Pass Security Review

Workplace may require you to pass our security review process. All apps that use one or more medium- or high-sensitivity permissions are required to undergo security review.

In addition to use of sensitive permissions, there are other circumstances when security review is required. For example:

  • If a chat bot is configured such that it can be added to Work Chat group threads
  • Any chat bot that inherently sends sensitive Personally Identifiable Information (PII) in chat messages (e.g., payroll information)
  • Any chat bot that meets a certain threshold of usage, as defined by Workplace
  • In other circumstances, as deemed necessary by Workplace

The security review process is made up of two parts:

  1. Penetration test - tests an ISV's webapp for the existence of vulnerabilities that could lead to harm to Workplace customers (e.g., by allowing unauthorized access to customer data)
  2. Security RFI - qualified assessors will evaluate the effectiveness of the ISV's security practices and procedures across a breadth of areas, including data handling, secure software development, and vulnerability management

Passing the security review is required before your app can be used by any Workplace customers and is then required annually thereafter.

Penetration test

It is the responsibility of ISVs to schedule and support the testing firm in completing the penetration test. Testing cost is also the ISV's responsibility and needs to be repeated annually. The test itself is a black box test (i.e., providing the source code to the testers is not required) and typically takes 1-2 weeks to execute. However, you should plan for additional test preparation and vulnerability remediation time in case you are required to remediate any vulnerabilities discovered during the pen test.

You will be required to fix and re-test any vulnerabilities having a severity greater than 7.0 according to the CVSS 3.1 scale.

You may not commence the Penetration Test until your app has passed App Review.

We recommend that you check in with your Workplace partnerships contact prior to committing to a penetration test.

Security request for information (Security RFI)

The Security RFI is designed to evaluate your organization's maturity with regard to security processes and controls. Your chosen security testing firm will also guide you through the Security RFI process, starting by sending you the RFI questionnaire and asking you to:

  1. Complete the questionnaire responses, and
  2. Provide any documentation (e.g., screenshots, process definition documents, 3rd party attestations) that supports your responses.

Upon submission, your chosen security review firm will evaluate your responses and ask you follow-up questions if necessary.

If the security firm finds that your processes or procedures could lead to harm to a Workplace customer (e.g., by allowing unauthorized access to Workplace data), you may be required to make process or technical changes to mitigate the risk.

Annual Security Review

To keep customer data safe, Workplace requires all 3rd party apps that have mid- and high-sensitivity permissions, or that meet certain other criteria, to pass an annual Security Review. Apps that do not pass the review by the deadline will be removed from the Workplace Integration Directory and will ultimately be disabled and removed from customers' Workplace communities.

The anniversary date is defined as 365 days after the app completed its Security Review. Every year Security Review will be conducted on this anniversary date and developers will be notified accordingly.

The timeline and process are outlined below:

  • Sixty days before the anniversary date, an app admin will be notified that the Security Review is due and you will be reminded to schedule your Security Review with an approved vendor.
  • Thirty days before the anniversary date, if Security Review is not complete, then an app admin will be notified that the Security Review is due and you will be reminded to schedule your Security Review with an approved vendor.
  • On the anniversary date, if Security Review is not complete, then an app admin will be notified that the Security Review is not complete. The app will be removed from the Integration Directory and new customers or installs will not be permitted.
  • Thirty days after the anniversary date, if Security Review is not complete, then an app admin will be notified that the Security Review is not complete. All existing installs are disabled from customers' Workplace instances. The admin of the customers' Workplace community will be allowed to enable it for another thirty days.
  • Sixty days after the anniversary date, if Security Review is not complete, then an app admin will be notified that the Security Review is not complete. All existing installs are disabled from customers' Workplace instances. The admin of the customers' Workplace community will be allowed to enable it for another thirty days.
  • Ninety days after the anniversary date, if Security Review is not complete, then an app admin will be notified that the Security Review is not complete after multiple notifications. All existing installs are removed from customers' Workplace instances. To make your app available for existing and new customers to install again, you must complete Security Review.

Upon completion of Security Review at any point during the timeline above, an app admin will be notified that Security Review has been completed.

All alerts for Annual Security Review will be sent to the app admins of the app via email and as alerts on the App Dashboard. If you would like to be notified, ask an existing admin to add you as an admin.

Contacting a Security Firm

Please use these contact details to initiate your security review:

  • NCC Group - Workplace-testing@nccgroup.com

FAQ

  • No, you will not be required to fix all vulnerabilities discovered during pen testing
  • The testing firm will assign a severity to each vulnerability according to the CVSS 3.1 scale
  • You will be required to fix any vulnerabilities with a CVSS 3.1 score of 7.0 or above (i.e., critical or high severity vulnerabilities). You will not pass the pen test until all must-fix vulnerabilities are confirmed fixed by your testing firm
  • We recommend that ISVs fix and retest other vulnerabilities too (i.e., those with a CVSS 3.1 score below 7.0), but this is not mandatory to pass the pen test
  • Both mid- and high-sensitivity apps are required to undergo an annual pen test and security RFI
  • Pen testers will typically spend about 40 hours of effort testing mid-sensitivity apps whereas they will typically spend about 80 hours testing high-sensitivity apps
  • It is not mandatory to have a SOC2 or ISO 27001 certification to pass the Workplace security review
  • However, we do expect that firms that have obtained one or both of these certifications will be well positioned to pass the security review efficiently
  • No, it is not mandatory to implement all recommendations in order to pass the security RFI
  • The testing firm will assign a risk level (e.g., low, medium, high, or critical) to areas where your process or implementation does not meet the security review requirements
  • You will be required to implement fixes for any critical issues along with any other issues that the security firm deems to present a critical or high risk to Workplace customers

Here is a non-exhaustive set of examples of items that your security firm would consider as part of the Security RFI process:

  • Whether strong encryption is always used to protect Workplace customer data in transit and at rest
  • Whether strict authentication controls are required for admin access to your production environment
  • Whether you have a vulnerability disclosure program that allows an ethical hacker to report a vulnerability to you
  • Whether you are using appropriate protection techniques for Workplace API access tokens
  • Which third party services you share Workplace customer data with