Minimum Viable Secure Product

Yesterday, Google’s security blog announced a project that I think is long overdue, the Minimum Viable Secure Product (MVSP). MVSP is a security checklist intended to aid the development of secure B2B services and safely handling sensitive data. It was developed by a group of heavy hitters in B2B tech, including Google, Slack, Salesforce, and Okta.

This is exciting to me as a security professional because it creates an opportunity for a common baseline of security controls that can be evaluated relatively quickly. It gives new companies – and those new to caring about security – a great starting point, and I’m optimistic that companies will begin sharing information about how they comply with the checklist. Having a number of major players behind it should make this more likely.

The current landscape

There already are dozens of high-profile security standards for specific sectors like healthcare and finance, as well as a number of similar standards that are more generally applicable. But actually implementing these programs can be an enormous undertaking that takes months or years to do the right way. (For example, my team just completed our first HITRUST certification, and it took us nearly two years, with lots of outside help.)

Having a simpler standard that is high quality, easy to understand, and can be implemented fairly quickly has tremendous upside. Here’s hoping it sees real adoption and doesn’t just muddy the waters further.

Of course there’s an XKCD for this.

But is it any good?

I’ll admit I was optimistic before even reading the checklist, just based on the reasons above. I was even happier when I actually read the thing. It’s definitely an excellent starting point.

It’s important to remember what it is and isn’t when evaluating it. It’s not a comprehensive risk management framework, as many existing standards are. This means it omits many sections that other frameworks include, such as device management and employee onboarding/offboarding.

But that’s kind of the point. Those bigger frameworks are great for larger businesses and those handling very sensitive data, but most B2B apps really aren’t doing that. MVSP builds in the most critical controls to protect the integrity and confidentiality of data in applications and leaves the rest up to the companies developing them.

Did I mention it’s free?

MVSP is licensed under the CC0 1.0 Universal license, which is a fancy way to say it’s in the Public Domain. This will enable companies to adapt the checklist to their own needs and provide relevant commercial services without having to worry about Google’s lawyers tracking them down.

This creates additional opportunities to build B2B tech to aid developers with implementation and verification of compliance with the checklist.

All this adds up to a very exciting announcement that makes my little nerd heart happy. I’ll be watching eagerly to see how MVSP develops and how developers respond to it.