Minimum Viable Secure Product

A minimum security baseline for enterprise-ready products and services

  • Minimal. Baseline criteria for secure products.
  • Practical. Easy to understand application security focused controls.
  • Modern. Updated annually.

Contributors

Salesforce, Google, Okta, Slack, Vanta, C2SEC, BoxyHQ, Secureframe, Reciprocity, SecurityScorecard, SecureStack, BitSight, Safebase, Boberdoo, Compliance Cow, Terratrue, Unicis.Tech, Whistic, Synaptics, Netflix

Motivation

Minimum Viable Secure Product (MVSP) is a list of essential application security controls that should be implemented in enterprise-ready products and services. The controls are designed to be simple to implement and provide a good foundation for building secure and resilient systems and services. MVSP is based on the experience of contributors in enterprise application security and has been built with contributions from a range of companies.

We recommend that all companies building enterprise software and services, or otherwise handling sensitive information, implement the MVSP controls and, where possible, go well beyond them in their application security programs.

We welcome constructive feedback to help us continue to improve MVSP and provide a control set that meets the needs of its users.

Where can you use MVSP?

Requests for Proposals

A standardized application security baseline for vendor selection simplifies the sourcing team's job and provides a clear set of requirements for enterprise-ready products and services. MVSP is designed to be brief, concise, and easy to understand so that it can be included in RFP documents without causing delays to the sales cycle.

Self-assessments

Smaller companies that are not yet mature enough to invest in large compliance efforts such as SOC 2 or PCI DSS can use MVSP as a baseline to measure the security posture of their MVP and create a roadmap for continuous improvement. MVPs often lack essential security controls; to attract enterprise customers, however, a clear security roadmap must be a priority.

Contractual controls

To ensure the security posture of third-party suppliers, large companies can incorporate MVSP into their standard contractual controls. When third parties have already acknowledged and responded to the MVSP controls at the initial RFP stage, agreeing to contractual controls based on MVSP can be further expedited.

Prior Art

Part of the motivation for MVSP was driven by Dropbox's Vendor Security Model Contract (VSMC) and Google's Vendor Security Assessment Questionnaire (VSAQ).

We have analyzed multiple existing master agreements and drawn on experience from mature vendor security assessment programs to produce an application-focused security baseline that incorporates the most critical of these requirements.

Update cadence

MVSP uses Semantic Versioning.

The PATCH version is updated frequently and is used for fixing typos, formatting, or word choice. The MINOR version is updated when there are changes to the text of a control that do not alter the nature of the control.

The MAJOR version is updated when new controls are added, or when the nature of existing controls has changed. The MAJOR version does not change more frequently than once a year.