Pass Security Review

Workplace may require you to pass an annual security review. All apps that use one or more medium- or high-sensitivity permissions are required to undergo an annual security review.

In addition to use of sensitive permissions, there are other circumstances when security review is required. For example:

  • Any chat bot that inherently sends sensitive Personally Identifiable Information (PII) in chat messages (e.g., payroll information)
  • Any chat bot that meets a certain threshold of usage, as defined by Workplace
  • In other circumstances, as deemed necessary by Workplace

Passing a security review is required before your app can be used by any Workplace customers and is then required annually thereafter.

Description of the Workplace Security Review

The Workplace security review process is made up of two parts:

  1. Penetration test - tests an ISV's webapp for the existence of vulnerabilities that could lead to harm to Workplace customers (e.g., by allowing unauthorized access to customer data)
  2. Security RFI - qualified assessors will evaluate the effectiveness of the ISV's security practices and procedures across a breadth of areas, including data handling, secure software development, and vulnerability management

Penetration test

It is the ISV's responsibility to schedule the penetration test and to support the testing firm in completing it. The test is at the ISV's expense and must be repeated annually. It is a black box test (i.e., providing the source code to the testers is not required) and typically takes 1-2 weeks to execute. However, you should plan additional time for test preparation and for remediating and re-testing any vulnerabilities discovered during the pen test.

You will be required to fix and re-test any vulnerabilities with a severity score of 7.0 or higher on the CVSS 3.1 scale (i.e., high or critical severity).

You may not commence the Penetration Test until your app has passed App Review.

We recommend that you check in with your Workplace partnerships contact prior to committing to a penetration test.

Security request for information (Security RFI)

The Security RFI is designed to evaluate your organization's maturity with regard to security processes and controls. Your chosen security testing firm will also guide you through the Security RFI process, starting by sending you the RFI questionnaire and asking you to:

  1. Complete the questionnaire responses, and
  2. Provide any documentation (e.g., screen shots, process definition documents, 3rd party attestations) that support your responses.

Upon submission, your chosen security review firm will evaluate your responses and ask you follow-up questions if necessary.

If the security firm finds that your processes or procedures could lead to harm to a Workplace customer (e.g., by allowing unauthorized access to Workplace data), you may be required to make process or technical changes to mitigate the risk.

Firms Authorized to Conduct Workplace Security Reviews

The following security firms are the only firms currently approved to perform Workplace security reviews. Please use these contact details to initiate your Workplace security review:

Acceptable External Security Reviews

If an ISV has passed a comparable security review within the past year, Workplace will accept proof of this outcome to satisfy our annual security review requirement.

External security reviews will be considered comparable if Workplace determines that the review:

  1. Is designed by another enterprise SaaS platform for the purpose of establishing whether the ISV has implemented strong application security protections
  2. Includes a web app penetration test conducted by a qualified security firm (Workplace, at its sole discretion, will determine whether a security firm is qualified)
    1. The scope of the web app pen test must have included all aspects of the system and software that are used to integrate with Workplace
    2. At the conclusion of the pen test, there must be no unresolved critical or high severity vulnerabilities
  3. Includes an evaluation as to whether the ISV has implemented appropriate technical, administrative, and operational safeguards with respect to relevant systems and software, based on reasonable evidence requested from and provided by the ISV

Workplace currently accepts successful completion of the following external security reviews to satisfy our annual security review requirement:

  1. Microsoft 365 certification
  2. Google OAuth security review

If requested by an ISV, Workplace will consider accepting other external security reviews based on whether they meet the criteria summarized above.

Renewing Your Annual Security Review

To keep customer data safe, Workplace requires all 3rd party apps that have medium- or high-sensitivity permissions, or that meet certain other criteria, to pass an annual Security Review. Apps that do not pass the review by the deadline will be removed from the Workplace Integration Directory and will ultimately be disabled and removed from customers' Workplace communities.

The anniversary date is defined as 365 days after the app completed its previous Security Review. Developers will be notified in advance of the deadline.

The timeline and process is outlined as below:

  • Sixty days before the anniversary date, an app admin will be notified that the Security Review is due and you will be reminded to schedule your Security Review with an approved vendor.
  • Thirty days before the anniversary date, if the Security Review is not complete, an app admin will be notified that the Security Review is due and you will be reminded to schedule your Security Review with an approved vendor.
  • On the anniversary date, if the Security Review is not complete, an app admin will be notified that the Security Review is not complete. The app will be removed from the Integration Directory and new customers or installs will not be permitted.
  • Thirty days after the anniversary date, if the Security Review is not complete, an app admin will be notified that the Security Review is not complete. All existing installs are disabled in customers' Workplace instances. The admin of each customer's Workplace community will be allowed to re-enable it for another thirty days.
  • Sixty days after the anniversary date, if the Security Review is not complete, an app admin will be notified that the Security Review is not complete. All existing installs are disabled in customers' Workplace instances. The admin of each customer's Workplace community will be allowed to re-enable it for another thirty days.
  • Ninety days after the anniversary date, if the Security Review is not complete, an app admin will be notified that the Security Review is not complete after multiple notifications. All existing installs are removed from customers' Workplace instances. To make your app available for existing and new customers to install again, you must complete the Security Review.

Upon completion of Security Review at any point during the timeline above, an app admin will be notified that Security Review has been completed.

All alerts for the annual Security Review are sent to the app's admins by email and as alerts on the App Dashboard. If you would like to be notified, ask an existing admin to add you as an admin.

FAQ

Do I need to fix every vulnerability discovered during pen testing?

  • No, you will not be required to fix all vulnerabilities discovered during pen testing.
  • The testing firm will assign a severity to each vulnerability according to the CVSS 3.1 scale.
  • You will be required to fix any vulnerabilities with a CVSS 3.1 score of 7.0 or above (i.e., critical or high severity vulnerabilities). You will not pass the pen test until all must-fix vulnerabilities are confirmed fixed by your testing firm.
  • We recommend that ISVs fix and retest other vulnerabilities too (i.e., those with a CVSS 3.1 score below 7.0), but this is not mandatory to pass the pen test.

Do medium- and high-sensitivity apps go through the same review?

  • Both medium- and high-sensitivity apps are required to undergo an annual pen test and Security RFI.
  • Pen testers will typically spend about 40 hours of effort testing medium-sensitivity apps, and about 80 hours testing high-sensitivity apps.

Is a SOC 2 or ISO 27001 certification required?

  • No, it is not mandatory to have a SOC 2 or ISO 27001 certification to pass the Workplace security review.
  • However, we do expect that firms that have obtained one or both of these certifications will be well positioned to pass the security review efficiently.

Do I need to implement every recommendation from the Security RFI?

  • No, it is not mandatory to implement all recommendations in order to pass the Security RFI.
  • The testing firm will assign a risk level (e.g., low, medium, high, or critical) to areas where your process or implementation does not meet the security review requirements.
  • You will be required to implement fixes for any critical issues, along with any other issues that the security firm deems to present a critical or high risk to Workplace customers.

Here is a non-exhaustive set of examples of items that your security firm would consider as part of the Security RFI process:

  • Whether strong encryption is always used to protect Workplace customer data in transit and at rest
  • Whether strict authentication controls are enforced for admin access to your production environment
  • Whether you have a vulnerability disclosure program that allows an ethical hacker to report a vulnerability to you
  • Whether you are using appropriate protection techniques for Workplace API access tokens
  • Which third party services you share Workplace customer data with