MVSP

Minimum Viable Secure Product (MVSP) is a cybersecurity checklist baseline that lists controls to ensure minimally viable security posture of a product.

Control-Requirement Mapping

Definition	Requirements
1_6. Business controls - Compliance	331. Guarantee legal compliance
1_8. Business controls - Data handling	173. Discard unsafe inputs
2_1. Application design controls - Single Sign-On	228. Authenticate using standard protocols
2_2. Application design controls - HTTPS only	324. Control redirects 336. Disable insecure TLS versions 349. Include HTTP security headers 029. Cookies with security attributes
2_3. Application design controls - Security Headers	175. Protect pages from clickjacking 266. Disable insecure functionalities 349. Include HTTP security headers 062. Define standard configurations
2_4. Application design controls - Password policy	122. Validate credential ownership 127. Store hashed passwords 129. Validate previous passwords 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 134. Store passwords with salt 238. Establish safe recovery 332. Prevent the use of breached passwords 334. Avoid knowledge-based authentication
2_5. Application design controls - Security libraries	155. Application free of malicious code 158. Use a secure programming language 160. Encode system outputs 173. Discard unsafe inputs 302. Declare dependencies explicitly
2_7. Application design controls - Logging	376. Register severity level 075. Record exceptional events in logs 085. Allow session history queries
2_8. Application design controls - Encryption	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 338. Implement perfect forward secrecy 351. Assign unique keys to each device
3_3. Application implementation controls - Vulnerability prevention	141. Force re-authentication 173. Discard unsafe inputs 174. Transactions without a distinguishable pattern 266. Disable insecure functionalities 273. Define a fixed security suite 029. Cookies with security attributes 030. Avoid object reutilization 031. Discard user session data 062. Define standard configurations
4_2. Operational controls - Logical access	034. Manage user accounts 095. Define users with privileges 096. Set user's required privileges

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.