Well, as we are now knee deep into Q4 of this year, security pundits have already started to predict what 2022 will be like. Not too many have come out yet, which is quite surprising. About a year ago, just about anybody with the title of “Cyber” in their name threw in their two cents' worth. Of course, I will be doing so also, but closer to the end of the year.
But one thing I have seen come about as I go through the news headlines is that, given the horrible rash of Ransomware attacks this year, many companies have now started to come together in an effort to find solutions. I would say that this has probably been fueled by the recent efforts of the Biden Administration, which is of course good.
The most recent instance of this kind of unity has transpired between Google, Salesforce, Okta, and Slack. Together, they have come out with what is known as the “Minimum Viable Secure Product”, or “MVSP” for short. This is a checklist of sorts that has been designed to create the minimum security baseline that a company needs in order to make use of a third-party product or service, such as an API.
It has been cited that one of the prime drivers for this has been the SolarWinds hack of some time ago, when a third-party tool was used to infiltrate literally thousands of victims from just one trigger point. Technically speaking, these are also known as “Supply Chain Attacks”.
The concept of this kind of survey is really nothing new. It has actually existed for a long period of time, but the difference between then and now is that there was no standard baseline from which to actually create the instrument. As a result, many companies would have surveys that took hours to complete, which in the end was a total waste of time. And with the Cyber Threat Landscape changing by the minute, nobody has the time to sit down for hours to fill one out. That is why the MVSP came out, in an effort to address needs and requirements quickly.
But the nice thing about this tool is that it also gives you insight into the various controls that you will need in order to safeguard your PII datasets, in case you do decide to make use of a third-party offering.
Better yet, the MVSP could also be a helpful guide to your business in coming into compliance with the tenets and provisions of the GDPR, CCPA, HIPAA, etc. Originally, the concept of this project first came into being with Google and Salesforce, but it then spread to other companies, as just described.
Probably one of the biggest advantages of the MVSP is that it is also highly scalable and flexible, and can be adjusted to your security requirements rather easily. For example, it can be used throughout the stages of vendor selection, which can range anywhere from coming up with a list of potential suppliers to ultimately choosing one.
Another key benefit is that the MVSP is designed to be rather short, and so it can fit in quite easily as an addendum to an RFP, which tends to be rather long to begin with.
So now the next question that you may be asking is how one goes about actually using this kind of tool. Well, there is really no clear-cut answer. Just about any company can use it, even those that are not in the tech sector. But it really comes in useful if you are either developing a Web application, or you do this as a service for other customers as part of your business.
For example, if you are creating a brand-new website for your company, it is quite likely that your software development team (or whoever else you hire) will use various sorts of APIs in the process. You can use this survey to vet which APIs are deemed safe to use, as many of them become outdated, or are not even kept current with the latest patches and upgrades.
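As a concrete illustration of the vetting step described above, here is a small added example (not code from the original post, nor from the MVSP project) that checks a constructed inventory of third-party APIs and libraries against a simple baseline: the version in use must match the latest published version, and the vendor's most recent security patch must not be older than a set number of days. All component names, versions and dates are invented for the example; a real inventory would come from your dependency manifests and the vendors' release notes.

```python
"""Added example (not part of the original post or the MVSP project):
flag third-party APIs/libraries that are out of date or unpatched before
they are approved for use in a new web application.

All inventory data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Component:
    name: str            # hypothetical third-party API/library name
    version_in_use: str  # version our project currently pins
    latest_version: str  # latest version published by the vendor
    last_patch: date     # date of the vendor's most recent security patch


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def vet_component(c: Component, today: date, max_patch_age_days: int = 365) -> list:
    """Return the reasons a component fails the baseline (empty list = passes)."""
    findings = []
    if parse_version(c.version_in_use) < parse_version(c.latest_version):
        findings.append(f"outdated: {c.version_in_use} < {c.latest_version}")
    age = (today - c.last_patch).days
    if age > max_patch_age_days:
        findings.append(f"stale: last security patch {age} days ago")
    return findings


def vet_inventory(components, today: date, max_patch_age_days: int = 365) -> dict:
    """Map each failing component's name to its findings; passing ones are omitted."""
    report = {}
    for c in components:
        findings = vet_component(c, today, max_patch_age_days)
        if findings:
            report[c.name] = findings
    return report


# Constructed sample inventory (names, versions and dates are invented).
SAMPLE_INVENTORY = [
    Component("geo-lookup-api", "2.1.0", "2.1.0", date(2021, 9, 14)),
    Component("legacy-pdf-lib", "1.3.5", "1.8.0", date(2019, 2, 2)),
    Component("mail-sender", "4.0.1", "4.0.2", date(2021, 10, 1)),
]

# Constructed review date for the sample run.
REVIEW_DATE = date(2021, 11, 1)


def sample_report() -> dict:
    """Run the baseline check over the constructed inventory."""
    return vet_inventory(SAMPLE_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for name, reasons in sample_report().items():
        print(f"{name}: " + "; ".join(reasons))
```

Run as a script, it lists only the components that need attention: the library that is several minor versions behind and has had no security patch in over two years, and the mailer that is one patch release behind. A component that passes produces no output, which keeps the report short enough to attach to the checklist itself.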
On the flip side, if you are a web development company that creates apps for other clients, then the MVSP is a must for you. You can consider it an addition to the normal testing that you should already be doing to make sure that the product you are delivering is safe and secure.
Also, the IT Security team can use this tool to set up a baseline of what they would like to see when it comes to procuring new security products and tools.
My Thoughts On This
Personally, I think it’s great that these bigger tech companies are coming together to serve the needs of the average, everyday American citizen, and especially those that fall within the SMB market. Another great advantage of the MVSP is that it is based on the open-source model.
This simply means that the project will continue to evolve and grow over time, as more updates are made to it.
And it is not just the tech giants that can contribute to it. As far as I know, anybody can provide contributions after they have used it. But as the creators say, you should not rely on this particular methodology alone to beef up your lines of defense. It is just one more tool that you can easily add to your arsenal.
In fact, the next iteration of the MVSP will focus on how your existing set of controls can be further enhanced and/or developed. Finally, much more detailed information on this can be found at the following link:
https://mvsp.dev/