VSAQ – Free, Interactive Vendor Security Assessment Questionnaire
Creating and managing vendor security assessments can be a challenge. Google has shared VSAQ via Github their solution to this problem. I must admit that it is pretty slick.
Check out the Google demo here!
VSAQ is a free, open source vendor security assessment questionnaire. It can help assess on premises, hybrid, and cloud SaaS vendor solutions.
Having an interactive questionnaire can be quite helpful in vendor engagement. If vendors are uses best practices, they get a relatively short questionnaire. On the other hand, vendors who stray away from best practices will need to explain themselves and answer more questions. Not only does it ask vendors additional questions based on response, but it also creates warning levels. Because these warnings levels show the vendor how serious we consider potential weaknesses.
Another advantage is the fact that there is no time wasted on emails back and forth with vendors. They can fill out this form by simply following a link. VSAQ does not save answers on the server. Because the vendor will download the answer file and send it back. You can also configure the download button to save the file to a network location if you prefer.
Installation of VSAQ on CentOS 7
Google posted simple installation instructions on Github but they are incomplete. Additonal repo and tools are required. I will include my installation procedure below. Please note that these instructions are just basic installation instructions. For more information about securing and hardening Linux check out the CIS Benchmark for CentOS 7.
So let’s get started!
Install Pre-Requisite Software
sudo yum -y install unzip sudo yum -y install ant sudo yum -y install git sudo yum -y install curl sudo yum -y install maven sudo yum -y install wget sudo yum -y install java-1.7.0-openjdk-devel
sudo yum -y install httpd sudo firewall-cmd --permanent --add-port=80/tcp sudo firewall-cmd --permanent --add-port=443/tcp sudo firewall-cmd --reload sudo systemctl start httpd sudo systemctl enable httpd
Clone Github Repositories
cd / sudo git clone https://github.com/google/vsaq cd third_party/ sudo git clone https://github.com/google/closure-compiler sudo git clone https://github.com/google/closure-library sudo git clone https://github.com/google/closure-stylesheets sudo git clone https://github.com/jleyba/js-dossier sudo git clone https://github.com/google/safe-html-types sudo git clone https://github.com/google/closure-templates
cd /vsaq/ sudo ./do.sh install_deps
sudo ./do.sh check_deps
sudo ./do.sh build
Move Files to Public Website
sudo cp -r build . /var/www/html/
Start the Server
sudo ./do.sh run
Browse to the Questionnaire
Secure the Server
Make sure to harden the server as we have only covered basics. So make sure to secure this server. CIS has great guide for hardening CentOS7.