Workplace may require you to pass our security review process. All apps that use one or more medium- or high-sensitivity permissions are required to undergo security review.
In addition to use of sensitive permissions, there are other circumstances when security review is required. For example:
The security review process is made up of two parts:
Passing the security review is required before your app can be used by any Workplace customers and is then required annually thereafter.
It is the responsibility of ISVs to schedule and support the testing firm in completing the penetration test. Testing cost is also the ISV's responsibility and needs to be repeated annually. The test itself is a black box test (i.e., providing the source code to the testers is not required) and typically takes 1-2 weeks to execute. However, you should plan for additional test preparation and vulnerability remediation time in case you are required to remediate any vulnerabilities discovered during the pen test.
You will be required to fix and re-test any vulnerabilities with a severity greater than 7.0 on the CVSS 3.1 scale.
You may not commence the penetration test until your app has passed App Review.
We recommend that you check in with your Workplace partnerships contact prior to committing to a penetration test.
The Security RFI is designed to evaluate your organization's maturity with regard to security processes and controls. Your chosen security testing firm will also guide you through the Security RFI process, starting by sending you the RFI questionnaire and asking you to:
Upon submission, your chosen security review firm will evaluate your responses and ask you follow-up questions if necessary.
If the security firm finds that your processes or procedures could lead to harm to a Workplace customer (e.g., by allowing unauthorized access to Workplace data), you may be required to make process or technical changes to mitigate the risk.
To keep customer data safe, Workplace requires all third-party apps that have medium- and high-sensitivity permissions, or that meet certain other criteria, to pass an annual Security Review. Apps that do not pass the review by the deadline will be removed from the Workplace Integration Directory and will ultimately be disabled and removed from customers' Workplace communities.
The anniversary date is defined as 365 days after the app completed its Security Review. Every year Security Review will be conducted on this anniversary date and developers will be notified accordingly.
The timeline and process are outlined below:
Upon completion of Security Review at any point during the timeline above, an app admin will be notified that Security Review has been completed.
All alerts for the Annual Security Review will be sent to the app's admins via email and as alerts on the App Dashboard. If you would like to be notified, ask an existing admin to add you as an admin.
Please use these contact details to initiate your security review:
Here is a non-exhaustive set of examples of items that your security firm would consider as part of the Security RFI process: