Workplace may require you to pass an annual security review. All apps that use one or more medium- or high-sensitivity permissions are required to undergo an annual security review.
In addition to the use of sensitive permissions, there are other circumstances in which a security review is required. For example:
Passing a security review is required before your app can be used by any Workplace customers and is then required annually thereafter.
The Workplace security review process is made up of two parts:
It is the responsibility of ISVs to schedule and support the testing firm in completing the penetration test. Testing cost is also the ISV's responsibility, and the test needs to be repeated annually. The test itself is a black-box test (i.e., providing the source code to the testers is not required) and typically takes 1-2 weeks to execute. However, you should plan for additional test preparation and vulnerability remediation time in case the pen test discovers vulnerabilities that you are required to remediate.
You will be required to fix and re-test any vulnerabilities with a severity greater than 7.0 on the CVSS 3.1 scale.
You may not commence the Penetration Test until your app has passed App Review.
We recommend that you check in with your Workplace partnerships contact prior to committing to a penetration test.
The Security RFI is designed to evaluate your organization's maturity with regard to security processes and controls. Your chosen security testing firm will also guide you through the Security RFI process, starting by sending you the RFI questionnaire and asking you to:
Upon submission, your chosen security review firm will evaluate your responses and ask you follow-up questions if necessary.
If the security firm finds that your processes or procedures could lead to harm to a Workplace customer (e.g., by allowing unauthorized access to Workplace data), you may be required to make process or technical changes to mitigate the risk.
The following security firms are the only firms currently approved to perform Workplace security reviews. Please use these contact details to initiate your Workplace security review:
If an ISV has passed a comparable security review within the past year, Workplace will accept proof of this outcome to satisfy our annual security review requirement.
External security reviews will be considered comparable if Workplace determines that the review:
Workplace currently accepts successful completion of the following external security reviews to satisfy our annual security review requirement:
If requested by an ISV, Workplace will consider accepting other external security reviews based on whether they meet the criteria summarized above.
To keep customer data safe, Workplace requires all third-party apps that have medium- or high-sensitivity permissions, or that meet certain other criteria, to pass an annual Security Review. Apps that do not pass the review by the deadline will be removed from the Workplace Integration Directory and will ultimately be disabled and removed from customers' Workplace communities.
The anniversary date is defined as 365 days after the app completed its previous Security Review. Developers will be notified in advance of the deadline.
The timeline and process are outlined below:
Upon completion of Security Review at any point during the timeline above, an app admin will be notified that Security Review has been completed.
All alerts for the Annual Security Review will be sent to the app's admins via email and via alerts on the App Dashboard. If you would like to be notified, ask an existing admin to add you as an admin.
Here is a non-exhaustive set of examples of items that your security firm would consider as part of the Security RFI process: