Chris John Riley -- MVSP: Minimum Viable Secure Product

19 snips

Nov 7, 2023

Chris John Riley discusses the Minimum Viable Secure Product (MVSP) checklist for B2B software, targeting startups and organizations creating new applications. MVSP includes controls for business operations, application design, implementation, and operational controls. It emphasizes regular third-party penetration testing and evolutionary updates to keep up with cybersecurity changes. The future of MVSP focuses on evolving controls and industry feedback. The importance of application security and book recommendations are also discussed.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

Chris's Security Career Journey

Chris John Riley's security journey began 25 years ago managing Novell networks in London before moving to Germany and Austria for broader sysadmin and pen testing roles.
He joined Google after a friend's referral, where he expanded into vendor security assessments and red teaming over nearly a decade.

INSIGHT

MVSP Definition and Purpose

MVSP targets the minimum viable security controls needed for enterprise-grade B2B software products.
It's built from shared experience across major tech companies and balances being realistic, effective, and broadly applicable.

ADVICE

Leverage MVSP for Vendor Screening

Use MVSP as an early filter in RFP and vendor assessment to avoid late-stage security surprises.
Applying it during contract negotiations ensures vendors meet baseline security controls before procurement.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Chris John Riley joins Chris and Robert to discuss the Minimum Viable Secure Product. MVSP is a minimalistic security checklist for B2B software and business process outsourcing suppliers. It was designed by a team that included experts from Google, Salesforce, Okta, and Slack. The MVSP objectives are targeted at startups and other companies creating new applications, helping such organizations meet security standards expected by larger enterprises like Google. The MVSP is designed to be accessible for users, as a way to streamline the process of vendor assessment and procurement from the start to the contractual control stages.

Using MVSP, developers and application security enthusiasts can establish a baseline for building secure applications. MVSP includes controls about business operations, application design, implementation, and operational controls. For instance, it encourages third-party penetration testing on applications, as it believes that every product has an issue somewhere and needs regular testing to maintain a good security posture. The controls are designed to be reasonable and achievable, but also evolutionary to keep up with changes in the cybersecurity landscape.

Moving forward, MVSP intends to continue updating its guidelines to reflect the realities of the software development landscape but to keep the number of controls manageable to maintain wide acceptance. Chris encourages firms to consider MVSP as a baseline during the Request for Proposal (RFP) process to ensure prospective vendors meet the required security guidelines.

Links:

Minimum Viable Secure Product: https://mvsp.dev/

Recommended Books:

Cybersecurity Myths and Misconceptions... by Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra:
- https://www.pearson.com/en-us/subject-catalog/p/cybersecurity-myths-and-misconceptions-avoiding-the-hazards-and-pitfalls-that-derail/P200000007269/9780137929238
Phantoms in the Brain: Probing the Mysteries of the Human Mind by V.S. Ramachandran
- https://www.harpercollins.com/products/phantoms-in-the-brain-v-s-ramachandran?variant=32130994110498

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~