In an ongoing effort to share their knowledge and expertise, Google recently announced on its security blog that they have released to open source their Vendor Security Assessment Questionnaire (VSAQ) on GitHub under the Apache License Version 2. The Google Vendor Security Review Tool questionnaire is used by Google to evaluate the quality of security and privacy for hundreds of vendors each year. Each of the four questionnaires that they have made available consist of a series of questions that adapt and adjust based on the responses in a way that The Register refers to as a, “choose-your-own-adventure,” style of questionnaire.
Why Was The Google Vendor Security Review Tool Released To Open Source?
Google decided to publish this interactive questionnaire as a result of an outpouring of positive feedback from vendors who use the VSAQ to not only assess their own security and privacy postures, but also to improve them as well. Building on their own positive experiences, many vendors wanted to use the VSAQ to determine the security of their own suppliers.
What Templates are included in the VSAQ Framework?
Included in the VSAQ framework are four questionnaire templates which vendors can implement and customize by adding their own custom questions which are unique to their companies or verticals.
Each of the questionnaires are straightforward and the format is not unlike the application review security questionnaires found on Facebook. If risks are detected, warnings are issued along with a text-box where the vendor can explain either their unique exceptions to the identified risk, or the compensating controls which they have in place to mitigate the highlighted risk. Upon completion, Google offers recommendations and tips for the vendor to help them solve the potential vulnerabilities and threats.
The four templates of questionnaires are:
Web Application Security Questionnaire – Sample Question [click to enlarge]
Has Google Released Other Security Tools To Open Source?
Google is no stranger to taking the solutions that they develop and releasing them as open source projects for the greater good of the development community. In addition to releasing the Google Vendor Security Review Tool, examples that stand out in the field of security are nogotofail and Firing Range, both were made available on GitHub in November 2014.
Nogotofail is a scalable and powerful network security testing tool that provides, “an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations,” according to the Google Security Blog. Nogotofail works for applications running on Android, iOS, Linux, Windows, Chrome OS, OSX and any other device which you use to connect to the internet and was released to open source in November 2014.
Firing Range is a multi-faceted product security program built on the Google App Engine which helped Google engineers build and deploy secure software at every stage of the development life cycle prior to the release as an open source program, and now the folks at Google hope that others also find it helpful to assess how capable the detection tools that they currently are using are.
Google isn’t alone when it comes to large companies releasing security software as open source programs. In 2014, Netflix also announced they were releasing two security related web applications, Scrumblr and Sketchy, on GitHub.