In recent months, we’ve observed a pretty dramatic increase in major platform providers mandating that third-party app developers meet specific security and privacy requirements. NCC Group is proud to be an approved provider of some of these programs:
- Google MASA Authorized Lab Partner
- Google CASA Authorized Assessor
- Meta Workplace Security Review Authorized Assessor
- Alexa Built-In Devices Authorized Third-Party Lab
- ioXt Authorized Lab
Other examples of public assurance programs include the following (NCC Group is not a named provider for these):
Understanding Security Assessments for Your Apps
It’s becoming clear that many third-party app developers, especially those handling sensitive information, will increasingly be asked to pass a security assessment, possibly at multiple levels of depth. As the reliability of the digital ecosystem becomes increasingly important, you may see more of this and may be asked to demonstrate compliance for the apps you develop. Some questions you should consider if your app is potentially subject to these assessments:
- Do they apply to my app?
- What level of assessment is my app required to complete?
- How long will the assessment process take?
- How much will it cost?
- What are the detailed technical steps involved?
- What happens to my app if it doesn’t “pass”?
While there are some common elements across each of these frameworks, they mostly have unique scopes, requirements, approaches, and compliance processes, as one would expect given the stature of their sponsoring organizations. One key takeaway is that developers need to account for multiple important development-schedule and cost considerations.
Planning Ahead for App Security Assessments
Actual assessment duration and costs typically vary with the technical scope of the target application, supporting infrastructure, processes, and so on. Obviously, this could represent a significant change to a development schedule and cost, so planning for this going forward is critical.
Even more critical than the cost of the assessment is the potential impact on the business derived from your app. Several of the frameworks listed above will shut off access to sensitive or restricted APIs for apps that don’t pass, which could impair or even completely disable your app’s functionality for most or all users.
Factor Annual Tests into Development Plans
Finally, it’s important to consider that many of these evolving frameworks recur annually. For example, Google requirements include a full re-test each year, not just a test of changes since the last assessment. So, the time and cost considerations noted above should be baked into your development plans on an ongoing basis.
In summary, if you’re already doing regular security assessments for your apps, great! If you need to learn more about specific programs like Google’s, and/or you’re interested in learning more about general security and privacy assurance best practices, check out our landing pages for each relevant program below:
- Google MASA
- Google CASA (formerly OAuth Verification & Security Assessment)
- Meta Workplace Security Review
- Alexa Built-In Devices Independent Security Assessment
- ioXt Authorized Lab Testing and Certification
Call us before you need us.
Don't hesitate to reach out to our experts and learn more about the security assessments you'll need for your app.