Minimum Viable Secure Product

MVSP is a minimum application security baseline for enterprise-ready products and services. The baseline checklist is focused on application security controls, and can be used at various stages of the sales cycle, from RFP through to contractual controls.

The best way to read about MVSP is to visit mvsp.dev.

How to use it

Procurement / Requests for proposals

Universal baseline for vendor selection simplifies the jobs of the sourcing teams. MVSP is short and concise to be included into RFP documents without bloating them.

Self-assessment

Smaller companies that are not mature enough to afford large compliance efforts such as SOC 2 or PCI DSS use MVSP as the baseline for the security posture of their MVP.

Third-party security

Larger companies attempting to triage their vendors' security posture incorporate MVSP as their universal questionnaire.

Including it into your standard agreements

By including the MVSP in your standard agreements, it is possible to align on a set of baseline contractual controls that matches those shared at the point of RFP. This can greatly help to ensure that requirements are communicated clearly up front, and reduces last minute surprises.

Complying with it as vendor

As a vendor you may be asked if you are able to comply with the MVSP baseline. Alongside the checklist, you can find more information about the controls and why these are important in the Controls FAQ.

Contributing

MVSP is designed to be simple, understandable and minimalistic. It must be considered that the goal is not to become another complex standard. Before sending a PULL request contributors should always ask themselves the question: Could I consider a vendor secure if they did not comply with the control I am adding? If the answer is yes, then the control should not be there.

For more information, see Contributing

License

MVSP and its translations are public domain under CC0 1.0 Universal license.