Tech

Google opens up VSAQ security assessor to the open source community

Without an established framework and standards, judging a vendor's security can be a tough task.

Written by Charlie Osborne, Contributing Writer March 8, 2016 at 12:53 a.m. PT

Google has released assessment software to the open-source community to grant vendors the opportunity to scrutinize their own security practices.

On Monday, the tech giant said the Vendor Security Assessment Questionnaire (VSAQ), a selection of self-adapting questionnaires, have been used in the past to help the firm assess the practices and risk related to hundreds of vendors and their security every year.

Now, VSAQ is open for use by vendors that wish to assess themselves or their suppliers and find ways in which to improve their security measures.

In a blog post, Lukas Weichselbaum and Daniel Fabian from the Google Security team said VSAQ is useful not only for information gathering but also triage purposes when it comes to "evaluating multiple aspects of a vendor's security and privacy posture."

After trying out the software, many vendors used the information gathered by the questionnaire -- which in turn pointed out problems and areas for improvement -- to tackle weak areas in their security. A number of vendors also expressed interest in using VSAQ themselves not only to further improve corporate practices but to evaluate their own suppliers.

Security

The possibility of using VSAQ to scrutinize third-party suppliers is important. No matter how much investment is poured into a company's security and defense, they are only as strong as the weakest link -- and if other firms linked to the network do not have not the resources or the same levels of funding for cybersecurity, this could provide an avenue for cyberattackers to breach a network.

If software and surveys including VSAQ become common tools across the board, this could help enterprise players find severe weaknesses in third-parties -- as well as their own networks -- and tackle the problem before it results in a data breach or successful cyberattack.

Google has now released the VSAQ Framework under a 2.0 Apache License on GitHub. While VSAQ is a client-side assessor with a fair throughput, for high-throughput security programs, the enterprise can also consider using the VSAQ framework with server-side components.

"We hope it will help companies spin up, or further improve their own vendor security programs," Google said. "We also hope the base questionnaires can serve as a self-assessment tool for security-conscious companies and developers looking to improve their security posture."