Today Docker is proud to announce that we are a founding member of the Vendor Security Alliance (VSA), a coalition formed to help organizations streamline their vendor evaluation processes by establishing a standardized questionnaire for appraising a vendor’s security and compliance practices. The VSA was established to solve a fundamental problem: how can IT teams conform to their existing security practices when procuring and deploying third-party components and platforms?
The VSA solves this problem by developing a required set of security questions that allow vendors to demonstrate to their prospective customers that they are doing a good job with security and data handling. Good security is built on great technology paired with processes and policies. Until today, there was no consistent way to discern whether all of these things were in place. Doing a proper security evaluation today tends to be a hard, manual process, and a large number of key questions come to mind when gauging how well a third-party company manages security.
As an example, these are the types of things that IT teams must be aware of when assessing a vendor’s security posture:
- Do they securely handle sensitive customer data?
- Do they have the ability to detect when attacks occur on their infrastructure?
- Do they train their developers on secure coding best practices?
- Do they follow industry best practices for configuring their systems?
Docker joins the Vendor Security Alliance’s founding team of security-conscious companies, including Uber, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy and Airbnb. The founding team has worked together to provide a pragmatic and approachable questionnaire. The collective team draws from a wide variety of backgrounds and experiences, including mobile, enterprise, and infrastructure companies; this mix of perspectives has informed a strong common security lexicon. We expect this questionnaire to be the basis for all companies to understand their security posture through tangible, actionable questions that will help improve software security across all industries. In service of that goal, we are releasing the questionnaire so that it is freely available to everyone. At the beginning of October, a copy of the questionnaire will be available to everyone at https://www.vendorsecurityalliance.org/.
As a founding member of the Vendor Security Alliance, Docker has taken an important step towards helping companies secure their processes and infrastructure. At Docker we talk a lot about helping organizations build secure infrastructure using Docker’s tools, like Docker Content Trust and the Docker Engine’s runtime isolation, both of which were shaped by diligent feedback from our customers. But technology isn’t the whole equation. Assessing yourself against best practices, and understanding how well your vendors manage their own programs, is an important step in building a security program at any company. Docker will also be using this questionnaire to assess our own vendors, while looking outward to see how it will help the industry with shared practices and consistent evaluation criteria.