Google has released a framework to open source that it implements internally to evaluate the security posture of the numerous vendors it uses for various services each year.
The company’s Vendor Security Assessment Questionnaire (VSAQ) Framework is a collection of four templates with questions for evaluating the quality of a supplier’s security and privacy practices.
By releasing the framework to the open-source community, Google officials said they want to give other organizations an opportunity to do the same kind of evaluation that Google itself does when selecting vendors and suppliers.
“We hope it will help companies spin up, or further improve their own vendor security programs,” Lukas Weichselbaum and Daniel Fabian, Google Security team members, wrote in a blog post on Monday. “We also hope the base questionnaires can serve as a self-assessment tool for security-conscious companies and developers looking to improve their security posture.”
The four questionnaire templates in Google’s VSAQ Framework include Web application security, infrastructure security, physical and data center security and a security and privacy questionnaire. All of the questions are preceded by a brief description of the reasons that Google has interest in that specific topic and the advantages of having that control in place.
The questions in each downloadable template cover a wide range of topics. The Web security questionnaire, for instance, asks vendors to supply information on their vulnerability reporting and management practices, authentication and authorization controls, and their development processes for protecting against common Web application errors like cross-site scripting and SQL injection.
Questions in the infrastructure security template are designed to evaluate the security controls that the vendor might be using to preserve network and data integrity. Questions in this section include those pertaining to written security policies, the use of network firewalls, encryption, monitoring and traffic management. Also included in the infrastructure template are questions for evaluating the controls a vendor might be using for server, endpoint and storage security.
The physical and data center template similarly contain questions for evaluating the controls and processes used by a vendor to control access to physical facilities and systems and to critical components like switches, wireless access points and office routers.
According to Weichselbaum and Fabian, the VSAQ framework has helped the company automate a lot of the initial information gathering and triaging involved in the vendor selection process. Many of the vendors that have been required to fill out the questionnaire have used it to improve their security posture and for evaluating their own suppliers and vendors in turn, the two Google security team members said.
The templates can be easily modified to include questions that are specific or unique to a company’s particular requirements, according to Weichselbaum and Fabian. They touted the VSAQ framework as helping organizations scale their vendor assessment processes while also making it easier for vendors to respond to inquiries about their security readiness.
The mega-breaches at Target and several other organizations in recent times have focused attention on the importance of companies in ensuring that business partners, vendors, suppliers and other third parties with whom they interact have adequate security. The breach at Target, for instance, started when attackers used log-in credentials belonging to a company providing heating, ventilation and air-conditioning services to the retailer to break into the company’s network.