Skip to main content




Minimum Viable Secure Product (MVSP) is a cybersecurity checklist baseline that lists controls to ensure minimally viable security posture of a product.


1_6. Business controls - Compliance
331. Guarantee legal compliance
1_8. Business controls - Data handling
173. Discard unsafe inputs
2_1. Application design controls - Single Sign-On
228. Authenticate using standard protocols
2_2. Application design controls - HTTPS only
029. Cookies with security attributes
324. Control redirects
336. Disable insecure TLS versions
349. Include HTTP security headers
2_3. Application design controls - Security Headers
062. Define standard configurations
175. Protect pages from clickjacking
266. Disable insecure functionalities
349. Include HTTP security headers
2_4. Application design controls - Password policy
122. Validate credential ownership
127. Store hashed passwords
129. Validate previous passwords
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
134. Store passwords with salt
238. Establish safe recovery
332. Prevent the use of breached passwords
334. Avoid knowledge-based authentication
2_5. Application design controls - Security libraries
155. Application free of malicious code
158. Use a secure programming language
160. Encode system outputs
173. Discard unsafe inputs
302. Declare dependencies explicitly
2_7. Application design controls - Logging
075. Record exceptional events in logs
085. Allow session history queries
376. Register severity level
2_8. Application design controls - Encryption
147. Use pre-existent mechanisms
224. Use secure cryptographic mechanisms
336. Disable insecure TLS versions
338. Implement perfect forward secrecy
351. Assign unique keys to each device
3_3. Application implementation controls - Vulnerability prevention
029. Cookies with security attributes
030. Avoid object reutilization
031. Discard user session data
062. Define standard configurations
141. Force re-authentication
173. Discard unsafe inputs
174. Transactions without a distinguishable pattern
266. Disable insecure functionalities
273. Define a fixed security suite
4_2. Operational controls - Logical access
034. Manage user accounts
095. Define users with privileges
096. Set user's required privileges
free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.