Google offers app to help companies assess their vendors' security

The app contains questions for assessing Web application security, infrastructure security, data center security and privacy

Google has published an interactive questionnaire that companies can use to assess the security practices of their suppliers or to review and improve their own security programs.

The Vendor Security Assessment Questionnaire (VSAQ) is a Web-based application and was released under an open-source license on GitHub. It contains a collection of questionnaires that Google itself uses to review multiple aspects of a vendor's security.

The application has templates for Web application security, infrastructure security, physical and data center security and an organization's overall security and privacy program. The questions cover everything from whether the vendor has processes in place for external researchers to report vulnerabilities to HTTPS implementation details and internal data handling policies.

Depending on the answers provided, the application will provide tips and recommendations to help the reviewed organization address issues that can pose a security risk.

According to Google security engineers Lukas Weichselbaum and Daniel Fabian, many of the vendors that were assessed using the questionnaires found the tips useful and were interested in using the app themselves to assess their own suppliers. This played into Google's decision to make it public.

"We hope it will help companies spin up, or further improve their own vendor security programs," Weichselbaum and Fabian said in a blog post. "We also hope the base questionnaires can serve as a self-assessment tool for security-conscious companies and developers looking to improve their security posture."

The four available templates can easily be expanded to include additional questions tailored to each organization's security needs and expectations.

Supply-chain security, especially as it relates to software, has become a serious problem for companies in recent years. Third-party code accounts for the majority of any organization's software and according to security vendor Veracode, 90 percent of that code is not compliant with known security standards like the OWASP (Open Web Application Security Project) Top 10.

Many software developers themselves use third-party components and then fail to track and import patches for vulnerabilities found in them. OWASP lists vulnerable software components as a widespread and difficult to detect issue.

Join the CSO newsletter!

Error: Please check your email address.

More about Google

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts