Skip to content
Source imaged via Shutterstock
Source imaged via Shutterstock

Blog post -

Helping developers get approved to use Google and Facebook platforms securely

By Joel Scambray, VP of Application Security, North America

In recent months, we’ve observed a pretty dramatic increase in major platform providers mandating that third-party app developers meet specific security and privacy requirements. NCC Group is proud to be an approved provider to some of these programs:

Other examples of public assurance programs include the following (NCC Group is not a named provider for these):

It’s becoming clear that many third party app developers, especially those handling sensitive information, will increasingly be asked to pass a security assessment, possibly at multiple levels of depth. As the reliability of the digital ecosystem becomes increasingly important, especially during the ongoing pandemic, you may see more of this and may be asked to demonstrate compliance for the apps you develop.

  • Do they apply to my app?
  • What level of assessment is my app required to complete?
  • How long will the assessment process take?
  • How much will it cost?
  • What are the detailed technical steps involved?
  • What happens to my app if it doesn’t “pass”?

To find answers to some of these questions, we recommend you check out our on-demand webinar that talks about our experience as an approved security assessor for Google’s OAuth API Verification program. The webinar lasts about 20 minutes and covers a little over 40 slides. We’ve also recently completed an engagement with a real-world Google developer partner and will provide insight on how we helped them navigate this process. But for those of you that don’t have even that much time, here’s the tl;dr…

Key takeaways from the webinar

One key takeaway from our webinar is that there are important development schedule and cost considerations developers need to make. For a Google OAuth Security Assessment, you can expect between 12-40 business days from first inquiry to final approval (Letter of Assessment, LOA) and between $15,000 to $75,000 USD (per Google guidance). Actual time and cost vary with the technical scope of the target application, supporting infrastructure, processes, and so on. Obviously, this could represent significant change to schedule and cost, so planning for this going forward is critical.

Another important feature of Google’s OAuth program is its balance of breadth and depth. The program covers four key areas:

  • External Network Penetration Testing
  • Application Penetration Testing
  • Deployment Review
  • Policy and Procedure Review

As you can see from this list, the assessment covers more than just the typical penetration test. Google has looked holistically at the application, supporting networks, infrastructure (including cloud hosting environments), and even information security policies and procedures. This more comprehensive approach is based on Google’s desire to strengthen the security of their API ecosystem for all users. Even to the extent of shutting off access to sensitive or restricted APIs for apps that don’t pass.

Finally, it’s important to consider that Google’s OAuth security assessment requirements recur annually, and Google requires a full re-test each year (not just changes since last test). So, the time and cost considerations noted above should be baked into development plans ongoing.

In summary, if you’re already doing regular security assessments for your apps, great! If you need to learn more about specific programs like Google’s, and/or you’re interested in learning more about general security and privacy assurance best practices, don’t hesitate to reach out.


Press contacts

NCC Group Press Office

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7824 412 405
NCC Group - Financial Media Enquiries

NCC Group - Financial Media Enquiries

Press contact Maitland AMO Financial Results Media Enquiries +44 (0)20 7379 5151
Regional Press Office - North America

Regional Press Office - North America

Press contact +1 408 776 1400

NCC Group exists to make the world safer and more secure

In today’s threat landscape understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom