Security Blog
The latest news and insights from Google on security and safety on the Internet
Scalable vendor security reviews
7 de março de 2016
Posted by Lukas Weichselbaum and Daniel Fabian, Google Security
[Cross-posted on the
Google Open Source Blog
]
At Google, we assess the security of hundreds of vendors every year. We scale our efforts through automating much of the initial information gathering and triage portions of the vendor review process. To do this we've developed the Vendor Security Assessment Questionnaire (VSAQ), a collection of self-adapting questionnaires for evaluating multiple aspects of a vendor's security and privacy posture.
We've received feedback from many vendors who completed the questionnaires. Most vendors found them intuitive and flexible — and, even better, they've been able to use the embedded tips and recommendations to improve their security posture. Some also expressed interest in using the questionnaires to assess their own suppliers.
Based on this positive response, we've decided to open source the VSAQ Framework (Apache License Version 2) and the generally applicable parts of our questionnaires on GitHub:
https://github.com/google/vsaq
. We hope it will help companies spin up, or further improve their own vendor security programs. We also hope the base questionnaires can serve as a self-assessment tool for security-conscious companies and developers looking to improve their security posture.
The VSAQ Framework comes with four security questionnaire templates that can be used with the VSAQ rendering engine:
Web Application Security Questionnaire
Security & Privacy Program Questionnaire
Infrastructure Security Questionnaire
Physical & Data Center Security Questionnaire
All four base questionnaire templates can be readily extended with company-specific questions. Using the same questionnaire templates across companies may help to scale assessment efforts. Common templates can also minimize the burden on vendor companies, by facilitating the reuse of responses.
The
VSAQ Framework
comes with a simple client-side-only reference implementation that's suitable for self-assessments, for vendor security programs with a moderate throughput, and for just trying out the framework. For a high-throughput vendor security program, we recommend using the VSAQ Framework with a custom server-side component that fits your needs (the interface is quite simple).
Give VSAQ a try! A demo version of the VSAQ Framework is available here:
https://vsaq-demo.withgoogle.com
Excerpt from Security and Privacy Programs Questionnaire
Let us know how VSAQ works for you:
contact us
. We look forward to getting your feedback and continuing to make vendor reviews scalable — and maybe even fun!
Nenhum comentário :
Postar um comentário
Marcadores
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2023
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2022
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2021
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2020
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2019
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2018
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2017
dez.
nov.
out.
set.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2016
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2015
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2014
dez.
nov.
out.
set.
ago.
jul.
jun.
abr.
mar.
fev.
jan.
2013
dez.
nov.
out.
ago.
jun.
mai.
abr.
mar.
fev.
jan.
2012
dez.
set.
ago.
jun.
mai.
abr.
mar.
fev.
jan.
2011
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
2010
nov.
out.
set.
ago.
jul.
mai.
abr.
mar.
2009
nov.
out.
ago.
jul.
jun.
mar.
2008
dez.
nov.
out.
ago.
jul.
mai.
fev.
2007
nov.
out.
set.
jul.
jun.
mai.
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
Nenhum comentário :
Postar um comentário