Helping developers get approved to use Google and Facebook platforms securely
By Joel Scambray, VP of Application Security, North America
In recent months, we’ve observed a pretty dramatic increase in major platform providers mandating that third-party app developers meet specific security and privacy requirements. NCC Group is proud to be an approved provider to some of these programs:
- Google OAuth API Verification Program
- Facebook Workplace Security Review Process
- Alexa Built-In Devices Authorized Third-Party Lab
- ioXt Authorized Lab
Other examples of public assurance programs include the following (NCC Group is not a named provider for these):
It’s becoming clear that many third-party app developers, especially those handling sensitive information, will increasingly be asked to pass a security assessment, possibly at multiple levels of depth. As the reliability of the digital ecosystem becomes increasingly important, especially during the ongoing pandemic, you may see more of this and may be asked to demonstrate compliance for the apps you develop. Developers facing these programs typically ask:
- Do they apply to my app?
- What level of assessment is my app required to complete?
- How long will the assessment process take?
- How much will it cost?
- What are the detailed technical steps involved?
- What happens to my app if it doesn’t “pass”?
To find answers to some of these questions, we recommend you check out our on-demand webinar that talks about our experience as an approved security assessor for Google’s OAuth API Verification program. The webinar lasts about 20 minutes and covers a little over 40 slides. We’ve also recently completed an engagement with a real-world Google developer partner and will provide insight on how we helped them navigate this process. But for those of you that don’t have even that much time, here’s the tl;dr…
Key takeaways from the webinar
One key takeaway from our webinar is that there are important development schedule and cost considerations developers need to make. For a Google OAuth Security Assessment, you can expect between 12 and 40 business days from first inquiry to final approval (Letter of Assessment, LOA) and between $15,000 and $75,000 USD (per Google guidance). Actual time and cost vary with the technical scope of the target application, supporting infrastructure, processes, and so on. Obviously, this could represent a significant change to schedule and cost, so planning for it going forward is critical.
Another important feature of Google’s OAuth program is its balance of breadth and depth. The program covers four key areas:
- External Network Penetration Testing
- Application Penetration Testing
- Deployment Review
- Policy and Procedure Review
As you can see from this list, the assessment covers more than just the typical penetration test. Google has looked holistically at the application, supporting networks, infrastructure (including cloud hosting environments), and even information security policies and procedures. This more comprehensive approach is based on Google’s desire to strengthen the security of their API ecosystem for all users, even to the extent of shutting off access to sensitive or restricted APIs for apps that don’t pass.
Finally, it’s important to consider that Google’s OAuth security assessment requirements recur annually, and Google requires a full re-test each year (not just of changes since the last test). So, the time and cost considerations noted above should be baked into development plans on an ongoing basis.
In summary, if you’re already doing regular security assessments for your apps, great! If you need to learn more about specific programs like Google’s, and/or you’re interested in learning more about general security and privacy assurance best practices, don’t hesitate to reach out.