CISA joins MVSP Working Group, set to enhance secure by design principles 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it is joining the Minimum Viable Secure Product (MVSP) Working Group. Since launching CISA’s global Secure by Design initiative last year, the agency has received feedback including through its Request for Information that recently closed. 

MVSP is a list of essential application security controls that should be implemented in enterprise-ready products and services. The controls are designed to be simple to implement and provide a good foundation for building secure and resilient systems and services. MVSP is based on the experience of contributors in enterprise application security and has been built with contributions from a range of companies.

“The MVSP is an important step forward toward this goal. MVSP offers a simple checklist that organizations can use to strengthen security at multiple stages – to review their software vendors’ security during procurement, as a self-assessment tool for their own software, as part of their software development lifecycle (SDLC), or as contractual controls – which can go a long way towards helping ensure secure by design principles are followed,” Jack Cable and Bob Lord, senior technical advisors at CISA, said in a recent blog post. “We’re excited to join the MVSP working group to help shape the direction of the initiative going forward. The MVSP is composed of a broad coalition of technology manufacturers, and the working group is open for anyone to join.”

They emphasized the importance of organizations asking the right questions of their software manufacturers to ensure a ‘secure by demand’ approach. This strategy is essential for promoting the adoption of secure-by-design principles and practices. Too often, procurement questionnaires are filled with long lists of questions that don’t always correlate with positive security outcomes. To achieve a future where technology is secure by design, companies buying software should have simple and to-the-point questions for their vendors.

When it comes to procurement, MVSP identifies a standardized application security baseline for vendor selection, simplifies the sourcing team’s job, and provides a clear set of requirements for enterprise-ready products and services. MVSP is designed to be brief, concise, and easy to understand so that it can be included in RFP documents without causing delays to the sales cycle.

Smaller companies that are not yet mature enough to invest in large compliance efforts such as SOC 2 or PCI DSS can use MVSP as a baseline to measure the security posture of their MVP and create a roadmap for continuous improvement. MVPs often lack essential security controls; to attract enterprise customers, however, a clear security roadmap must be a priority.

When it comes to the SDLC, the MVSP recognizes that security teams often have a great number of requirements pertinent to providing digital services. Prioritizing ‘security as a feature’ can be challenging for software teams. MVSP provides a simple set of minimum controls that are both easy for product teams to understand and integrate and easy to verify by the security and compliance team.

MVSP addresses these issues by providing a simple set of minimum controls that are both easy for product teams to understand and integrate into multiple phases of the product life cycle while being easy to verify by the security and compliance team. While MVSP controls are designed to be a baseline, they are built from the ground up to represent the building blocks and industry best practices expected to be present in secure and mature products.

To ensure the security posture of third-party suppliers, large companies can incorporate MVSP into their standard contractual controls. By ensuring that third parties acknowledge and respond to the MVSP controls at the initial RFP stage, agreeing to contractual controls based on MVSP can be further expedited.

Negotiating relevant security and privacy commercial terms with third-party suppliers can require significant effort and time-consuming revisions. Changes to contractual security terms often require input from multiple teams and subject matter experts on both sides; contractually negotiated security controls can be disconnected from other due diligence processes; and, when a set of custom requirements is used, reinforcing the reasonableness of specific safeguards during negotiations and preempting third-party pushback is tricky.

Keeping safeguards up to date with regulatory and industry trends requires a program of continual review and validation, and maintaining customized contractual security measures places the onus on legal teams to explain technical security concepts. Overall, these issues extend the contracting process, make agreements resource-intensive for all parties, and result in increased costs.

Last month, U.S. security agencies published a joint Secure by Design alert in response to the recent exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations. The alert also highlights the prevalence of this class of vulnerability. Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk.
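The defect class the alert refers to, and the mitigation it considers well established, can be shown side by side in a few lines. The example below is added here for illustration; it is not code from the alert, from CISA, or from the affected product, and the table, rows and lookup functions are constructed for the demonstration. The vulnerable function splices untrusted input into the SQL text, so the input can change the query's structure; the hardened function uses a parameterized query, so the same input is only ever treated as data.

```python
import sqlite3

# Constructed sample data for the demonstration (not taken from the page).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The SQLi defect class: input is concatenated into the SQL text.

    Quote characters in `username` end the string literal early and the
    remainder is parsed as SQL, so the caller no longer controls the query.
    """
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    """The mitigation: a parameterized query.

    The SQL text is fixed at development time and the value travels to the
    driver separately, so quotes or keywords in it never alter the query.
    """
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username: str) -> dict:
    """Run the same input through both lookups and return both results."""
    conn = build_db()
    return {
        "vulnerable": sorted(lookup_email_vulnerable(conn, username)),
        "safe": sorted(lookup_email_safe(conn, username)),
    }


if __name__ == "__main__":
    # A normal username behaves identically in both versions.
    print(compare("alice"))
    # Input containing a quote and an always-true clause: the concatenated
    # query returns every row, the parameterized query returns nothing
    # because no user is literally named that.
    print(compare("x' OR '1'='1"))
```

The second call is the whole point of the alert: the fix is not input filtering layered on top of string building, but a query whose structure cannot be changed by its inputs. A code review or static check that flags any string concatenation or f-string feeding `execute()` is a cheap way to verify the control across a codebase.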
