Minimum Viable Secure Product (MVSP) is a baseline cybersecurity checklist that lists the controls needed to ensure a minimally viable security posture for a product.


1_6. Business controls - Compliance
331. Guarantee legal compliance

1_8. Business controls - Data sanitization
173. Discard unsafe inputs

2_1. Application design - Single Sign-On
228. Authenticate using standard protocols

2_2. Application design - HTTPS only
029. Cookies with security attributes
324. Control redirects
336. Disable insecure TLS versions
349. Include HTTP security headers

2_3. Application design - Content Security Policy
062. Define standard configurations
175. Protect pages from clickjacking
266. Disable insecure functionalities
349. Include HTTP security headers

2_4. Application design - Password policy
122. Validate credential ownership
127. Store hashed passwords
129. Validate previous passwords
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
134. Store passwords with salt
238. Establish safe recovery
332. Prevent the use of breached passwords
334. Avoid knowledge-based authentication

2_5. Application design - Security libraries
155. Application free of malicious code
158. Use a secure programming language
160. Encode system outputs
173. Discard unsafe inputs
302. Declare dependencies explicitly

2_7. Application design - Logging
075. Record exceptional events in logs
085. Allow session history queries
376. Register severity level

2_9. Application design - Encryption
147. Use pre-existent mechanisms
224. Use secure cryptographic mechanisms
336. Disable insecure TLS versions
338. Implement perfect forward secrecy
351. Assign unique keys to each device

3_3. Application implementation - Vulnerability prevention
029. Cookies with security attributes
030. Avoid object reutilization
031. Discard user session data
062. Define standard configurations
141. Force re-authentication
173. Discard unsafe inputs
174. Transactions without a distinguishable pattern
266. Disable insecure functionalities
273. Define a fixed security suite

4_2. Operational controls - Logical access
034. Manage user accounts
095. Define users with privileges
096. Set user's required privileges