Date: 2021-11-05

Google teamed up with several technology companies to create baseline security measures for third-party vendors, but there's some skepticism about how effective the checklist will be.

The collaborative effort, which Google named the Minimum Viable Secure Product (MVSP), is a "vendor-neutral security baseline" designed to test the security posture of software companies and third-party vendors. The document comprises security controls that address authorization, vulnerability reporting, password policies, backup protocols and patching recommendations. Salesforce, Okta and Slack, among other vendors, assisted in the development of MVSP.

According to a blog post last week by Royal Hansen, vice president of security at Google, the baseline is intended to "increase the minimum bar for security across the industry while simplifying the vetting process."

Securing software and third-party suppliers presents many challenges, as evidenced by an uptick in supply chain attacks, including the massive one against SolarWinds last year that used a poisoned software update. A portion of the White House's executive order on improving cybersecurity in May addressed "enhancing the software supply chain security."

With the increasing number of breaches known to be caused by third-party vendors, Melinda Marks, senior analyst at Enterprise Strategy Group, said it's important for organizations to ensure that their vendors' security practices meet a set of standards to prevent such incidents.

Similarly, Shawn Tuma, a partner at law firm Spencer Fane LLP who specializes in data privacy and cybersecurity risk management, told SearchSecurity that cyber supply chain risk is one of the greatest threats that many companies face. "Once the vendor selection process is completed, it is often largely out of their hands to control, and that is a problem," Tuma said in an email to SearchSecurity.

Google said the MVSP was designed to "ensure a reasonable security posture." It was also designed to set a security precedent across all enterprises.

"Up until today, organizations of all sizes have had to design and implement their own security baselines for vendors that align with their risk posture. Unfortunately, this creates an impossible situation for vendors and organizations alike as they try to accommodate thousands of different requirements," Hansen wrote.

According to Tuma, even enterprises that want to address cyber supply chain risk face considerable confusion, including about what to look for in a vendor, which he said makes vetting an almost impossible task without committing a tremendous amount of resources. "Anything that can help bring clarity and standardization to this process will be helpful," Tuma said.

The confusion extends to third-party vendors as well. Marks said that instead of vendors "scrambling to meet every customer's security requirements," these recommendations provide a solid baseline for what vendors should provide.