In an ongoing effort to share their knowledge and expertise, Google recently announced on its security blog that they have released to open source their Vendor Security Assessment Questionnaire (VSAQ) on GitHub under the Apache License Version 2. The Google Vendor Security Review Tool questionnaire is used by Google to evaluate the quality of security and privacy for hundreds of vendors each year. Each of the four questionnaires that they have made available consist of a series of questions that adapt and adjust based on the responses in a way that The Register refers to as a, “choose-your-own-adventure,” style of questionnaire.
Google decided to publish this interactive questionnaire as a result of an outpouring of positive feedback from vendors who use the VSAQ to not only assess their own security and privacy postures, but also to improve them as well. Building on their own positive experiences, many vendors wanted to use the VSAQ to determine the security of their own suppliers.
Included in the VSAQ framework are four questionnaire templates which vendors can implement and customize by adding their own custom questions which are unique to their companies or verticals.
Each of the questionnaires are straightforward and the format is not unlike the application review security questionnaires found on Facebook. If risks are detected, warnings are issued along with a text-box where the vendor can explain either their unique exceptions to the identified risk, or the compensating controls which they have in place to mitigate the highlighted risk. Upon completion, Google offers recommendations and tips for the vendor to help them solve the potential vulnerabilities and threats.
The four templates of questionnaires are:
Web Application Security Questionnaire – Sample Question [click to enlarge]
Google is no stranger to taking the solutions that they develop and releasing them as open source projects for the greater good of the development community. In addition to releasing the Google Vendor Security Review Tool, examples that stand out in the field of security are nogotofail and Firing Range, both were made available on GitHub in November 2014.
Nogotofail is a scalable and powerful network security testing tool that provides, “an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations,” according to the Google Security Blog. Nogotofail works for applications running on Android, iOS, Linux, Windows, Chrome OS, OSX and any other device which you use to connect to the internet and was released to open source in November 2014.
Firing Range is a multi-faceted product security program built on the Google App Engine which helped Google engineers build and deploy secure software at every stage of the development life cycle prior to the release as an open source program, and now the folks at Google hope that others also find it helpful to assess how capable the detection tools that they currently are using are.
Google isn’t alone when it comes to large companies releasing security software as open source programs. In 2014, Netflix also announced they were releasing two security related web applications, Scrumblr and Sketchy, on GitHub.
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.