Building an MVSP or Minimum Viable Secure Product

technical | 1 year ago | 2 minutes read
Author: Olivier Sels

You're probably familiar with the concept of a Minimum Viable Product (MVP) if you're creating a software product, SaaS platform or IoT device. But did you know there is also something called the Minimum Viable Secure Product (MVSP), which means your product meets the minimum security requirements every product should adhere to? Let's explore MVSP with 4 questions.


What's an MVSP?

MVSP is a security baseline created by industry giants like Google, Okta and Salesforce. It's a minimal list of requirements that every software product should meet and a great resource meant for businesses of any size, not only for large businesses. If your product is being used, then it should honestly meet these requirements.

What's it good for?

First and foremost, meeting these requirements will noticeably increase the security of your product and reduce costly security incidents in the long run. Many recent regulations, such as the GDPR or M-22-18, require a minimum level of security hygiene from certain companies, and chances are high you are among them. In the future this will only become stricter with new regulations being implemented, such as NIS-2.

Secondly, your sales team will have a security checklist they can provide to potential customers. Once you start selling to bigger corporations, proof that you take cybersecurity seriously becomes very important. If you're too small for a security certification, having the MVSP checklist checked off can act as enough proof of your good cybersecurity hygiene to land the contract.

Thirdly, if you're looking for vendors, ask them if they meet the requirements on this list. If they cannot answer that question affirmatively, it might be good to consider other options. The security of your product also depends on the security of the partners you work with.

Is it hard to meet these requirements?

It depends. If you have experience developing secure software, you will probably already meet several if not most of the 25 requirements without knowing you do. Many requirements describe what's considered current best practices. Let's see some examples:

  • 1.1 Vulnerability reports:
    • Publish the point of contact for security reports on your website.
    • Respond to security reports within a reasonable time frame.
  • 2.2 HTTPS-only:
    • Redirect traffic from HTTP protocol (port 80) to HTTPS (port 443).
    • Scan and address issues using freely available modern TLS scanning tools.
    • Include the Strict-Transport-Security header on all pages with the includeSubdomains directive.
  • 3.1 List of data: Maintain a list of sensitive data types that the application is expected to process.

As you can see, these are practices you might already follow if you take security seriously; if you don't, they aren't that hard to implement.
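Requirement 2.2 is also easy to verify. The following is an added example, not code from the MVSP project or from this post: it checks captured responses from a site's HTTP (port 80) and HTTPS (port 443) endpoints against the three testable parts of 2.2 (redirect to HTTPS on the same host, HSTS present, includeSubDomains set). Requiring a non-zero max-age is an assumption I added, since max-age=0 tells browsers to drop the policy; the sample responses are constructed.

```python
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 307, 308}

def parse_hsts(value):
    """Split a Strict-Transport-Security value into a {directive: value} dict.
    Directive names are case-insensitive (RFC 6797), so they are lower-cased."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def check_http_redirect(status, headers, host):
    """Port 80 must answer with a redirect to an https:// URL on the same host."""
    if status not in REDIRECT_CODES:
        return False, f"port 80 answered {status} instead of redirecting"
    target = urlparse(headers.get("location", ""))
    if target.scheme != "https":
        return False, f"redirect target is not https: {target.geturl()!r}"
    if target.hostname != host:
        return False, "redirect leaves the original host"
    return True, "HTTP redirects to HTTPS"

def check_hsts(headers):
    """The HTTPS response must carry HSTS with includeSubDomains; a positive
    max-age is an added assumption (max-age=0 makes browsers forget the policy)."""
    raw = headers.get("strict-transport-security")
    if raw is None:
        return False, "Strict-Transport-Security header missing"
    d = parse_hsts(raw)
    if not d.get("max-age", "").isdigit() or int(d["max-age"]) == 0:
        return False, f"max-age missing or zero: {d.get('max-age')!r}"
    if "includesubdomains" not in d:
        return False, "includeSubDomains directive missing"
    return True, "HSTS policy covers the host and its subdomains"

def check_mvsp_2_2(http_status, http_headers, https_headers, host):
    """Run both checks; header names are normalised to lower case first."""
    http_headers = {k.lower(): v for k, v in http_headers.items()}
    https_headers = {k.lower(): v for k, v in https_headers.items()}
    results = [check_http_redirect(http_status, http_headers, host),
               check_hsts(https_headers)]
    return all(ok for ok, _ in results), [msg for _, msg in results]

# Constructed sample responses (not real captures): a compliant and a failing site.
GOOD = check_mvsp_2_2(301, {"Location": "https://example.com/"},
    {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}, "example.com")
BAD = check_mvsp_2_2(200, {"Content-Type": "text/html"},
    {"Strict-Transport-Security": "max-age=300"}, "example.com")
```

Feeding it real responses is a matter of making one plain-HTTP request without following redirects and one HTTPS request, then passing the status and header dicts in; the messages list tells you which part of 2.2 still needs work.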

Where do I start?

Take a look at the checklist. You'll see that the requirements generally fall into two groups: the ones requiring technical implementation and the ones prescribing a high-level process. It's generally easier to start with the ones requiring technical implementation, as developers can make quick work of them.

For the processes, some are easy, but others might require more security experience to implement correctly. If you're unsure, contact a professional to help you implement these processes, or take a look at our services and contact us.

Conclusion

MVSP is meant for businesses of all sizes and will help you start implementing cybersecurity best practices. The items on the list are minimal and very relevant. If you're uncertain where and how to improve Application Security, the MVSP checklist is a great place to start!
