Google Opens Up Collection of Vendor Security Assessment Questionnaires

by Ostatic Staff - Mar. 08, 2016

Google is continuing its rapid pace of open source contributions this year. As we've covered, the company recently opened up some powerful and interesting machine learning tools. It is open sourcing a program called TensorFlow that is based on the same internal toolset that Google has spent years developing to support its AI software and other predictive and analytics programs. You can find out more about TensorFlow at its site, and you might be surprised to learn that it is the engine behind several Google tools you may already use, including Google Photos and the speech recognition found in the Google app.

Meanwhile, Google has now opened up its Vendor Security Assessment Questionnaire (VSAQ), a collection of self-adapting questionnaires that have been used to let companies evaluate the security risks posed by hundreds of vendors every year.

In a blog post, members of Google's security team said that the questionnaires can help vendors use the embedded tips and recommendations to improve their security posture, and they noted that many vendors use them to evaluate suppliers:

"We've decided to open source the VSAQ Framework (Apache License Version 2) and the generally applicable parts of our questionnaires on GitHub: We hope it will help companies spin up, or further improve their own vendor security programs. We also hope the base questionnaires can serve as a self-assessment tool for security-conscious companies and developers looking to improve their security posture. The VSAQ Framework comes with four security questionnaire templates that can be used with the VSAQ rendering engine:

Web Application Security Questionnaire

Security & Privacy Program Questionnaire

Infrastructure Security Questionnaire

Physical & Data Center Security Questionnaire

"All four base questionnaire templates can be readily extended with company-specific questions. Using the same questionnaire templates across companies may help to scale assessment efforts."

If you want to dip your toes in and try this approach without making a significant time commitment, a demo version of the VSAQ Framework is available here: