Minimum Viable Secure Product

A minimum security baseline for enterprise-ready products and services

  • Minimal. Baseline criteria for secure products.
  • Practical. Specifies checks applicable even to small companies.
  • Modern. Updated annually.

Contributors

Salesforce
Google
Okta
Slack

Motivation

Minimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers.

Designed with simplicity in mind, the checklist contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture.

We recommend that all companies building B2B software, or otherwise handling sensitive information in its broadest sense, implement the listed controls, and we strongly encourage them to go well beyond these controls in their security programs.

Where is it used?

Requests for proposals

A universal baseline for vendor selection simplifies the job of sourcing teams. MVSP is short and concise enough to be included in RFP documents without bloating them.

Self-assessments

Smaller companies that are not yet mature enough to afford large compliance efforts such as SOC 2 or PCI DSS use MVSP as the baseline for the security posture of their MVP.

Third-party security

Larger companies that need to triage their vendors' security posture incorporate MVSP as their universal questionnaire.

Prior Art

The motivation for MVSP came from Dropbox's Vendor Security Model Contract (VSMC) and Google's Vendor Security Assessment Questionnaire (VSAQ).

We analyzed multiple existing master agreements and produced a baseline that incorporates most of their requirements.

Update cadence

MVSP uses Semantic Versioning.

The PATCH version is updated frequently and is used for fixing typos, formatting, or word choice. The MINOR version is updated when the text of a control changes without altering the nature of the control.

The MAJOR version is updated when new controls are added or the nature of existing controls changes. The MAJOR version does not change more frequently than once a year.