2023-12-08

Google has upgraded its recommended minimum requirements for securing third-party applications, offering more guidance on managing external bug researchers and lowering the cost of accessing basic security features by baking them into applications by design.

Google launched its Minimum Viable Secure Product (MVSP) program in 2021 to identify fundamental application security controls that should be integrated into enterprise-ready products and services. "Google's MVSP initiative establishes a robust security baseline for third-party products and services to uplift protection standards industry-wide. It emphasizes the importance of key security controls," says Ronen Slavin, co-founder and CTO of Cycode, which makes an application security posture management solution.

Better guidance for companies working with external researchers

Previous MVSP guidance on external reporting of software flaws was limited to publishing a point of contact for security reports at a vendor's website and responding to those reports within a reasonable time frame. "The expanded guidance goes much further in helping to guide companies on how to work better with external researchers," said Royal Hansen, vice president of privacy, safety and security engineering at Google.

That expanded guidance recommends organizations:

Building trust between companies and security researchers

"The expanded guidance around external vulnerability protection aims to provide more consistent legal protection and process to bug hunters that want to protect themselves from being prosecuted or sued for reporting findings," says Forrester Principal Analyst Sandy Carielli. "It also helps set expectations about how companies will work with researchers. Overall, the expanded guidance will help build trust between companies and security researchers."

The enhanced guidance encourages more comprehensive and responsible vulnerability disclosures, says Jan Miller, CTO of OPSWAT, a threat prevention and data security company. "That contributes to a more secure digital ecosystem, which is especially crucial in critical infrastructure sectors where vulnerabilities can have significant repercussions," he says.

Caution against charging for basic security features

The latest version of the MVSP controls also discourages vendors from adding costs to access basic security features in their products and encourages them to bake those basic features into their products by following the security-by-design principles advocated by the US Cybersecurity and Infrastructure Security Agency (CISA).

"Charging for basic security features will discourage some individuals or organizations from adopting those features," Carielli says. "If we want to make products more secure, access to security features cannot be reserved for the wealthiest customers."

Discouraging additional costs for security features is a growing trend among software buyers, adds Nick Sorensen, CEO of Whistic, a third-party risk management company. "Security functionality and capability is becoming table stakes for software vendors," he says. "We're seeing a lot more buyers asking questions about those capabilities."

Procurement needs to enforce compliance, as do cyber insurers

Although Google's MVSP controls have been around for two years, the company noted that 48% of third-party vendors fail to meet two or more of the controls. "The reason nearly half of companies fail to meet these controls is due to awareness," Hansen says. "Our hope with the MVSP system is to improve awareness and help companies prioritize their resources."

Sorensen agrees that awareness was "job number one" in getting wider adoption of MVSP controls. "The more companies that require their vendors to meet MVSP controls, the more vendors that are going to meet those controls," he says.

John Gallagher, vice president of Viakoo Labs, an automated IoT cyber hygiene provider, added that stakeholders have to get tougher with vendors that are soft on security. "Procurement needs to enforce compliance, as do cyber insurers," he said. "Both provide a 'stick' to the 'carrot' of MVSP."