Saturday, November 6, 2021

How The MVSP Framework Can Help The SMB Owner

Well, as we are now knee-deep into Q4 of this year, security pundits have already started to predict what 2022 will be like.  Not too many have come out yet, which is quite surprising.  About a year ago, just about anybody with “Cyber” in their title threw in their two cents' worth. 

Of course, I will be also, but it will be closer to the end.

But one thing I have seen come about as I go through the news headlines is that given the horrible rash of Ransomware attacks this year, many companies have now started to come together in an effort to help find solutions. 

I would say that this probably has been fueled by the recent efforts of the Biden Administration, which is of course good.

The most recent of this kind of coming unity has transpired between Google, Salesforce, Okta, and Slack.  Together, they have come out with what is known as the “Minimum Viable Secure Product”, or “MVSP” for short. 

This is a checklist of sorts that has been designed to establish the minimum security baseline a company needs before making use of a third-party product or service, such as an API.

It has been cited that one of the prime drivers for this has been the SolarWinds hack of some time ago, when a third-party tool was used to infiltrate literally thousands of victims from just one trigger point.  Technically speaking, these are also known as “Supply Chain Attacks”.

The concept of this kind of survey is really nothing new.  It has actually existed for a long period of time, but the difference between then and now is that there was no standard baseline from which to build the instrument.  As a result, many companies would have surveys that would take hours to complete, which in the end was a total waste of time.

And with the Cyber Threat Landscape changing by the minute, nobody has the time to sit down for hours to fill one out.  That is why the MVSP came out, in an effort to address needs and requirements quickly.

But the nice thing about this tool is that it also gives you insight into the various controls you will need in order to safeguard your PII datasets, in case you do decide to make use of a third-party offering.

Better yet, the MVSP could also be a helpful guide to your business in coming into compliance with the tenets and the provisions of the GDPR, CCPA, HIPAA, etc.  Originally, the concept of this project first came into being with Google and Salesforce, but then mushroomed over to other companies, as just described. 

Probably one of the biggest advantages of the MVSP is that it is also highly scalable and flexible, and can be adjusted to your security requirements rather easily.  For example, it can be used throughout the stages of vendor selection, which can range anywhere from coming up with a list of potential suppliers to ultimately choosing one. 

Another key benefit is that the MVSP is designed to be rather short in nature, and so it can fit in quite easily as an addendum to an RFP, which tends to be rather long to begin with.

So now the next question that you may be asking is how one goes about actually using this kind of tool.  Well, there is really no clear-cut answer.  Just about any company can use it, even those that are not involved in the tech sector. 

But it really comes in useful if you are either developing a Web application yourself, or you do this as a service for other customers as part of your business.

For example, if you are creating a brand-new website for your company, it is quite likely that your software development team (or whoever else you hire) will use various sorts of APIs in this process.  You can use this survey to vet which APIs are deemed safe to use, as many of them become outdated or are never updated with the latest patches and upgrades. 

On the flip side, if you are a web development company that creates apps for other clients, then the MVSP is a must for you.  You can consider it an addition to the normal testing that you should already be doing to make sure that the product you are delivering is safe and secure.

Also, the IT Security team can use this tool in order to set up a baseline of what they would like to see when it comes to procuring new security products and tools. 

My Thoughts On This

Personally, I think it’s great that these bigger tech companies are coming together to serve the needs of the average, everyday American citizen, and especially those that fall under the range of the SMB market.  Another great advantage of the MVSP is that it is based on an open-source model. 

This simply means that this project will continue to evolve and grow over time, as more updates are made to it.

And it is not just the tech giants that can contribute to this.  As far as I know, anybody can provide contributions to it, after you have used it.  But as the creators say, you should not just rely on this particular methodology to help beef up your lines of defenses. 

It is just one more tool that you can easily add to your arsenal.

In fact, the next iteration of the MVSP will be focusing on how your existing set of controls can be further enhanced and/or developed.  Finally, much more detailed information on this can be found at the following link:

https://mvsp.dev/
