secure Product (MVSP) program offers advice for working with researchers and warns against vendors charging extra for basic security features.

Google has upgraded its recommended minimum requirements for securing third-party applications, offering more guidance on managing external bug researchers and lowering the costs for accessing basic security features by baking them into applications by design. Google launched its Minimum Viable Secure Product (MVSP) program in 2021 to identify fundamental application security controls that should be integrated into enterprise-ready products and services.

“Google’s MVSP initiative establishes a robust security baseline for third-party products and services to uplift protection standards industry-wide. It emphasizes the importance of key security controls,” says Ronen Slavin, co-founder and CTO of Cycode, which makes an application security posture management solution.

Better guidance for companies working with external researchers

Previous MVSP guidance on external reporting of software flaws was limited to publishing a point of contact for security reports at a vendor’s website and responding to those reports within a reasonable time frame. “The expanded guidance goes much further in helping to guide companies on how to work better with external researchers,” said Royal Hansen, vice president of privacy, safety and security engineering at Google.

That expanded guidance recommends organizations:

- Publish a vulnerability disclosure policy that outlines the testing scope, provides a legal safe harbor, and gives contact details for security reports.
- Develop and document procedures for triaging and remediating reported vulnerabilities.
- Respond to reports within a reasonable time frame.
- Patch vulnerabilities consistent with MVSP guidelines, which include producing and deploying patches to address application vulnerabilities that materially impact security within 90 days of discovery.

Building trust between companies and security researchers

“The expanded guidance around external vulnerability protection aims to provide more consistent legal protection and process to bug hunters that want to protect themselves from being prosecuted or sued for reporting findings,” says Forrester Principal Analyst Sandy Carielli. “It also helps set expectations about how companies will work with researchers. Overall, the expanded guidance will help build trust between companies and security researchers.”

The enhanced guidance encourages more comprehensive and responsible vulnerability disclosures, says Jan Miller, CTO of threat analysis at OPSWAT, a threat prevention and data security company. “That contributes to a more secure digital ecosystem, which is especially crucial in critical infrastructure sectors where vulnerabilities can have significant repercussions,” he says.

Caution against charging for basic security features

The latest version of the MVSP controls also discourages vendors from adding costs to access basic security features in their products and encourages them to bake those basic features into their products by following the security-by-design principles advocated by the US Cybersecurity and Infrastructure Security Agency (CISA). “Charging for basic security features will discourage some individuals or organizations from adopting those features,” Carielli says. “If we want to make products more secure, access to security features cannot be reserved for the wealthiest customers.”

Discouraging additional costs for security features is a growing trend among software buyers, adds Nick Sorensen, CEO of Whistic, a third-party risk management company. “Security functionality and capability is becoming table stakes for software vendors,” he says.
“We’re seeing a lot more buyers asking questions about those capabilities.”

Procurement needs to enforce compliance, as do cyber insurers

Although Google’s MVSP controls have been around for two years, the company noted that 48% of third-party vendors fail to meet two or more of the controls. “The reason nearly half of companies fail to meet these controls is due to awareness,” Hansen says. “Our hope with the MVSP system is to improve awareness and help companies prioritize their resources.”

Sorensen agrees that awareness was “job number one” in getting wider adoption of MVSP controls. “The more companies that require their vendors to meet MVSP controls, the more vendors that are going to meet those controls,” he says.

John Gallagher, vice president of Viakoo Labs, an automated IoT cyber hygiene provider, added that stakeholders have to get tougher with vendors that are soft on security. “Procurement needs to enforce compliance, as do cyber insurers,” he said. “Both provide a ‘stick’ to the ‘carrot’ of MVSP.”