MVSP

Summary

Minimum Viable Secure Product (MVSP) is a cybersecurity checklist baseline that lists controls to ensure minimally viable security posture of a product.

Definitions

Definition	Requirements
1_6. Business controls - Compliance	331. Guarantee legal compliance
1_8. Business controls - Data sanitization	173. Discard unsafe inputs
2_1. Application design - Single Sign-On	228. Authenticate using standard protocols
2_2. Application design - HTTPS only	029. Cookies with security attributes 324. Control redirects 336. Disable insecure TLS versions 349. Include HTTP security headers
2_3. Application design - Content Security Policy	062. Define standard configurations 175. Protect pages from clickjacking 266. Disable insecure functionalities 349. Include HTTP security headers
2_4. Application design - Password policy	122. Validate credential ownership 127. Store hashed passwords 129. Validate previous passwords 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 134. Store passwords with salt 238. Establish safe recovery 332. Prevent the use of breached passwords 334. Avoid knowledge-based authentication
2_5. Application design - Security libraries	155. Application free of malicious code 158. Use a secure programming language 160. Encode system outputs 173. Discard unsafe inputs 302. Declare dependencies explicitly
2_7. Application design - Logging	075. Record exceptional events in logs 085. Allow session history queries 376. Register severity level
2_9. Application design - Encryption	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 338. Implement perfect forward secrecy 351. Assign unique keys to each device
3_3. Application implementation - Vulnerability prevention	029. Cookies with security attributes 030. Avoid object reutilization 031. Discard user session data 062. Define standard configurations 141. Force re-authentication 173. Discard unsafe inputs 174. Transactions without a distinguishable pattern 266. Disable insecure functionalities 273. Define a fixed security suite
4_2. Operational controls - Logical access	034. Manage user accounts 095. Define users with privileges 096. Set user's required privileges