About Watchcom initial security evaluation
SuperOffice's security policy requires that applications (and partners) pass a security evaluation before being accepted into the software sphere of SuperOffice. This security evaluation is performed by Watchcom Security Group, a specialist on internet security.
Watchcom works for SuperOffice AS to evaluate the security of your company as a prerequisite to getting your standard application accepted.
The security evaluation is designed to make sure that you as a partner have given thought to the cybersecurity of your company and the information security of your application.
Note
We are aware that some partners may already have done a security audit by another vendor. However, for the SuperOffice App Store, we require that your application goes through our particular audit because Watchcom knows SuperOffice and our environment.
What exactly is this mandatory evaluation?
The Watchcom security evaluation has 3 key elements:
- Self-assessment review
- Testing
- Audit report
The self-assessment and the audit report are confidential between the partner and Watchcom. SuperOffice is only informed if there are red flags needing to be fixed.
How is the testing done?
Self-assessment review
SuperOffice will present you with a questionnaire that must be filled out. This questionnaire is a self-assessment of how the company views cyber security and how its routines, processes, and policies are enforced.
The questions cover the whole spectrum of the organization's information security, so it may be necessary to gather information from several people within the organization to answer precisely.
Watchcom will review the self-assessment and inform SuperOffice of potential red flags.
Manual audit
Watchcom's expert penetration testers will perform a limited manual audit of the application. The overall goal is to identify potential weaknesses and vulnerabilities in how the third-party application is integrated with SuperOffice, and how the integration could affect SuperOffice and the data belonging to SuperOffice.
Depending on the integration with SuperOffice, the testing will include (but is not limited to) testing for weaknesses and vulnerabilities related to network communication, API endpoints, and web applications.
The testing performed by Watchcom involves both manual and automated testing. This may impact the service that is in scope and could cause unwanted downtime.
Audit report
When the test is completed, you will receive a full security report from Watchcom.
The report will include an executive summary, and detailed information about each finding. All findings will be mapped to OWASP Top 10 with a dedicated risk-score. Each finding will also have relevant information for how to replicate and mitigate the finding.
Any finding classified as medium risk, or above, will result in the application not being approved. To get approved, a re-test of the application will be necessary.
The report can also serve as proof of a conducted security evaluation for other third parties.
Does it cost anything?
You will be invoiced and pay Watchcom directly for the services delivered in connection with the security audit.
Security audits come in 3 different packages: small, medium (for most apps), and large.
| | Small | Medium | Large | Extended |
|---|---|---|---|---|
| Time (testing and preparing the report) | 7 work hours | 11 work hours | 18 work hours | Per agreement |
| Price | 12.500 NOK + VAT (approx. € 1060) | 17.500 NOK + VAT (approx. € 1480) | 29.500 NOK + VAT (approx. € 2500) | Per agreement |
Warning
If the audit uncovers extensive issues that need to be fixed, it may lead to re-testing and additional auditing services. This may incur additional fees. You will be notified if and when this occurs. You are not obliged to complete and pay for an additional audit; however, failing to do so will lead to your application not being certified and therefore not listed in the SuperOffice App Store.
Pre-requisites
- You have submitted your standard application for certification.
- Your designated certification contact must be available during the test period.
- We have screened your application and approved it for our staging environment (qaonline.superoffice.com).
We may send you multiple sets of keys at the same time. You will not be able to connect using the production keys until you pass the security evaluation and we explicitly activate them!
Workflow
1. We send you the application keys for both stage and production.
2. You set up the application in stage and make sure that it still works.
3. Your certification contact notifies us that you are ready to proceed.
4. We run a quick verification to confirm that you are ready for Watchcom.
5. We prepare a Handover document and send it to Watchcom. It explains:
   - What does the application add?
   - How does the application work with SuperOffice?
6. Our Watchcom contact will get in touch with your certification contact to schedule a date and time for testing.
7. After the test, you get the full report from Watchcom, while SuperOffice only receives a pass/fail notification.
Note
It is your responsibility to fix any red flags! Contact SuperOffice to schedule a re-test. We will verify that the integration and environment are ready for Watchcom to perform the re-test.
When approved, we activate the application's keys to the production environment.
You can now set up the application in production and connect to test that it works. The application is still not published!
Next steps: get listed in the App Store and publish your application