BSidesVienna 0x7E7

Taking third-party risk in stride
11-18, 12:00–12:30 (Europe/Vienna), Badeschiff

The 2022 Verizon Data Breach Investigations Report showed that 62% of system intrusion incidents came through a partner. To address this challenge, organisations across the industry have come together to design Minimum Viable Secure Product (MVSP) – a vendor-neutral security baseline that is designed to eliminate overhead, complexity and confusion during the procurement, RFP and vendor security assessment process by establishing minimum acceptable security baselines for enterprise B2B solutions.
In this presentation, we will talk about how Google uses MVSP, and the goals of the MVSP program to raise the minimum bar for enterprise software and services at scale.


Presentation on how Google uses MVSP (mvsp.dev) to raise the minimum bar for enterprise security.

MVSP is a baseline self-service checklist released under the CC0 1.0 Universal license.

MVSP is designed to list the bare minimum controls (25) that must be in place for an enterprise product or service to be classed as secure.

Control areas:
- Business controls
- Application design controls
- Application implementation controls
- Operational controls

Goals of MVSP:
- Present clear minimum security requirements to third parties
- Easily referenced in RFP (Request For Proposal) and procurement processes
- Raise the bar slowly over time to drive industry improvements
- Foundation for contractual language
- Enforce the minimum baseline through matching contractual language
- Industry backing from top players in tech
- Encourage higher adoption and visibility
- Opens the door to future third-party security collaboration
- Baseline/checklist released under Creative Commons (CC0)
- Removes the barrier to access (compared to pay-walled standards)

Staff Security Engineer, Information Security Engineering

Chris leads Google's Minimum Viable Secure Product (MVSP) efforts and is part of Google
security teams' efforts to help the world secure their software. Previously, Chris was responsible
for leading vendor security assessment efforts and worked on the security of third-party (3P) security
integrations. Before joining Google, Chris was an IT security consultant who specialised in
security testing and research in the financial services sector across the United Kingdom,
Germany, and Austria.