MVSP in the Software Development Lifecycle (SDLC)

Meet Aliyah, the product owner for a software team that builds and maintains components for a financial institution’s mobile application. She’s responsible for ensuring the team develops features that meet both customer and regulatory requirements for security and data protection.


Security teams often have a great number of requirements pertinent to providing digital services for a financial institution. Prioritizing “security as a feature” can be challenging for software teams:

  • Evaluating the product security of a potential feature or component requires application security expertise within the team and an understanding of the SDLC from governance and compliance experts.
  • Missing key security requirements during the planning and design phase of a product can result in feature delays due to re-factoring.
  • Failing to validate security and compliance requirements during the build and test phases increases the likelihood of last minute surprises when validating these controls at the release management stage.
  • Operationalizing complex data protection and privacy controls across multiple products can be overwhelming to development teams.

How MVSP can help

MVSP addresses these issues by providing a simple set of minimum controls that are both easy for product teams to understand and integrate into multiple phases of the product life cycle, while being easy to verify by the security and compliance team. While MVSP controls are designed to be a baseline, they are built from the ground up to represent the building blocks and industry best practices expected to be present in secure and mature products.

In detail, using MVSP means:

  • No need to reinvent the wheel – Using MVSP means you don’t have to design and maintain your own custom template or release criteria. Where custom criteria are needed, controls can be tailored to your specific needs, using MVSP as a foundation.
  • Timely Feedback – Identifying gaps in the MVSP controls at early design stages allows for more effective decision making, enables positively influencing the quality of solutions built by product teams, and supports collaboration between software engineers and security practitioners.
  • Flexibility – MVSP controls are released under a Creative Commons license, which means there are no restrictions on how you use them, and you don't have to share your data with anyone else. In contrast, existing standards like ISO, SOC 2, PCI DSS, and CAIQ-Lite can be expensive and time-consuming to comply with, and require regular audits. Additionally, these standards are often broad and can be difficult to understand and apply internally when developing software products.
  • Standardization – Product teams can share the MVSP controls with internal and external consumers of their products to demonstrate that they are meeting security and regulatory controls, reducing the time involved with manual reviews.
  • Industry influence – As the ubiquity of MVSP increases within the industry, these controls become table stakes for software organizations, driving the broader industry to improve and adapt to the ever growing security and privacy requirements of modern applications.

According to the DORA State of DevOps 2022 report, which focused on security, elite performers who met or exceeded their reliability targets were twice as likely to have security integrated into their software development process. Teams who integrate security practices throughout their development process are 1.6 times more likely to exceed organizational goals.

Useful links