Minimum Viable Secure Product

A minimum security baseline for enterprise-ready products and services

  • Minimal. Baseline criteria for secure products.
  • Practical. Easy to understand application security focused controls.
  • Modern. Updated annually.


Minimum Viable Secure Product (MVSP) is a list of essential application security controls that should be implemented in enterprise-ready products and services. The controls are designed to be simple to implement and provide a good foundation for building secure and resilient systems and services. MVSP is based on the experience of contributors in enterprise application security and has been built with contributions from a range of companies.

We recommend that all companies building enterprise software and services, or otherwise handling sensitive information, implement the MVSP controls and, where possible, go well beyond them in their application security programs.

We welcome constructive feedback to help us continue to improve MVSP and provide a control set that meets the needs of its users.

Where can you use MVSP?


Contractual Controls

A standardized application security baseline for vendor selection simplifies the sourcing team's job and provides a clear set of requirements for enterprise-ready products and services. MVSP is designed to be brief, concise, and easy to understand so that it can be included in RFP documents without causing delays to the sales cycle.

To ensure the security posture of third-party suppliers, large companies can incorporate MVSP into their standard contractual controls. By ensuring that third-parties acknowledge and respond to the MVSP controls at the initial RFP stage, agreeing to contractual controls based on MVSP can be further expedited.

Find out more here

Find out more here

View a comparison of MVSP controls against common standards (ISO, NIST, CSA) here.


Prior Art

Part of the motivation for MVSP was driven by Dropbox's Vendor Security Model Contract (VSMC), and Google's Vendor Security Assessment Questionnaire (VSAQ).

We have analyzed multiple existing master agreements, as well as taking experience from mature vendor security assessment programs to produce an application-focused security baseline that incorporates the most critical of these requirements.

Update cadence

MVSP is using Semantic Versioning.

The PATCH version is updated frequently and is used for fixing typos, formatting, or word choice. The MINOR version is updated when there are changes to the text of a control that do not alter the nature of the control.

The MAJOR version is updated when the new controls are added, or the nature of the existing controls has changed. The MAJOR version does not change more frequently than once a year.