What is MVSP?
A vendor-neutral minimum security baseline — backed by Google, Salesforce and others — for what every B2B product should implement.
Definition
MVSP (Minimum Viable Secure Product) is a minimalistic, vendor-neutral security checklist for B2B products. Developed by a consortium including Google, Salesforce and Okta, it defines the baseline controls every product should have — simple enough to complete quickly during procurement and vendor security reviews.
MVSP is intentionally lightweight: a common minimum bar rather than an exhaustive framework, useful both for buyers assessing vendors and for vendors demonstrating basic security hygiene.
The four control areas
Business controls
Vulnerability reports, pen testing, compliance and incident handling.
Application design
Authentication, authorisation, encryption in transit and security headers.
Application implementation
Secure development, dependency and vulnerability management.
Operational controls
Logging, patching, backups and physical/data-centre security.
Who needs to comply?
MVSP is used by B2B software vendors wanting a quick, credible baseline, and by buyers standardising their vendor security questionnaires.
How ISpectra helps
ISpectra assesses your product against the MVSP checklist, remediates gaps, and helps you use it as a stepping stone toward SOC 2 or ISO 27001.
Talk to an advisor